On Thu, 2008-11-20 at 14:43 -0800, George Holbert wrote:
> John A. Sullivan III wrote:
> > On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote:
> >
> >> Jonathan Barber wrote:
> >>
> >>> On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote:
> >>>
> >>>> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:
> >>>>
> >>>>> John A. Sullivan III wrote:
> >>>>>
> >>>>>>> John A. Sullivan III wrote:
> >>>>>>>
> >>> [snip]
> >>>
> >>>> <snip>
> >>>> Thanks for the very thoughtful answer. I'm not only new to LDAP but
> >>>> also to Linux based file servers. I've been in a management role for
> >>>> the last decade and before then was doing NDS and NetWare for
> >>>> directory/file.
> >>>>
> >>>> We were planning to use a umask of 007 for standard users and set the
> >>>> sgid bit for shared folders. That's where we thought it would be
> >>>> helpful to have a group associated with each user. In fact, it finally
> >>>> made the default setup of creating a group for each user make sense as I
> >>>> always wondered why that was done. I suppose we'll also need to
> >>>> activate file system acls for more complex setups as when multiple
> >>>> groups need varying access to a shared file system directory.
> >>>>
> >>> This arrangement is known (at least by Redhat) as User Private Groups
> >>> (UPG):
> >>> http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html
> >>>
> >>> The primary reason for doing it is that group access to files is managed
> >>> via secondary group membership, not primary group membership.
> >>>
> >>> If each of your users has their own group, then adding a posixGroup
> >>> objectclass to each user makes perfect sense. You may also want to place
> >>> a uniqueness constraint on the gidNumber attribute as well:
> >>> http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in
> >>>
> >>> WRT to linux, the only gotcha I can think of is that you'll have to set
> >>> the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's
> >>> the common parent to both your users and groups - otherwise it'll never
> >>> find the UPG's.
> >>>
> >> Another way would be to omit the addition of the posixGroup on your
> >> account objects, and just modify the filter on nss_base_group to include
> >> posixAccounts.
> >> e.g.:
> >> nss_base_group
> >> dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount))
> >>
> >> posixAccount already includes the gidNumber and cn attributes, which is
> >> all you're really after here... unless you want to start adding
> >> memberUid attributes to your account objects (which doesn't make any
> >> obvious sense).
> >>
> >> You will almost certainly have to modify your nss_base_group setting in
> >> either case, as Jonathan suggested.
> >>
> > <snip>
> > Alas, I'm not sure this is going to work as expected but it could be my
> > ignorance. I've read the man page and whatever documentation I could
> > find. It appears it does an & operation with the additional filter
> > whereas I need an |.
> >
> > I gather the default is:
> > &(objectClass=posixgroup)(cn=group_name)
> >
> > I think I need it to be:
> > |((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name)))
> >
> > If it does an &, I think I get:
> > &((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name)))
> >
> > Nevertheless, I tried all of the following without success:
> >
> > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(objectClass=posixAccount)
> >
> > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(&(objectClass=posixAccount)(uid=group_name))
> > this broke the posixgroup filter, too!
> >
> > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount)(uid=group_name)
> > this broke the posixgroup filter, too!
> >
> > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)(uid=group_name)
> > this broke the posixgroup filter, too!
> >
> > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)
> > this broke the posixgroup filter, too!
> >
> > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount)
> >
> > I did flush the nscd group database between each try. What am I doing
> > wrong? Thanks - John
>
> It's not immediately obvious to me where the problem is.
> But, have you tried reviewing your LDAP server's access log?
> That's often a huge help for troubleshooting this kind of thing.
<snip>

Thanks. I do see what it is doing but I'm still not sure how to configure
the nss_base_group for two reasons which I'll state in a second.

Here is a query when I do an ls -l on a directory so it needs to resolve
the gidnumber to a group name:

filter="(&(objectClass=posixGroup)(gidNumber=103000)(|(&(objectClass=posixAccount)(gidNumber=group_number))))"

This is what happens if I try to do a chgrp and it thus needs to resolve
a name to a number:

filter="(&(objectClass=posixGroup)(cn=barry.knowles)(|(&(objectClass=posixAccount))))"

The first question is where to find the variables which are replaced by
the actual values. You can see I guessed at group_number in the first
case and was wrong. How do I build a filter which will substitute 103000
when I am seeking that particular gidnumber?

The second question is the sought attribute seems to vary depending on
the function. How do I create the filter to search on gidnumber in the
first case and cn in the second?

Sorry if I'm being dense. I'm quite new to all this - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
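The two access-log filters quoted above show how nss_ldap builds a group lookup: its own (objectClass=posixGroup) assertion and the key it is resolving (gidNumber or cn) are AND-ed with whatever follows "?sub?" in nss_base_group. The following is an added example, written for this thread and not code from nss_ldap or from any poster: a small LDAP filter evaluator run over two constructed entries (a real posixGroup and a posixAccount whose gidNumber has no group entry). The nss_group_filter() composition is an assumption inferred from the logged filters, and the entry DNs and values are made up. It demonstrates why every filter tried in the thread returns nothing for the account: the outer AND with objectClass=posixGroup excludes posixAccount entries before the inner OR is ever considered, and "group_number" is sent as a literal string rather than substituted.

```python
"""Added example (not code from the thread or from nss_ldap): a tiny LDAP
filter evaluator used to show why the nss_base_group filters tried in the
thread cannot return posixAccount entries. The composition in
nss_group_filter() is inferred from the two access-log lines quoted above;
the directory entries below are constructed sample data."""


def parse_filter(text):
    """Parse an RFC 4515 search filter supporting &, |, ! and attr=value."""
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing data after filter: %r" % s[pos:])
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":                      # n-ary AND / OR
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    if s[i] == "!":                       # unary NOT
        kid, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unterminated '!' at offset %d" % i)
        return ("!", [kid]), i + 1
    j = s.index(")", i)                   # simple equality or presence assertion
    attr, value = s[i:j].split("=", 1)
    return ("=", attr, value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attr -> list of values).
    Names and values compare case-insensitively, as they do for the caseIgnore
    attributes involved here (objectClass, cn, uid)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    attr, want = node[1], node[2]
    have = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if want == "*":                       # presence filter (attr=*)
        return bool(have)
    return any(v.lower() == want.lower() for v in have)


def nss_group_filter(custom_filter, key_attr, key):
    """Assumed model of the filter nss_ldap sends for a group lookup, inferred
    from the access-log lines in the thread: nss_ldap's own objectClass and key
    assertions are AND-ed with whatever follows '?sub?' in nss_base_group."""
    return "(&(objectClass=posixGroup)(%s=%s)%s)" % (key_attr, key, custom_filter)


# Constructed sample directory: one ordinary group and one user-private-group
# style account whose gidNumber (103000) has no matching posixGroup entry.
DIRECTORY = [
    {"dn": "cn=staff,ou=groups,dc=example,dc=com",
     "objectClass": ["posixGroup"], "cn": ["staff"], "gidNumber": ["5000"]},
    {"dn": "uid=barry.knowles,ou=people,dc=example,dc=com",
     "objectClass": ["posixAccount"], "uid": ["barry.knowles"],
     "cn": ["barry.knowles"], "gidNumber": ["103000"]},
]


def lookup(filter_text, directory=DIRECTORY):
    """Return the DNs matching filter_text, like a sub-scope search."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in directory if matches(node, e)]


if __name__ == "__main__":
    # gidNumber -> name, exactly as the first logged filter: matches nothing
    print(lookup(nss_group_filter(
        "(|(&(objectClass=posixAccount)(gidNumber=group_number)))",
        "gidNumber", "103000")))
    # name -> gidNumber, as the second logged filter: matches nothing
    print(lookup(nss_group_filter("(|(&(objectClass=posixAccount)))",
                                  "cn", "barry.knowles")))
    # the unmodified default still resolves a real group
    print(lookup(nss_group_filter("", "cn", "staff")))
    # the shape the server would have to receive for the account to be returned
    print(lookup("(&(|(objectClass=posixGroup)(objectClass=posixAccount))"
                 "(gidNumber=103000))"))
```

Running the script prints two empty lists for the filters taken from the log, the staff group for the default lookup, and barry.knowles only for the last filter, where the objectClass alternatives sit inside the OR instead of being AND-ed with a fixed posixGroup assertion. Comparing the filter your server logs against the one you intended, as George suggested, is the quickest way to see which of the two shapes it is actually receiving.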