On Fri, 2008-11-21 at 09:10 -0700, Rich Megginson wrote: > John A. Sullivan III wrote: > > On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote: > > > >> Jonathan Barber wrote: > >> > >>> On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote: > >>> > >>> > >>>> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote: > >>>> > >>>> > >>>>> John A. Sullivan III wrote: > >>>>> > >>>>> > >>>>>>> John A. Sullivan III wrote: > >>>>>>> > >>>>>>> > >>> [snip] > >>> > >>> > >>> > >>>> <snip> > >>>> Thanks for the very thoughtful answer. I'm not only new to LDAP but > >>>> also to Linux based file servers. I've been in a management role for > >>>> the last decade and before then was doing NDS and NetWare for > >>>> directory/file. > >>>> > >>>> We were planning to use a umask of 007 for standard users and set the > >>>> sgid bit for shared folders. That's where we thought it would be > >>>> helpful to have a group associated with each user. In fact, it finally > >>>> made the default setup of creating a group for each user make sense as I > >>>> always wondered why that was done. I suppose we'll also need to > >>>> activate file system acls for more complex setups as when multiple > >>>> groups need varying access to a shared file system directory. > >>>> > >>>> > >>> This arrangement is known (at least by Redhat) as User Private Groups > >>> (UPG): > >>> http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html > >>> > >>> The primary reason for doing it is that group access to files is managed > >>> via secondary group membership, not primary group membership > >>> > >>> If each of your users has their own group, then adding a posixGroup > >>> objectclass to each user makes perfect sense. You may also want to place > >>> an uniqueness constraint on the gidNumber attribute as well: > >>> http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in > >>> > >>> WRT to linux, the only gotcha I can think of is that you'll have to set > >>> the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's > >>> the common parent to both your users and groups - otherwise it'll never > >>> find the UPG's. > >>> > >>> > >>> > >> Another way would be to omit the addition of the posixGroup on your > >> account objects, and just modify the filter on nss_base_group to include > >> posixAccounts. > >> e.g.: > >> nss_base_group > >> dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount)) > >> > >> posixAccount already includes the gidNumber and cn attributes, which is > >> all you're really after here... unless you want to start adding > >> memberUid attributes to your account objects (which doesn't make any > >> obvious sense). > >> > >> You will almost certainly have to modify your nss_base_group setting in > >> either case, as Jonathan suggested. > >> > >> > > <snip> > > Alas, I'm not sure this is going to work as expected but it could be my > > ignorance. I've read the man page and whatever documentation I could > > find. It appears it does an & operation with the additional filter > > whereas I need an |. > > > > I gather the default is: > > &(objectClass=posixgroup)(cn=group_name) > > > > I think I need it to be: > > |((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name))) > > > > If it does an &, I think I get: > > &((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name))) > > > > Nevertheless, I tried all of the following without success: > > > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(objectClass=posixAccount) > > > Invalid filter - the "|" character does not belong there. > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(&(objectClass=posixAccount)(uid=group_name)) > > this broke the posixgroup filter, too! > > > Also invalid - "|" character > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount)(uid=group_name) > > this broke the posixgroup filter, too! > > > Invalid filter - a filter must begin with ( and end with ) - so > (&(objectClass=posixAccount)(uid=group_name)) > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)(uid=group_name) > > this broke the posixgroup filter, too! > > > Invalid filter - (&(objectClass=posixAccount)(uid=group_name)) > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount) > > this broke the posixgroup filter, too! > > > Not sure what's wrong with this one - looks ok > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount) > > > Invalid filter - should just be (objectClass=posixAccount) > > I did flush the nscd group database between each try. What am I doing > > wrong? Thanks - John > > > It looks as though nss_base_group uses LDAP URL syntax - see > http://www.ietf.org/rfc/rfc2255.txt for more information about LDAP > URLs, and http://www.ietf.org/rfc/rfc2254.txt for information about LDAP > filters <snip> Thanks very much. The reason I did not have the initial and ending () is it appears nss puts them there itself when it does the &. At least, that's the way it looked in the access log. How does one pass the values to the ldap query, i.e., what the sought cn or gidnumber is? - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society
