Hi! I have a question related to Linux authentication and authorization against 389 DS. Hope someone out there has experience about connecting Linux Server to 389 DS. What I have done is creating posixAccounts, default account groups and several groups used for admin rights. First I tried using uniqueMember=<dn> as member reference attribute on each posix group. It only works with less than 600 users and isn't ideal as nss_ldap seems to treat the attribute uniqueMember as an account _or_ a group and runs additional queries on each uniqueMember found within the group. Instead I have tested to use memberUid=<uid>. Works much better! No additional queries. But... I would prefer using full DN as reference within the directory. Now over to my questions: Has anyone successfully used uniqueMember as member attribute for linux authentication? With several thousands of users ? Are there any documented "best practices" to setup linux authentication and authorization against 389? I may have missed them on Google :) ? Anyone with experience... I need all feedback I can get right now and are looking for a long-term working solution. Best Regards - Andreas Examples of my idea of using posixGroups (that doesn't do the the additional queries using memberUid): # Account: dn: uid=aandersson,ou=People,dc=domain,dc=com objectClass: top objectClass: organizationalPerson objectClass: person objectClass: posixaccount gidNumber: 1000 homeDirectory: /home/aandersson uidNumber: 1000 gecos: Andreas Andersson loginShell: /bin/bash givenName: Andreas uid: aandersson cn: Andreas Andersson sn: Andersson Default Group: #dn: cn=aandersson,ou=Groups,dc=domain,dc=com objectClass: posixGroup objectClass: top gidNumber: 1000 cn: aandersson description: Default group for 'aandersson' Member Group: #dn: cn=adminmembers,ou=Groups,dc=domain,dc=com memberUid: aandersson memberUid: jdoe memberUid: jsmith gidNumber: 1002 description: Linux Administrators objectClass: top objectClass: posixGroup cn: adminmembers
