John A. Sullivan III wrote:
On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote:Jonathan Barber wrote:Another way would be to omit the addition of the posixGroup on your account objects, and just modify the filter on nss_base_group to include posixAccounts.On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote:On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:John A. Sullivan III wrote:John A. Sullivan III wrote:[snip]<snip> Thanks for the very thoughtful answer. I'm not only new to LDAP but also to Linux based file servers. I've been in a management role for the last decade and before then was doing NDS and NetWare for directory/file. We were planning to use a umask of 007 for standard users and set the sgid bit for shared folders. That's where we thought it would be helpful to have a group associated with each user. In fact, it finally made the default setup of creating a group for each user make sense as I always wondered why that was done. I suppose we'll also need to activate file system acls for more complex setups as when multiple groups need varying access to a shared file system directory.This arrangement is known (at least by Redhat) as User Private Groups (UPG): http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html The primary reason for doing it is that group access to files is managed via secondary group membership, not primary group membership If each of your users has their own group, then adding a posixGroup objectclass to each user makes perfect sense. You may also want to place an uniqueness constraint on the gidNumber attribute as well: http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in WRT to linux, the only gotcha I can think of is that you'll have to set the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's the common parent to both your users and groups - otherwise it'll never find the UPG's.e.g.:nss_base_group dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount))posixAccount already includes the gidNumber and cn attributes, which is all you're really after here... unless you want to start adding memberUid attributes to your account objects (which doesn't make any obvious sense).You will almost certainly have to modify your nss_base_group setting in either case, as Jonathan suggested.<snip> That's what I had first attempted to do but I do not see where to set that filter. I didn't see anything in ldap.conf or nsswitch.conf. Where is it set? Thanks - John
/etc/ldap.conf - do man nss_ldap - look for this:
nss_base_<map> <basedn?scope?filter>
Specify the search base, scope and filter to be used
for spe-
cific maps. (Note that map forms part of the
configuration file
...
<<attachment: smime.p7s>>
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
