On Fri, May 22, 2009 at 5:16 PM, Dumbo Q <dumboq@xxxxxxxxx> wrote:
> Thank you for the quick reply.
> I also have a question about the posix groups.
> To create a user in ds, the idm-console has a form which is quite easy. I
> can also use this to create "Groups", but they are not unix groups. I assume
> these are simply to keep organized all the users.
>
> To add a unix group I have to create->new->other, and choose posix group.
> Then I manually pick the gidnumber. It does not seem to matter where I
> place this posix group. My first thought is that it is going to get very
> messy trying to keep track of each user's posixgroup.
> Secondly, does this seem like a good plan for authentication structure
> below.
>
> UnixGroups
>   \- all posix groups here.
> People
>   \- Vendors
>       \- CompanyA
>       \- CompanyB
>   \- Staff
>       \- Accounting
>       \- SysAd
>       \- Development
>       \- YadaYada.
>
> But then how would I say users in companyb can only login to some hosts?
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

I use 'pam groupdn'

/etc/ldap.conf
pam_groupdn cn=hadoop,ou=hosts,dc=yourdomain,dc=com

This allows you to create an object with a list of users' DNs that can log in.

You can also use netgroups, but this way is clean and has very little
configuration.

You can also set a login group in sshd_config. But then each of your
machines will have a different sshd_config.

-Regards
Edward
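
The pam_groupdn approach in the reply above depends on knowing who is listed in each host object. As an added example (not part of the original thread), this Python script reads an LDIF export of such objects and reports which host groups admit a given user, or anyone under a given subtree. The sample LDIF is constructed, and the uniqueMember attribute, the uids, cn=web01 and the ou=CompanyB,ou=Vendors,ou=People layout are assumptions; DN normalisation is simplified (no escaped commas or base64 values).

```python
# Added example: audit pam_groupdn-style access groups from an LDIF export.
# SAMPLE_LDIF is constructed; uniqueMember, the uids and cn=web01 are assumed.
SAMPLE_LDIF = """\
dn: cn=hadoop,ou=hosts,dc=yourdomain,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=CompanyB,ou=Vendors,ou=People,dc=yourdomain,dc=com
uniqueMember: uid=bob,ou=SysAd,ou=Staff,ou=People,
 dc=yourdomain,dc=com

dn: cn=web01,ou=hosts,dc=yourdomain,dc=com
objectClass: groupOfUniqueNames
uniqueMember: UID=Bob, OU=SysAd, OU=Staff, OU=People, DC=yourdomain, DC=com
"""

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def norm_dn(dn):
    """Simplified DN normalisation: trim each RDN and lowercase it."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_groups(text, member_attr="uniquemember"):
    """Return {group_dn: set(member_dns)} for every entry in the LDIF."""
    groups, current = {}, None
    for line in unfold(text):
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if not line.strip():
            current = None  # a blank line ends the current entry
        elif attr == "dn":
            current = groups.setdefault(norm_dn(value), set())
        elif attr == member_attr and current is not None:
            current.add(norm_dn(value))
    return groups

def hosts_for(user_dn, groups):
    """Access groups whose member list contains user_dn."""
    return sorted(g for g, m in groups.items() if norm_dn(user_dn) in m)

def groups_admitting(subtree, groups):
    """Access groups that list at least one DN located under subtree."""
    suffix = "," + norm_dn(subtree)
    return sorted(g for g, m in groups.items() if any(d.endswith(suffix) for d in m))
```
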