[Fedora-directory-users] posixgroup name lookups

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Nov 19 19:57:57 UTC 2008


> John A. Sullivan III wrote:
> > Hello, all.  We're trying to move all our user access control to DS
> > including file system rights management and thus group management.
> > We've hit a few problems and would like to share how we've gotten around
> > them both for documentation and so someone with more experience can tell
> > us if we are going about this the wrong way.
> >
> > The first problem we hit was the various hosts could not resolve the
> > gidnumber to a name:
> > -sh-3.2$ id -gn
> > id: cannot find name for group ID 2000
> > 2000
> >
> > We noticed in the access query that the hosts were looking for
> > posixgroups:
> > SRCH base="dc=ssiservices,dc=biz" scope=2
> > filter="(&(objectClass=posixGroup)(gidNumber=2000))" attrs="cn
> > userPassword memberUid uniqueMember gidNumber"
> >
> > The problem comes with users' initial groups, which are typically named
> > after the uid.  Since we had not created these explicitly as DS groups
> > but rather simply assigned the gidnumber in the posixaccount's gidnumber
> > attribute, there was no posixgroup to seek.
> >
> > I suppose the ideal way to address this is to change the query to look
> > for a posixgroup or a posixaccount.  I do not see how one does this.
> > Instead, we added posixgroup as an objectclass to the users.  Is this a
> > reasonable way to go about this?
> >
> > Then we hit our next problem.  The user's initial group is usually the
> > same as their uid, e.g., user bsmith belongs to group bsmith. However,
> > the query is looking for cn rather than uid.  I suppose this is because
> > a posixgroup, as opposed to a user, does not have a uid but does have a
> > cn.  This turned up as a problem where we wanted to control the umask in
> > bashrc which uses logic such as:
> > if [ $UID -gt 99 ] && [ "`id -gn`" = "`id -un`" ]; then
> >         umask 002
> > id -un would return bsmith but id -gn would return something like Brian
> > Smith.
> >
> > Thus, we will need to make it a user creation procedure to override the
> > cn to be the same as the uid rather than FirstName LastName.  Is this
> > the correct approach? Thanks - John
> >   
> 
On Wed, 2008-11-19 at 11:17 -0800, George Holbert wrote:
> >
> > -sh-3.2$ id -gn
> > id: cannot find name for group ID 2000
> > 2000
> ...
> > Instead, we added posixgroup as an objectclass to the users.  Is this a
> > reasonable way to go about this?
> 
> Not really...
> id is asking your name service "what is the group name for gid 2000".
> You have no groups defined in your name service with that gid.
> The most common way to address this is to add a posixGroup object in 
> your LDAP directory with gid 2000, and whatever name (cn) you like.
> I would suggest doing this for each account's primary gid.
<snip>

Thanks for the reply. Perhaps this is a better approach but I have some
reservations (which may be more my ignorance than a real problem).  If I
do this, I have the separate step of maintaining posixgroups for each
user in a separate entity.  Not only must I create two instead of one
(times however many thousands of users I have) but I must keep them in
sync (user delete, user rename).

By adding a posixgroup objectclass to my users, I solve those problems
and still give my name service a way to resolve the group name.  It
seems much simpler to manage but I'm just not sure if this does
something "bad".  Am I missing something? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
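An added audit example, not part of this thread or of Directory Server, that replays the hosts' group lookup quoted above against a few constructed LDIF entries (the base DN is the one from the quoted access log; the uids, cns and gids are made up) and flags accounts whose primary gid either does not resolve at all or resolves to a cn that differs from the uid:

```python
# Added example, not from the thread: replay the hosts' NSS lookup
# (&(objectClass=posixGroup)(gidNumber=N)) over constructed LDIF entries.
SAMPLE_LDIF = """\
dn: uid=bsmith,ou=People,dc=ssiservices,dc=biz
objectClass: posixAccount
objectClass: posixGroup
uid: bsmith
cn: Brian Smith
gidNumber: 2000

dn: uid=jdoe,ou=People,dc=ssiservices,dc=biz
objectClass: posixAccount
uid: jdoe
cn: jdoe
gidNumber: 2001

dn: uid=amiller,ou=People,dc=ssiservices,dc=biz
objectClass: posixAccount
objectClass: posixGroup
uid: amiller
cn: amiller
gidNumber: 2002
"""

def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def group_name_for_gid(entries, gid):
    """What `id -gn` gets back: cn of the first posixGroup carrying this gid."""
    for e in entries:
        if "posixGroup" in e["objectclass"] and gid in e.get("gidnumber", []):
            return e["cn"][0]
    return None  # the "cannot find name for group ID" case

def audit_primary_groups(entries):
    """uid -> 'unresolvable' | 'cn-mismatch' | 'ok' for each posixAccount."""
    report = {}
    for e in (x for x in entries if "posixAccount" in x["objectclass"]):
        uid, name = e["uid"][0], group_name_for_gid(entries, e["gidnumber"][0])
        # cn != uid breaks the `id -gn` = `id -un` test in the quoted bashrc
        report[uid] = "unresolvable" if name is None else "ok" if name == uid else "cn-mismatch"
    return report
```

Running the audit over a real export (ldapsearch -LLL output parses the same way for simple attributes) lists every account that still needs either a posixGroup for its gid or a cn set equal to its uid.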