[Fedora-directory-users] posixgroup name lookups

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Nov 19 20:32:28 UTC 2008 

On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:
> John A. Sullivan III wrote:
> >> John A. Sullivan III wrote:
> >>     
> >>> Hello, all.  We're trying to move all our user access control to DS
> >>> including file system rights management and thus group management.
> >>> We've hit a few problems and would like to share how we've gotten around
> >>> them both for documentation and so someone with more experience can tell
> >>> us if we are going about this the wrong way.
> >>>
> >>> The first problem we hit was the various hosts could not resolve the
> >>> gidnumber to a name:
> >>> -sh-3.2$ id -gn
> >>> id: cannot find name for group ID 2000
> >>> 2000
> >>>
> >>> We noticed in the access query that the hosts were looking for
> >>> posixgroups:
> >>> SRCH base="dc=ssiservices,dc=biz" scope=2
> >>> filter="(&(objectClass=posixGroup)(gidNumber=2000))" attrs="cn
> >>> userPassword memberUid uniqueMember gidNumber"
> >>>
> >>> The problem comes with user's initial groups which are typically named
> >>> after the uid.  Since we had not created these explicitly as DS groups
> >>> but rather simply assigned the gidnumber in the posixaccount's gidnumber
> >>> attribute, there was no posixgroup to seek.
> >>>
> >>> I suppose the ideal way to address this is the change the query to look
> >>> for a posixgroup or a posixaccount.  I do not see how one does this.
> >>> Instead, we added posixgroup as an objectclass to the users.  Is this a
> >>> reasonable way to go about this?
> >>>
> >>> Then we hit our next problem.  The user's initial group is usually the
> >>> same as their uid, e.g., user bsmith belongs to group bsmith. However,
> >>> the query is looking for cn rather than uid.  I suppose this is because
> >>> a posixgroup, as opposed to a user, does not have a uid but does have a
> >>> cn.  This turned up as a problem where we wanted to control the umask in
> >>> bashrc which uses logic such as:
> >>> if [ $UID -gt 99 ] && [ "`id -gn`" = "`id -un`" ]; then
> >>>         umask 002
> >>> id -un would return bsmith but id -gn would return something like Brian
> >>> Smith.
> >>>
> >>> Thus, we will need to make it a user creation procedure to override the
> >>> cn to be the same as the uid rather than FirstName LastName.  Is this
> >>> the correct approach? Thanks - John
> >>>   
> >>>       
> > On Wed, 2008-11-19 at 11:17 -0800, George Holbert wrote:
> >   
> >>> -sh-3.2$ id -gn
> >>> id: cannot find name for group ID 2000
> >>> 2000
> >>>       
> >> ...
> >>     
> >>> Instead, we added posixgroup as an objectclass to the users.  Is this a
> >>> reasonable way to go about this?
> >>>       
> >> Not really...
> >> id is asking your name service "what is the group name for gid 2000".
> >> You have no groups defined in your name service with that gid.
> >> The most common way to address this is to add a posixGroup object in 
> >> your LDAP directory with gid 2000, and whatever name (cn) you like.
> >> I would suggest doing this for each account's primary gid.
> >>     
> > <snip>
> >
> > Thanks for the reply. Perhaps this is a better approach but I have some
> > reservations (which may be more my ignorance than a real problem).  If I
> > do this, I have the separate step of maintaining posixgroups for each
> > user in a separate entity.  Not only must I create two instead of one
> > (times however many thousands of users I have) but I must keep them in
> > sync (user delete, user rename).
> >
> > By adding a posixgroup objectclass to my users, I solve those problems
> > and still give my name service a way to resolve the group name.  It
> > seems much simpler to manage but I'm just not sure if this does
> > something "bad".  Am I missing something? Thanks - John
> >   
> 
> Most (if not all) LDAP client software that accesses posix attributes 
> will not expect this arrangement.
> Most sysadmins or developers that might work with your directory 
> probably would also not expect this.
> Those are the biggest drawbacks that come immediately to mind.
> But depending on your usage, might never be a serious problem.
> 
> This is a good time to ask yourself:
> Do you really need a corresponding groupname / gid for every username / 
> uid in your name service?
> 
> The answer might certainly be "yes".
> But since you're spending time to accommodate this, could be helpful to 
> be sure you have reasons beyond rote tradition.
> 
<snip>
Thanks for the very thoughtful answer.  I'm not only new to LDAP but
also to Linux based file servers.  I've been in a management role for
the last decade and before then was doing NDS and NetWare for
directory/file.

We were planning to use a umask of 007 for standard users and set the
sgid bit for shared folders.  That's where we thought it would be
helpful to have a group associated with each user.  In fact, it finally
made the default setup of creating a group for each user make sense as I
always wondered why that was done.  I suppose we'll also need to
activate file system acls for more complex setups as when multiple
groups need varying access to a shared file system directory.

If that's a silly approach, kindly let me know and point me to some good
documentation on the subject.  Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

More information about the Fedora-directory-users mailing list