[Fedora-directory-users] posixgroup name lookups

Jonathan Barber j.barber at dundee.ac.uk
Thu Nov 20 08:38:59 UTC 2008


On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote:
> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:
> > John A. Sullivan III wrote:
> > >> John A. Sullivan III wrote:

[snip]

> <snip>
> Thanks for the very thoughtful answer.  I'm not only new to LDAP but
> also to Linux based file servers.  I've been in a management role for
> the last decade and before then was doing NDS and NetWare for
> directory/file.
> 
> We were planning to use a umask of 007 for standard users and set the
> sgid bit for shared folders.  That's where we thought it would be
> helpful to have a group associated with each user.  In fact, it finally
> made the default setup of creating a group for each user make sense as I
> always wondered why that was done.  I suppose we'll also need to
> activate file system acls for more complex setups as when multiple
> groups need varying access to a shared file system directory.

This arrangement is known (at least by Red Hat) as User Private Groups
(UPG):
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html

The primary reason for doing it is that group access to files is managed
via secondary group membership, not primary group membership.

If each of your users has their own group, then adding a posixGroup
objectclass to each user makes perfect sense. You may also want to place
a uniqueness constraint on the gidNumber attribute as well:
http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in

WRT Linux, the only gotcha I can think of is that you'll have to set
the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's
the common parent to both your users and groups - otherwise it'll never
find the UPGs.

> If that's a silly approach, kindly let me know and point me to some good
> documentation on the subject.  Thanks - John
> -- 
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
> 
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society

-- 
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
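A quick offline sanity check for the layout discussed above, added here as an example that is not from the original thread: it parses a constructed LDIF export and flags duplicate gidNumbers (what a uniqueness constraint on gidNumber would reject), users whose primary gidNumber has no posixGroup, and UPG entries that sit outside the nss_base_group search base. The DNs, attribute values and the `parse_ldif`/`check_upg` names are all assumptions.

```python
# Constructed sample: two users that are also their own posixGroup (UPG) plus a shared group.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: posixGroup
gidNumber: 1001

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: posixGroup
gidNumber: 1002

dn: cn=hpc,ou=Groups,dc=example,dc=com
objectClass: posixGroup
gidNumber: 2000
memberUid: alice
"""

def parse_ldif(text):
    """Split a plain LDIF export into {attr: [values]} dicts (no base64 or wrapped lines)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            entry.setdefault(key.lower(), []).append(val)
        entries.append(entry)
    return entries

def is_ancestor(base, dn):
    """True if `base` is `dn` itself or one of its parents (naive RDN comparison)."""
    b = [p.strip().lower() for p in base.split(",")]
    d = [p.strip().lower() for p in dn.split(",")]
    return len(b) <= len(d) and d[-len(b):] == b

def check_upg(entries, nss_base_group):
    """Return a list of problems; empty means nss_ldap can resolve every user's UPG."""
    problems, gid_owners = [], {}
    for e in entries:
        if "posixgroup" in [c.lower() for c in e.get("objectclass", [])]:
            gid_owners.setdefault(e["gidnumber"][0], []).append(e["dn"][0])
    for gid, dns in gid_owners.items():
        if len(dns) > 1:  # what a uniqueness constraint on gidNumber would have rejected
            problems.append(f"gidNumber {gid} is not unique: {dns}")
    for e in entries:
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "posixaccount" in classes and e["gidnumber"][0] not in gid_owners:
            problems.append(f"{e['dn'][0]}: primary gidNumber has no posixGroup")
        if "posixgroup" in classes and not is_ancestor(nss_base_group, e["dn"][0]):
            problems.append(f"{e['dn'][0]}: not under nss_base_group {nss_base_group}")
    return problems
```

Running `check_upg(parse_ldif(SAMPLE_LDIF), "ou=Groups,dc=example,dc=com")` reproduces the gotcha from the reply: both UPG entries are reported as unreachable, while the common parent `dc=example,dc=com` yields no problems.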