[K12OSN] smbldap - adding ldap users to local groups

Jim Kronebusch jim at winonacotter.org
Thu Oct 25 03:21:59 UTC 2007


On Wed, 24 Oct 2007 20:25:27 -0400, Rob Owens wrote
> Well, being new to LDAP I guess I'm having trouble deciding where to draw the 
> line between using local groups and using LDAP groups. 

I have not yet run into a situation where I am serving "users" on multiple operating
systems.  I see where this could be a big problem.  I have drawn the line at system
groups that are not added to a regular user by default, and at users that are
system/application dependent.  And I order lookups by local files first, then LDAP.  This
has allowed me to have users for my LTSP Edubuntu server use the same LDAP base as users
on my Fedora-based mail server.  But if I ran into a situation where I had some
Fedora-based LTSP servers and some Edubuntu-based LTSP servers, along with stand-alone
machines with other operating systems, eventually I would run into a problem with
mismatched default group IDs for new standard users.  I'm not sure what a good solution
would be in that situation.

I did try adding LDAP groups by default to local groups, but I could not get things to
work.  Given that default system GIDs and group names could vary between operating
systems, you'd almost have to have a service that could translate based on operating
system.  I imagine this is possible, but it wouldn't be an easy task, and probably a
nightmare to maintain.

I would think the best option is to have a central LDAP that has the default user groups
of your most common OS that users run a desktop from.  Then add those default groups to
new users.  Then try to keep all user desktops and LTSP machines running on the same
flavor.  This should give you central auth for almost everything.  Stay away from putting
default system accounts or application-specific accounts/groups in LDAP.  After all,
those users probably wouldn't be secure in a central location anyhow, and you probably
want different passwords and such for every server running MySQL or Apache, etc.  Keep
those all as local accounts and check local files before looking at LDAP.

After all, most other servers, such as mail or web, won't have users logging in locally,
so they won't need the extra groups and users anyhow.  If you need to auth another OS
that has differences in the standard user groups, you would then have to modify the
system groups to match those in your LDAP server on install.  One could maybe even create
a script to verify compliance with the central scheme and modify accordingly.

Just some thoughts,
Jim

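The two checks Jim's message argues for, a "files before ldap" lookup order and local default groups that agree with the central LDAP scheme, can be scripted. The following is an added example written for this page, not code from the original post or from any K12OSN project. The LDIF, /etc/group and nsswitch.conf samples are constructed to show one mismatch of each kind; the base DN ou=Groups,dc=example,dc=org and the group names are assumptions. On a real host you would feed it /etc/nsswitch.conf, /etc/group and the output of `ldapsearch -x -LLL -b ou=Groups,dc=example,dc=org '(objectClass=posixGroup)' cn gidNumber`.

```python
"""Check one host against a central LDAP group scheme (added example, constructed data).

Check 1: nsswitch.conf consults 'files' before 'ldap' for passwd/group/shadow, so local
         system/application accounts always win over LDAP entries of the same name.
Check 2: groups defined in LDAP have the same name -> GID mapping in the local
         /etc/group, so a numeric group owner on disk means the same thing everywhere.
"""
import re

# Constructed sample: what ldapsearch -LLL returns for posixGroup entries.
SAMPLE_LDIF = """\
dn: cn=users,ou=Groups,dc=example,dc=org
cn: users
gidNumber: 100

dn: cn=audio,ou=Groups,dc=example,dc=org
cn: audio
gidNumber: 29

dn: cn=cdrom,ou=Groups,dc=example,dc=org
cn: cdrom
gidNumber: 24

dn: cn=plugdev,ou=Groups,dc=example,dc=org
cn: plugdev
gidNumber: 46
"""

# Constructed sample: /etc/group of a host whose distro defaults differ from the scheme.
SAMPLE_GROUP = """\
root:x:0:
audio:x:63:jim
cdrom:x:24:jim
users:x:100:
mysql:x:27:
floppy:x:46:
"""

# Constructed sample: nsswitch.conf that consults ldap before files for 'group'.
SAMPLE_NSSWITCH = """\
passwd:         files ldap
group:          ldap files
shadow:         files ldap
hosts:          files dns
"""


def parse_ldif_groups(text):
    """Return {cn: gidNumber} from blank-line separated LDIF posixGroup entries."""
    groups = {}
    for entry in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(line.split(": ", 1) for line in entry.splitlines() if ": " in line)
        if "cn" in attrs and "gidNumber" in attrs:
            groups[attrs["cn"]] = int(attrs["gidNumber"])
    return groups


def parse_etc_group(text):
    """Return {name: gid} from /etc/group-format text (name:passwd:gid:members)."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, _members = line.split(":", 3)
            groups[name] = int(gid)
    return groups


def check_groups(central, local):
    """Compare the LDAP scheme with local groups.

    missing   : central group with no local entry (members get a GID with no name)
    mismatch  : (name, local_gid, central_gid) same name, different GID
    collision : (local_name, central_name, gid) a differently named local group
                already owns a GID the scheme assigns to something else
    """
    by_gid = {gid: name for name, gid in local.items()}
    report = {"missing": [], "mismatch": [], "collision": []}
    for name, gid in sorted(central.items()):
        if name not in local:
            report["missing"].append(name)
        elif local[name] != gid:
            report["mismatch"].append((name, local[name], gid))
        if gid in by_gid and by_gid[gid] != name:
            report["collision"].append((by_gid[gid], name, gid))
    return report


def check_nsswitch(text, databases=("passwd", "group", "shadow")):
    """Return the databases that use ldap without putting 'files' ahead of it."""
    bad = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].endswith(":"):
            continue
        db, sources = parts[0][:-1], parts[1:]   # action tokens like [NOTFOUND=return] are ignored
        if db in databases and "ldap" in sources:
            if "files" not in sources or sources.index("files") > sources.index("ldap"):
                bad.append(db)
    return bad


if __name__ == "__main__":
    for db in check_nsswitch(SAMPLE_NSSWITCH):
        print(f"nsswitch: '{db}' consults ldap before files; reorder to 'files ldap'")
    rep = check_groups(parse_ldif_groups(SAMPLE_LDIF), parse_etc_group(SAMPLE_GROUP))
    for name in rep["missing"]:
        print(f"group {name} is in LDAP but not in /etc/group")
    for name, have, want in rep["mismatch"]:
        print(f"group {name}: local gid {have}, scheme says {want}; groupmod -g {want} {name}")
    for local_name, central_name, gid in rep["collision"]:
        print(f"gid {gid} is local group {local_name} but the scheme assigns it to {central_name}")
```

Fixing a mismatch is more than `groupmod -g`: changing a group's GID does not rewrite the numeric group owner on existing files, so anything owned by the old GID has to be re-owned afterwards (for example `find / -xdev -gid 63 -exec chgrp audio {} +` for the audio case above), and a collision has to be resolved by moving the other group first or it will simply turn into a duplicate GID.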