John A. Sullivan III wrote:
On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote:
> Jonathan Barber wrote:
>
>> On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote:
>>
>>
>>> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:
>>>
>>>
>>>> John A. Sullivan III wrote:
>>>>
>>>>
>>>>>> John A. Sullivan III wrote:
>>>>>>
>>>>>>
>> [snip]
>>
>>
>>
>>> <snip>
>>> Thanks for the very thoughtful answer. I'm not only new to LDAP but
>>> also to Linux based file servers. I've been in a management role for
>>> the last decade and before then was doing NDS and NetWare for
>>> directory/file.
>>>
>>> We were planning to use a umask of 007 for standard users and set the
>>> sgid bit for shared folders. That's where we thought it would be
>>> helpful to have a group associated with each user. In fact, it finally
>>> made the default setup of creating a group for each user make sense as I
>>> always wondered why that was done. I suppose we'll also need to
>>> activate file system acls for more complex setups as when multiple
>>> groups need varying access to a shared file system directory.
>>>
>>>
>> This arrangement is known (at least by Redhat) as User Private Groups
>> (UPG):
>>
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-user...
>>
>> The primary reason for doing it is that group access to files is managed
>> via secondary group membership, not primary group membership
>>
>> If each of your users has their own group, then adding a posixGroup
>> objectclass to each user makes perfect sense. You may also want to place
>> an uniqueness constraint on the gidNumber attribute as well:
>>
http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_P...
>>
>> WRT to linux, the only gotcha I can think of is that you'll have to set
>> the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's
>> the common parent to both your users and groups - otherwise it'll never
>> find the UPG's.
>>
>>
>>
> Another way would be to omit the addition of the posixGroup on your
> account objects, and just modify the filter on nss_base_group to include
> posixAccounts.
> e.g.:
> nss_base_group
> dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount))
>
> posixAccount already includes the gidNumber and cn attributes, which is
> all you're really after here... unless you want to start adding
> memberUid attributes to your account objects (which doesn't make any
> obvious sense).
>
> You will almost certainly have to modify your nss_base_group setting in
> either case, as Jonathan suggested.
>
>
<snip>
That's what I had first attempted to do but I do not see where to set
that filter. I didn't see anything in ldap.conf or nsswitch.conf.
Where is it set? Thanks - John
/etc/ldap.conf - do man nss_ldap - look for this:
nss_base_<map> <basedn?scope?filter>
Specify the search base, scope and filter to be used
for spe-
cific maps. (Note that map forms part of the
configuration file
...