John A. Sullivan III wrote:
> On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote:
>> Jonathan Barber wrote:
>>> On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote:
>>>> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:
>>>>> John A. Sullivan III wrote:
>>>>>>> John A. Sullivan III wrote:
>>> [snip]
>>>> <snip>
>>>> Thanks for the very thoughtful answer. I'm not only new to LDAP but
>>>> also to Linux-based file servers. I've been in a management role for
>>>> the last decade and before then was doing NDS and NetWare for
>>>> directory/file.
>>>>
>>>> We were planning to use a umask of 007 for standard users and set the
>>>> sgid bit for shared folders. That's where we thought it would be
>>>> helpful to have a group associated with each user. In fact, it finally
>>>> made the default setup of creating a group for each user make sense, as I
>>>> always wondered why that was done. I suppose we'll also need to
>>>> activate file system ACLs for more complex setups, as when multiple
>>>> groups need varying access to a shared file system directory.
>>>>
>>>>
>>> This arrangement is known (at least by Red Hat) as User Private Groups
>>> (UPG):
>>> http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-user...
>>>
>>> The primary reason for doing it is that group access to files is managed
>>> via secondary group membership, not primary group membership.
>>>
>>> If each of your users has their own group, then adding a posixGroup
>>> objectclass to each user makes perfect sense. You may also want to place
>>> a uniqueness constraint on the gidNumber attribute as well:
>>> http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_P...
>>>
>>> WRT Linux, the only gotcha I can think of is that you'll have to set
>>> the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's
>>> the common parent to both your users and groups - otherwise it'll never
>>> find the UPGs.
>>>
>> Another way would be to omit the addition of the posixGroup on your
>> account objects, and just modify the filter on nss_base_group to include
>> posixAccounts.
>> e.g.:
>> nss_base_group dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount))
>>
>> posixAccount already includes the gidNumber and cn attributes, which is
>> all you're really after here... unless you want to start adding
>> memberUid attributes to your account objects (which doesn't make any
>> obvious sense).
>>
>> You will almost certainly have to modify your nss_base_group setting in
>> either case, as Jonathan suggested.
>>
>>
> <snip>
> Alas, I'm not sure this is going to work as expected but it could be my
> ignorance. I've read the man page and whatever documentation I could
> find. It appears it does an & operation with the additional filter
> whereas I need an |.
>
> I gather the default is:
> &(objectClass=posixgroup)(cn=group_name)
>
> I think I need it to be:
> |((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name)))
>
> If it does an &, I think I get:
> &((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name)))
>
> Nevertheless, I tried all of the following without success:
>
> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(objectClass=posixAccount)
>
> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(&(objectClass=posixAccount)(uid=group_name))
> this broke the posixgroup filter, too!
>
> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount)(uid=group_name)
> this broke the posixgroup filter, too!
>
> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)(uid=group_name)
> this broke the posixgroup filter, too!
>
> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)
> this broke the posixgroup filter, too!
>
> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount)
>
> I did flush the nscd group database between each try. What am I doing
> wrong? Thanks - John
>
It's not immediately obvious to me where the problem is.
But, have you tried reviewing your LDAP server's access log?
That's often a huge help for troubleshooting this kind of thing.
<snip>
Thanks. I do see what it is doing but I'm still not sure how to
configure the nss_base_group for two reasons which I'll state in a
second. Here is a query when I do an ls -l on a directory so it needs
to resolve the gidnumber to a group name:
filter="(&(objectClass=posixGroup)(gidNumber=103000)(|(&(objectClass=posixAccount)(gidNumber=group_number))))"
This is what happens if I try to do a chgrp and it thus needs to resolve
a name to a number:
filter="(&(objectClass=posixGroup)(cn=barry.knowles)(|(&(objectClass=posixAccount))))"
The first question is where to find the variables which are replaced by
the actual values. You can see I guessed at group_number in the first
case and was wrong. How do I build a filter which will substitute
103000 when I am seeking that particular gidnumber?
The second question is the sought attribute seems to vary depending on
the function. How do I create the filter to search on gidnumber in the
first case and cn in the second?
Sorry if I'm being dense. I'm quite new to all this - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan(a)opensourcedevel.com
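Added example (not code from the thread or from nss_ldap): a small LDAP filter evaluator that models how nss_ldap composed the group lookups John saw in the slapd access log, i.e. the built-in `(objectClass=posixGroup)` and lookup term AND-ed with whatever follows `?sub?` in nss_base_group, wrapped in its own parentheses. That composition rule is inferred from the two logged filters above and is an assumption of this example, as are the sample entries under dc=example,dc=com (one UPG-style user carrying both posixAccount and posixGroup, one bare posixAccount, a shared group, and a group whose gidNumber deliberately collides with a user's private group). It also includes the gidNumber uniqueness check Jonathan recommended. The parser handles `&`, `|`, `!` and equality only; no escapes or substring matches.

```python
"""Tiny RFC 4515 filter evaluator used to model nss_ldap's nss_base_group
composition. Added example; the directory below is constructed, not real."""

# Attribute names are stored lower-cased so matching is case-insensitive,
# as LDAP attribute types are.
DIRECTORY = [
    {"dn": "uid=jdoe,ou=People,dc=example,dc=com",            # UPG layout
     "objectclass": ["posixAccount", "posixGroup"],
     "uid": ["jdoe"], "cn": ["jdoe"],
     "uidnumber": ["103000"], "gidnumber": ["103000"]},
    {"dn": "uid=barry.knowles,ou=People,dc=example,dc=com",   # bare account
     "objectclass": ["posixAccount"],
     "uid": ["barry.knowles"], "cn": ["barry.knowles"],
     "uidnumber": ["103001"], "gidnumber": ["103001"]},
    {"dn": "cn=staff,ou=Groups,dc=example,dc=com",            # shared group
     "objectclass": ["posixGroup"], "cn": ["staff"],
     "gidnumber": ["5000"], "memberuid": ["jdoe", "barry.knowles"]},
    {"dn": "cn=oops,ou=Groups,dc=example,dc=com",             # gid collision
     "objectclass": ["posixGroup"], "cn": ["oops"], "gidnumber": ["103000"]},
]


def parse_filter(text):
    """Parse a filter string into nested tuples: ('&'|'|', [children]),
    ('!', [child]) or ('=', attr, value). Raises ValueError on bad syntax."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at %d in %r" % (ch, pos, text))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("unterminated filter %r" % text)
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if text[pos] == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", [child])
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("not an equality item: %r" % text[pos:end])
        pos = end + 1
        return ("=", attr.strip(), value.strip())

    result = node()
    if pos != len(text):
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return result


def matches(node, entry):
    """Evaluate a parsed filter against one entry; (&) is true, (|) false."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


def nss_group_filter(lookup_attr, value, extra=None):
    """Compose the lookup the way the logged queries show nss_ldap doing it
    (assumption inferred from the thread): built-in terms AND-ed with the
    operator's nss_base_group filter, which gets its own parentheses."""
    base = "(objectClass=posixGroup)(%s=%s)" % (lookup_attr, value)
    return "(&%s(%s))" % (base, extra) if extra else "(&%s)" % base


def search(directory, filt):
    """Return the DNs of entries matching the filter, in directory order."""
    parsed = parse_filter(filt)
    return [e["dn"] for e in directory if matches(parsed, e)]


def duplicate_gids(directory):
    """Jonathan's uniqueness check: gidNumbers used by more than one entry,
    whether a conventional group or a UPG user entry."""
    seen = {}
    for e in directory:
        for g in e.get("gidnumber", []):
            seen.setdefault(g, []).append(e["dn"])
    return {g: dns for g, dns in seen.items() if len(dns) > 1}


if __name__ == "__main__":
    or_extra = "|(objectClass=posixGroup)(objectClass=posixAccount)"
    for attr, val in (("gidNumber", "103000"), ("gidNumber", "103001"),
                      ("cn", "barry.knowles")):
        for extra in (None, or_extra):
            f = nss_group_filter(attr, val, extra)
            print(f, "->", search(DIRECTORY, f))
    print("duplicate gidNumbers:", duplicate_gids(DIRECTORY))
```

Running it shows the two effects under discussion: because the operator filter is AND-ed, OR-ing posixAccount into nss_base_group never matches barry.knowles, who lacks posixGroup, whereas the UPG entry jdoe is found both by cn (the chgrp path) and by gidNumber (the ls -l path). The duplicate-gid report flags 103000 as shared between jdoe's private group and cn=oops, which is exactly the ambiguity a gidNumber uniqueness constraint on the server prevents.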