On Mon, Oct 09, 2006 at 02:39:07PM -0500, Peter Samuelson wrote:
> > [Roberto C. Sanchez]
> > That is a problem if I want to serve everything up out of LDAP.
> > There really should be a "reserved" range, maybe 100-499 of Debian
> > gids, where they are assigned in a predetermined way.
>
> I don't think it's a good idea to put system users and groups into LDAP
> anyway. They are specific to a system. There is nothing wrong with
> having regular users and groups in LDAP and system users and groups in
> /etc/passwd. This is, in fact, probably the common case.
I do want the system groups in /etc/group. However, I would like to "override" or supplement the group membership with information out of LDAP. For example, in /etc/group:

camera:x:120:foo

And then in LDAP, have a group cn=camera,ou=Group,dc=example,dc=org with bar as a member. Assuming that foo is a local user account on the system in question and bar is in the directory, that should work out. I have already tested that and the system sees bar as a member of camera if he logs in.

However, the real speed bump in this is that the gids are assigned based on what order the packages are installed. So, camera has gid 120 on one system and 104 on the other. I don't imagine that it is generally a problem. However, if any files are on shared storage and end up bearing the gid of any of these groups where the gids are not uniform across systems, then the user may or may not have access to them based on which machines he is using at the moment.

All I am saying is that there should be some sort of uniformity to it.

Regards,

-Roberto

-- 
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
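The gid-drift problem Roberto describes (the same system group getting a different numeric gid on each host, so a file on shared storage resolves to a different group per machine) is easy to audit before it bites. The following is an added example written for this page, not code from the thread or from Debian: it parses /etc/group content from two hosts, reports groups whose gid differs, merges local membership with LDAP membership the way the post describes, and answers "can user X reach a file with gid N on each host?". The two /etc/group excerpts and the LDAP entry are constructed sample data; the LDAP lookup is simulated as a dictionary of posixGroup-style entries (cn, gidNumber, memberUid), which is an assumption about how the directory is laid out.

```python
"""Audit system-group gid consistency across hosts and combine local and LDAP
group membership. Added example for this page; all data below is constructed."""

# Constructed: /etc/group excerpts from two Debian hosts. Package install order
# gave "camera" and "scanner" swapped gids between the two machines.
ETC_GROUP_HOST_A = """\
root:x:0:
audio:x:29:foo
camera:x:120:foo
scanner:x:104:
"""

ETC_GROUP_HOST_B = """\
root:x:0:
audio:x:29:foo
camera:x:104:
scanner:x:120:
"""

# Constructed: simulated result of looking up posixGroup entries under
# ou=Group,dc=example,dc=org, keyed by cn (assumption about the directory layout).
LDAP_GROUPS = {
    "camera": {"gidNumber": 120, "memberUid": ["bar"]},
}


def parse_etc_group(text):
    """Return {name: (gid, set_of_members)} for /etc/group-style content."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _passwd, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def gid_mismatches(hosts):
    """hosts: {hostname: parsed /etc/group map}. Return {group: {host: gid}} for
    every group whose gid is not the same on all hosts that define it."""
    by_group = {}
    for host, groups in hosts.items():
        for name, (gid, _members) in groups.items():
            by_group.setdefault(name, {})[host] = gid
    return {name: gids for name, gids in by_group.items()
            if len(set(gids.values())) > 1}


def effective_members(local_groups, ldap_groups, name):
    """Union of local and LDAP members, as NSS sees a group served by both sources."""
    members = set()
    if name in local_groups:
        members |= local_groups[name][1]
    if name in ldap_groups:
        members |= set(ldap_groups[name]["memberUid"])
    return members


def shared_file_access(hosts, ldap_groups, file_gid, user):
    """For a file on shared storage owned by numeric gid file_gid, report per host
    whether `user` belongs to whatever group carries that gid there. Permission
    checks are numeric, so the same file lands in a different group on each host."""
    result = {}
    for host, groups in hosts.items():
        owner = next((g for g, (gid, _) in groups.items() if gid == file_gid), None)
        result[host] = owner is not None and user in effective_members(
            groups, ldap_groups, owner)
    return result


if __name__ == "__main__":
    hosts = {"hostA": parse_etc_group(ETC_GROUP_HOST_A),
             "hostB": parse_etc_group(ETC_GROUP_HOST_B)}
    for name, gids in sorted(gid_mismatches(hosts).items()):
        print(f"gid drift: {name}: {gids}")
    print("file with gid 120, user bar:", shared_file_access(hosts, LDAP_GROUPS, 120, "bar"))
```

Running it flags camera and scanner as drifting, and shows that a file created by bar in the camera group on hostA (gid 120) is owned by the scanner group on hostB, where bar is not a member. The same audit applied to real hosts just needs each machine's /etc/group content and the real LDAP query substituted for the constructed inputs.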