Rich Megginson wrote:
> Igor wrote:
>
> >Hi, all. This is probably a dumb question but how do
> >I add a group? Simply adding a group thru the UI
> >doesn't allow one to specify a GID. I tried adding an
> >object type "OTHER" and selecting posixGroup. That
> >seemed to have worked, is that how this is to be done?
> >
> >
> Yes.
>
> >Because under company name aci, it shows up with gid
> >number, NOT the group name which is kind of ugly.
> >
> >
> Right. A console "group" is a groupOfUniqueNames. A posixGroup is a
> unix /etc/groups replacement group.
One cool thing I've noticed while working on research for Red Hat's
RH423 class: it turns out that Red Hat Directory Server allows you
to assign an entry both the groupOfUniqueNames and posixGroup object
classes at the same time!
Strictly speaking this is a schema violation, since they are
unrelated structural classes, but Directory Server does not enforce
the rule that there can only be one structural class chain on an
entry. Now, the interesting thing is that it's been proposed
(in the expired Internet-Draft draft-howard-rfc2307bis-00.txt)
that posixGroup be changed to an auxiliary class so that it and
groupOfUniqueNames can be used together to make this legal. It
was further proposed that group members can be stored not just as
login names (in memberUid attributes from posixGroup), but ALSO
as DNs of posixAccount entries (in uniqueMember attributes from
groupOfUniqueNames).
It turns out that the author of the proposal is the developer of
the nss_ldap package used by Red Hat Enterprise Linux, so nss_ldap
already supports this. This means that if there is a directory
entry uid=testuser,ou=people,dc=example,dc=com that's a valid
posixAccount user, you can define a static group entry with LDIF
like the following:
dn: cn=unixgroup,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
objectclass: posixGroup
cn: unixgroup
gidNumber: 1701
uniqueMember: uid=testuser,ou=people,dc=example,dc=com
use system-config-authentication to set up a RHEL client to use
nss_ldap to look up user information from the directory, and get this:
[root@example ~]# getent group unixgroup
unixgroup:x:1701:testuser
-- Steve Bonneville
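The lookup described in the post above, as an added Python example that is not from the thread and not nss_ldap's own code: it parses constructed LDIF (the group entry above plus two user entries, one of which deliberately lacks posixAccount) and builds the getent-style line, taking memberUid values as login names and resolving uniqueMember DNs to the uid of posixAccount entries, as the rfc2307bis draft proposes. Skipping a uniqueMember DN whose entry is not a posixAccount is an assumption about client behaviour, not something the thread states.

```python
# Added example (not nss_ldap's code): resolve a combined
# groupOfUniqueNames/posixGroup entry as an rfc2307bis-aware client does.
# Constructed LDIF: the group from the thread plus two users; the second
# has no posixAccount, so its DN cannot be mapped to a login name.
LDIF = """\
dn: uid=testuser,ou=people,dc=example,dc=com
objectclass: posixAccount
uid: testuser
gidNumber: 1701

dn: uid=nonposix,ou=people,dc=example,dc=com
objectclass: person
uid: nonposix

dn: cn=unixgroup,ou=groups,dc=example,dc=com
objectclass: groupOfUniqueNames
objectclass: posixGroup
cn: unixgroup
gidNumber: 1701
memberUid: legacyuser
uniqueMember: uid=testuser,ou=people,dc=example,dc=com
uniqueMember: uid=nonposix,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF (no continuations/base64) -> {dn: {attr: [values]}}; DNs and attribute names lower-cased (both are case-insensitive)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0].lower()] = attrs
    return entries

def group_members(entries, grp):
    """memberUid values are login names already; a uniqueMember DN counts only if it points at a posixAccount entry (assumed client rule), whose uid is used."""
    names = list(grp.get("memberuid", []))
    for dn in grp.get("uniquemember", []):
        user = entries.get(dn.lower(), {})
        if "posixaccount" in [c.lower() for c in user.get("objectclass", [])]:
            names += [u for u in user.get("uid", []) if u not in names]
    return names

def getent_group(entries, name):
    """Format the group like 'getent group <name>': name:x:gid:member1,member2."""
    grp = next(e for e in entries.values() if name in e.get("cn", []))
    return f"{name}:x:{grp['gidnumber'][0]}:{','.join(group_members(entries, grp))}"
```

Calling `getent_group(parse_ldif(LDIF), "unixgroup")` yields `unixgroup:x:1701:legacyuser,testuser`; the nonposix DN is dropped because a client has no uid to map it to.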