John A. Sullivan III wrote:
On Fri, 2008-11-21 at 09:10 -0700, Rich Megginson wrote:
> John A. Sullivan III wrote:
>
>> On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote:
>>
>>
>>> Jonathan Barber wrote:
>>>
>>>
>>>> On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote:
>>>>
>>>>
>>>>
>>>>> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:
>>>>>
>>>>>
>>>>>
>>>>>> John A. Sullivan III wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>>> John A. Sullivan III wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>> [snip]
>>>>
>>>>
>>>>
>>>>
>>>>> <snip>
>>>>> Thanks for the very thoughtful answer. I'm not only new to LDAP
but
>>>>> also to Linux based file servers. I've been in a management role
for
>>>>> the last decade and before then was doing NDS and NetWare for
>>>>> directory/file.
>>>>>
>>>>> We were planning to use a umask of 007 for standard users and set
the
>>>>> sgid bit for shared folders. That's where we thought it would
be
>>>>> helpful to have a group associated with each user. In fact, it
finally
>>>>> made the default setup of creating a group for each user make sense
as I
>>>>> always wondered why that was done. I suppose we'll also need to
>>>>> activate file system acls for more complex setups as when multiple
>>>>> groups need varying access to a shared file system directory.
>>>>>
>>>>>
>>>>>
>>>> This arrangement is known (at least by Redhat) as User Private Groups
>>>> (UPG):
>>>>
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-user...
>>>>
>>>> The primary reason for doing it is that group access to files is managed
>>>> via secondary group membership, not primary group membership
>>>>
>>>> If each of your users has their own group, then adding a posixGroup
>>>> objectclass to each user makes perfect sense. You may also want to place
>>>> an uniqueness constraint on the gidNumber attribute as well:
>>>>
http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_P...
>>>>
>>>> WRT to linux, the only gotcha I can think of is that you'll have to
set
>>>> the nss_ldap nss_base_group option in /etc/ldap.conf to an entry
that's
>>>> the common parent to both your users and groups - otherwise it'll
never
>>>> find the UPG's.
>>>>
>>>>
>>>>
>>>>
>>> Another way would be to omit the addition of the posixGroup on your
>>> account objects, and just modify the filter on nss_base_group to include
>>> posixAccounts.
>>> e.g.:
>>> nss_base_group
>>> dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount))
>>>
>>> posixAccount already includes the gidNumber and cn attributes, which is
>>> all you're really after here... unless you want to start adding
>>> memberUid attributes to your account objects (which doesn't make any
>>> obvious sense).
>>>
>>> You will almost certainly have to modify your nss_base_group setting in
>>> either case, as Jonathan suggested.
>>>
>>>
>>>
>> <snip>
>> Alas, I'm not sure this is going to work as expected but it could be my
>> ignorance. I've read the man page and whatever documentation I could
>> find. It appears it does an & operation with the additional filter
>> whereas I need an |.
>>
>> I gather the default is:
>> &(objectClass=posixgroup)(cn=group_name)
>>
>> I think I need it to be:
>>
|((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name)))
>>
>> If it does an &, I think I get:
>>
&((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name)))
>>
>> Nevertheless, I tried all of the following without success:
>>
>> nss_base_group
dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(objectClass=posixAccount)
>>
>>
> Invalid filter - the "|" character does not belong there.
>
>> nss_base_group
dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(&(objectClass=posixAccount)(uid=group_name))
>> this broke the posixgroup filter, too!
>>
>>
> Also invalid - "|" character
>
>> nss_base_group
dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount)(uid=group_name)
>> this broke the posixgroup filter, too!
>>
>>
> Invalid filter - a filter must begin with ( and end with ) - so
> (&(objectClass=posixAccount)(uid=group_name))
>
>> nss_base_group
dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)(uid=group_name)
>> this broke the posixgroup filter, too!
>>
>>
> Invalid filter - (&(objectClass=posixAccount)(uid=group_name))
>
>> nss_base_group
dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)
>> this broke the posixgroup filter, too!
>>
>>
> Not sure what's wrong with this one - looks ok
>
>> nss_base_group
dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount)
>>
>>
> Invalid filter - should just be (objectClass=posixAccount)
>
>> I did flush the nscd group database between each try. What am I doing
>> wrong? Thanks - John
>>
>>
> It looks as though nss_base_group uses LDAP URL syntax - see
>
http://www.ietf.org/rfc/rfc2255.txt for more information about LDAP
> URLs, and
http://www.ietf.org/rfc/rfc2254.txt for information about LDAP
> filters
>
<snip>
Thanks very much. The reason I did not have the initial and ending ()
is it appears nss puts them there itself when it does the &. At least,
that's the way it looked in the access log.
How does one pass the values to the ldap query, i.e., what the sought
cn
or gidnumber is? - John
I suppose getent/nss_ldap does that automatically - check the access log
on the directory server.