
Re: gids assigned non-deterministically



On Mon, Oct 09, 2006 at 02:39:07PM -0500, Peter Samuelson wrote:
> 
> [Roberto C. Sanchez]
> > That is a problem if I want to serve everything up out of LDAP.
> > There really should be a "reserved" range, maybe 100-499 of Debian
> > gids, where they are assigned in a predetermined way.
> 
> I don't think it's a good idea to put system users and groups into LDAP
> anyway.  They are specific to a system.  There is nothing wrong with
> having regular users and groups in LDAP and system users and groups in
> /etc/passwd.  This is, in fact, probably the common case.

I do want the system groups in /etc/group.  However, I would like to
"override" or supplement the group membership with information out of
LDAP.  For example, in /etc/group:

camera:x:120:foo

And then in LDAP, have a group cn=camera,ou=Group,dc=example,dc=org with
bar as a member.  Assuming that foo is a local user account on the
system in question and bar is in the directory, that should work out.  I
have already tested that and the system sees bar as a member of camera
if he logs in.  However, the real speed bump in this is that the gids
are assigned based on what order the packages are installed.  So, camera
has gid 120 on one system and 104 on the other.  I don't imagine that it
is generally a problem.  However, if any files are on shared storage and
end up bearing the gid of any of these groups where the gids are not
uniform across systems, then the user may or may not have access to them
based on which machines he is using at the moment.  All I am saying is
that there should be some sort of uniformity to it.

Regards,

-Roberto

-- 
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
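
The gid drift described in the message above can be checked for before files land on shared storage. The following is an added example, not part of the original message: it compares /etc/group contents collected from several hosts and reports both group names whose gid differs and gids that name different groups. The host names, the "scanner" group and the sample file contents are constructed for illustration.

```python
# Added example: detect non-uniform system gids across hosts.
from collections import defaultdict

def parse_group(text):
    """Parse /etc/group text into {name: gid}; skip blank, comment and malformed lines."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")          # name:password:gid:member,member
        if len(fields) != 4 or not fields[2].isdigit():
            continue
        groups[fields[0]] = int(fields[2])
    return groups

def gid_drift(hosts):
    """hosts: {hostname: /etc/group text}. Returns (name_conflicts, gid_collisions)."""
    by_name = defaultdict(dict)   # group name -> {host: gid}
    by_gid = defaultdict(dict)    # gid -> {host: group name}
    for host, text in hosts.items():
        for name, gid in parse_group(text).items():
            by_name[name][host] = gid
            by_gid[gid][host] = name
    # Same group name, different gid: membership will not follow files across hosts.
    name_conflicts = {n: m for n, m in by_name.items() if len(set(m.values())) > 1}
    # Same gid, different group name: files on shared storage change owner group per host.
    gid_collisions = {g: m for g, m in by_gid.items() if len(set(m.values())) > 1}
    return name_conflicts, gid_collisions

# Constructed sample data: camera is 120 on one host and 104 on the other,
# as in the message; "scanner" is a hypothetical second package-created group.
SAMPLE = {
    "hostA": "camera:x:120:foo\nscanner:x:104:\nusers:x:100:\n",
    "hostB": "camera:x:104:foo\nscanner:x:105:\nusers:x:100:\n",
}

if __name__ == "__main__":
    names, gids = gid_drift(SAMPLE)
    for name, m in sorted(names.items()):
        print(f"group {name!r} has different gids: {m}")
    for gid, m in sorted(gids.items()):
        print(f"gid {gid} names different groups: {m}")
```

The gid collision is the case that matters for access control: a file written with gid 104 by a camera member on hostB is readable by scanner members on hostA.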
