
Re: ldap conversion strategy



John Smith wrote:
Hi All,

	I'm in the process of designing a plan to move a lot of Debian
workstations (all with local users configured) to an LDAP-managed
environment and have some choices to make, some easy, some tough. Here is one of the latter category:

	In order to keep the users using applications they derive from
their current local group memberships, I intend to recreate the local
groups (luckily all according to the default Debian installer policy
and uniquely identified by the same gid over all workstations) in the
ldap tree.

Should I create each and every group (audio with gid=29 for example) in the LDAP tree with the same group id as locally defined?

	Will those two groups collide and if so, what is the best way
to solve this collision?

Sincerely,

Jan.



Moving it all to LDAP is exactly what I did, but the approach has a few problems. Basically, whilst it works just fine, any updates to the base packages will be applied to the local files, not the LDAP directory. That means watching for updates and manually updating the LDAP tree. Not a biggie, but still a pain. In order to reduce the potential for conflicts, I also disabled most of the local groups. Unfortunately, updates re-enable these too.

It would be nice to have the base packages call scripts for adding/removing the base users and groups that could be pointed at scripts or something similar that could be made to service LDAP, but that's not the way it currently works and I haven't the faintest idea how to go about actually making it, nor, in fact, the time to do so either.

Good luck, it does work well in the end.

- Jamie
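
Added example, not part of the messages above: a Python check for the drift described in the reply, comparing a workstation's /etc/group with posixGroup entries exported from LDAP as LDIF. The group data, the dc=example,dc=org base and the function names are constructed for illustration, and it assumes plain LDIF without folded or base64 values.

```python
# Constructed sample data (only gid 29 for audio comes from the thread).
LOCAL_GROUP = """\
audio:x:29:alice
video:x:44:alice,bob
scanner:x:116:
"""
LDAP_LDIF = """\
dn: cn=audio,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: audio
gidNumber: 29
memberUid: alice
memberUid: carol

dn: cn=video,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: video
gidNumber: 1044
"""

def parse_group_file(text):  # /etc/group lines -> {name: (gid, members)}
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            groups[name] = (int(gid), set(filter(None, members.split(","))))
    return groups

def parse_ldif_groups(text):  # posixGroup LDIF entries -> {cn: (gidNumber, memberUids)}
    groups = {}
    for entry in text.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        if "posixGroup" in attrs.get("objectClass", []):
            groups[attrs["cn"][0]] = (int(attrs["gidNumber"][0]), set(attrs.get("memberUid", [])))
    return groups

def find_drift(local, ldap):  # local groups missing from, or disagreeing with, LDAP
    findings = []
    for name, (gid, members) in sorted(local.items()):
        if name not in ldap:
            findings.append(("local_only", name, gid))
        elif ldap[name][0] != gid:
            findings.append(("gid_mismatch", name, gid, ldap[name][0]))
        elif ldap[name][1] != members:
            findings.append(("members_differ", name, sorted(members), sorted(ldap[name][1])))
    return findings
```

Run after each package upgrade, a report like this shows which local groups were added or changed and still need to be reflected in the directory.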
