
nss + pam + samba + ldap + rfc2307bis

Hello,

I'm planning on restructuring our authentication services. Currently
they're a simple LDAP setup with posixGroups, which afaik makes dynamic
groups impossible (correct me if I'm wrong, _please_ tell me how to do
that).

Googling around I found rfc2307bis, which, in contrast to rfc2307, makes
posixGroup auxiliary so that one could use groupOfNames to build groups.

For those not knowing what this is about:

Using posixGroup you define group members with memberUid (the login name);
imho a better approach (but the RFC was deleted by the IETF, does anybody
know why?) is to use the DN of an LDAP object. This is very well possible
with groupOfNames, but groupOfNames is missing the gidNumber attribute,
which is needed by libnss-ldap and samba.

The quirk in Debian imho is that samba doesn't support the rfc2307bis
schema and schema mapping; it's simply compiled without it, while
libpam-ldap and libnss-ldap do support this schema.

Is there any way to get around that using groupOfNames (so that I can add
one group to another group and sleep well because pam, nss and samba will
know how to deal with it)? Or any other means? groupOfNames would be
quite comfortable because intermediate tools could always check for the
existence of an LDAP object with the given DN and thus check for
validity.

regards
martin

PS: if you know where it would be better to ask this question, please
point me to it; imho this is very Debian specific because it deals with
the standard packages available in etch.
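As an added illustration of the rfc2307bis layout the post describes (not code from the original post or from any Debian package): groupOfNames entries carrying the auxiliary posixGroup class so they also have a gidNumber, nested group membership by DN, and the "does the referenced DN actually exist" check the poster mentions. The directory is a constructed in-memory stand-in for an LDAP server; all DNs, uids and gidNumbers are hypothetical.

```python
# Added example: resolve rfc2307bis-style groups (groupOfNames +
# auxiliary posixGroup) from a constructed in-memory directory,
# flattening nested groups, reporting member DNs that do not exist,
# and rendering the result as the group line NSS would hand out.
# DNs, uids and gidNumbers below are hypothetical sample data.

DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["bob"]},
    "cn=devs,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames", "posixGroup"], "gidNumber": ["2001"],
        "member": ["uid=alice,ou=people,dc=example,dc=org",
                   "uid=bob,ou=people,dc=example,dc=org"]},
    "cn=staff,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames", "posixGroup"], "gidNumber": ["2000"],
        "member": ["cn=devs,ou=groups,dc=example,dc=org",          # nested group
                   "uid=carol,ou=people,dc=example,dc=org"]},      # dangling DN
}


def resolve_group(dn, directory=DIRECTORY, _seen=None):
    """Return (uids, missing_dns) for a group, following nested groups."""
    _seen = _seen if _seen is not None else set()
    if dn in _seen:            # cycle guard: a group that (indirectly) contains itself
        return set(), set()
    _seen.add(dn)
    uids, missing = set(), set()
    for member in directory.get(dn, {}).get("member", []):
        entry = directory.get(member)
        if entry is None:      # member DN points at no object: flag it
            missing.add(member)
        elif "posixAccount" in entry["objectClass"]:
            uids.update(entry["uid"])
        elif "groupOfNames" in entry["objectClass"]:
            sub_uids, sub_missing = resolve_group(member, directory, _seen)
            uids |= sub_uids
            missing |= sub_missing
    return uids, missing


def nss_group_line(dn, directory=DIRECTORY):
    """Render the flattened group as NSS would: name:x:gid:user,user."""
    entry = directory[dn]
    uids, _ = resolve_group(dn, directory)
    name = dn.split(",")[0].split("=", 1)[1]
    return f"{name}:x:{entry['gidNumber'][0]}:{','.join(sorted(uids))}"
```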
