Michael Ströder wrote:
Brendan Kearney wrote:
As a caveat to my ACLs, most of my groups are the posixGroup class. from what i understand, that means i need to use set ACLs, instead of group ACLs.
I guess you're talking about RFC2307 vs. RFC2307bis posixGroup definition.
In my searching, i have found an explicit reason to keep using the posixGroup type, as NFSv4 ACLs can only use posixGroup types of groups. the dependency is because of the use of memberUid attributes.
Well, so I'll keep my custom hybrid group schema for now:
objectclass ( some-custom-oid-here NAME 'hybridPosixGroup' DESC 'Group for mixed group schema RFC 2307 and RFC 2307bis' STRUCTURAL SUP ( groupOfNames $ posixGroup ) )
The caveat is that you have to synchronously maintain attributes 'member' and 'memberUID'. In my deployments web2ldap does that for me.
There is no reason to maintain both. pam_ldap/nss_ldap both support RFC2307bis natively, as do nssov and nss-pam-ldapd.