Hi,
I created a DIT on a CentOS 6.5 box that looks something like this:
                        dc=name,dc=com
                       /       |        \
               ou=users    ou=systems    ou=policies
               /  |  \      /      \          |
           user1 user2  cn=group1  cn=group2  cn=ppolicy
                 user3    /   \      /   \
                      user1 user2 user2 user3
I created my users, and I added several "linux groups" using the LDIF file:

    dn: cn=dev,ou=systems,dc=ehs,dc=edu
    cn: dev
    gidNumber: 4005
    objectClass: posixGroup
My goal was to simulate an entry that you'd find in the /etc/group file on a Linux system. So I added people to this group using the LDIF file:

    dn: cn=dev,ou=systems,dc=ehs,dc=edu
    changetype: modify
    add: memberUid
    memberUid: user1
    memberUid: user2
So while user1 and user2 are in the default group "users", I wanted them to be able to change the group on their files to "dev" in order to protect their development files.
Now, this seemed to work, and when I went on my client and ran the command "groups user1", I saw "users" and "dev".
However, yesterday I added another group called "team0" with gid 22222 using the following LDIF file:

    dn: cn=team0,ou=systems,dc=ehs,dc=edu
    cn: team0
    gidNumber: 22222
    objectClass: posixGroup
When I was logged into my client machine (CentOS 5.5 box) and ran "groups" on an old user, it showed "users", "dev" and now "team0", although I never added that user to the new group.
I cleaned the client cache using the nscd -i invalidate=group command, and then I removed all the cached directories in /var/db/nscd, and rebooted, but that new group seems to have been applied to everyone.
I might have screwed up the creation of my DIT, but I was thinking that things were working OK since I could add "unix groups" that are visible with the "getent group" command on a client, I could add users into these groups, and I could change the group of files to lock out some users, but I don't understand this behavior now.
I have about 6 groups defined and the last one I created yesterday is the only one that seems to get applied to all users.
I'd appreciate any help you could give.... I'm scratching my head on this one.
Thanks.
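A diagnostic that separates "what the client's NSS layer reports" from "what the directory actually records" is the first thing worth running on a problem like the one described above. The script below is an added example, not code from the original post: it parses the output of `getent group` on the client and an LDIF dump of the posixGroup entries (for example from `ldapsearch -x -b ou=systems,dc=ehs,dc=edu '(objectClass=posixGroup)'`), and lists every group/user pair the client shows that has no matching memberUid in LDAP, every pair LDAP holds that the client does not show (a stale nscd cache, for instance), and any gidNumber mismatches. The sample getent output and LDIF embedded in the script are constructed to mirror the situation in the post; the base DN, group names and gids are assumptions.

```python
"""Cross-check client group membership (getent group) against LDAP posixGroup
entries (LDIF dump).  Added example; sample data below is constructed."""

from collections import defaultdict

# Constructed sample: what `getent group` on the client might print.
# "users" is a local group from /etc/group; the other two come from LDAP.
SAMPLE_GETENT = """\
users:x:100:
dev:x:4005:user1,user2
team0:x:22222:user1,user2,user3
"""

# Constructed sample: LDIF dump of the posixGroup entries under ou=systems.
# Note that team0 has no memberUid values at all.
SAMPLE_LDIF = """\
dn: cn=dev,ou=systems,dc=ehs,dc=edu
cn: dev
gidNumber: 4005
objectClass: posixGroup
memberUid: user1
memberUid: user2

dn: cn=team0,ou=systems,dc=ehs,dc=edu
cn: team0
gidNumber: 22222
objectClass: posixGroup
"""


def parse_getent_groups(text):
    """Return {group: (gid, set_of_members)} from `getent group` lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_ldif_groups(text):
    """Return {cn: (gidNumber, set_of_memberUid)} for posixGroup LDIF entries.

    Attribute names are matched case-insensitively, folded continuation
    lines (leading space) are joined, and base64 ('::') values are skipped
    because the attributes needed here are plain ASCII.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], defaultdict(list)
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value, not needed
            continue
        current[attr.strip().lower()].append(value.strip())

    groups = {}
    for entry in entries:
        classes = {v.lower() for v in entry.get("objectclass", [])}
        if "posixgroup" not in classes:
            continue
        name = entry["cn"][0]
        gid = int(entry["gidnumber"][0])
        groups[name] = (gid, set(entry.get("memberuid", [])))
    return groups


def membership_diff(client_groups, ldap_groups):
    """Compare the client's NSS view with the directory's posixGroup entries.

    extra_on_client   : (group, user) the client reports but LDAP lacks
    missing_on_client : (group, user) LDAP records but the client omits
    gid_mismatch      : (group, client_gid, ldap_gid)
    unknown_groups    : client groups with no posixGroup in LDAP (local groups)
    """
    report = {"extra_on_client": [], "missing_on_client": [],
              "gid_mismatch": [], "unknown_groups": []}
    for name, (gid, members) in sorted(client_groups.items()):
        if name not in ldap_groups:
            report["unknown_groups"].append(name)
            continue
        ldap_gid, ldap_members = ldap_groups[name]
        if gid != ldap_gid:
            report["gid_mismatch"].append((name, gid, ldap_gid))
        report["extra_on_client"] += [(name, u) for u in sorted(members - ldap_members)]
        report["missing_on_client"] += [(name, u) for u in sorted(ldap_members - members)]
    return report


if __name__ == "__main__":
    result = membership_diff(parse_getent_groups(SAMPLE_GETENT),
                             parse_ldif_groups(SAMPLE_LDIF))
    for key, rows in result.items():
        print(key)
        for row in rows:
            print("   ", row)
```

On real systems replace the two sample strings with the actual `getent group` output and an `ldapsearch` dump. Pairs listed under `extra_on_client` are memberships the client invented (or still has cached) rather than ones recorded in the directory, which is the case to investigate first; local groups from /etc/group will always appear under `unknown_groups` and can be ignored.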