list members,
As a caveat to my ACLs, most of my groups are the posixGroup class. from what i understand, that means i need to use set ACLs, instead of group ACLs. this does not seem to be a big deal, and is covered in the admin guide. that being said, i am looking to find out what the functional differences between a posixGroup and groupOfNames are? are there significant reasons to use one over the other? in my environment, i have the ability to recreate all the posixGroup objects as groupOfNames objects, if it would help with the creation of ACLs and other work to be done. is that a worthwhile effort?
In my searching, i have found an explicit reason to keep using the posixGroup type, as NFSv4 ACLs can only use posixGroup types of groups. the dependency is because of the use of memberUid attributes. would there be any other explicit reasons to use one group type over another?
my users have inetOrgPerson as their structural class, and as such i cannot add the NFSv4RemotePerson class to their list of objectClass attributes. the NFSv4RemotePerson class is structural as well. i have heard about the ability to create a hierarchy of objectClass objects so that an object can inherit the properties of all the SUP classes. is there a way i can create this hierarchy to allow multiple structural class attributes to be inherited by user objects? i have not found much info around doing this. are there any pointers?
thanks in advance,
brendan
Brendan Kearney wrote:
> As a caveat to my ACLs, most of my groups are the posixGroup class. from what i understand, that means i need to use set ACLs, instead of group ACLs.
I guess you're talking about RFC2307 vs. RFC2307bis posixGroup definition.
> In my searching, i have found an explicit reason to keep using the posixGroup type, as NFSv4 ACLs can only use posixGroup types of groups. the dependency is because of the use of memberUid attributes.
Well, so I'll keep my custom hybrid group schema for now:
objectclass ( some-custom-oid-here
    NAME 'hybridPosixGroup'
    DESC 'Group for mixed group schema RFC 2307 and RFC 2307bis'
    STRUCTURAL
    SUP ( groupOfNames $ posixGroup ) )
The caveat is that you have to synchronously maintain attributes 'member' and 'memberUID'. In my deployments web2ldap does that for me.
Ciao, Michael.
Michael Ströder wrote:
> Brendan Kearney wrote:
>> As a caveat to my ACLs, most of my groups are the posixGroup class. from what i understand, that means i need to use set ACLs, instead of group ACLs.
> I guess you're talking about RFC2307 vs. RFC2307bis posixGroup definition.
>> In my searching, i have found an explicit reason to keep using the posixGroup type, as NFSv4 ACLs can only use posixGroup types of groups. the dependency is because of the use of memberUid attributes.
> Well, so I'll keep my custom hybrid group schema for now:
> objectclass ( some-custom-oid-here
>     NAME 'hybridPosixGroup'
>     DESC 'Group for mixed group schema RFC 2307 and RFC 2307bis'
>     STRUCTURAL
>     SUP ( groupOfNames $ posixGroup ) )
> The caveat is that you have to synchronously maintain attributes 'member' and 'memberUID'. In my deployments web2ldap does that for me.
There is no reason to maintain both. pam_ldap/nss_ldap both support RFC2307bis natively, as do nssov and nss-pam-ldapd.
Howard Chu wrote:
> Michael Ströder wrote:
>> Brendan Kearney wrote:
>>> As a caveat to my ACLs, most of my groups are the posixGroup class. from what i understand, that means i need to use set ACLs, instead of group ACLs.
>> I guess you're talking about RFC2307 vs. RFC2307bis posixGroup definition.
>>> In my searching, i have found an explicit reason to keep using the posixGroup type, as NFSv4 ACLs can only use posixGroup types of groups. the dependency is because of the use of memberUid attributes.
>> Well, so I'll keep my custom hybrid group schema for now:
>> objectclass ( some-custom-oid-here
>>     NAME 'hybridPosixGroup'
>>     DESC 'Group for mixed group schema RFC 2307 and RFC 2307bis'
>>     STRUCTURAL
>>     SUP ( groupOfNames $ posixGroup ) )
>> The caveat is that you have to synchronously maintain attributes 'member' and 'memberUID'. In my deployments web2ldap does that for me.
> There is no reason to maintain both. pam_ldap/nss_ldap both support RFC2307bis natively, as do nssov and nss-pam-ldapd.
In some environments you do not control the configuration of all (legacy) clients.
Ciao, Michael.
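An added example, not part of the thread and not code from web2ldap or OpenLDAP: when a hybrid group carries both 'member' and 'memberUid', directory-side checks that read 'member' and RFC 2307 clients that read 'memberUid' can disagree about who is in the group, so this audit reports the drift. The LDIF, the DNs and the mapping of a member DN to a login name through the user entry's 'uid' attribute are assumptions made for the example.

```python
# Added example: audit hybrid groups for drift between 'member' (DNs) and 'memberUid' (logins).
# SAMPLE_LDIF is constructed data; dc=example,dc=com and the entries are assumptions.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob

dn: cn=storage,ou=groups,dc=example,dc=com
objectClass: hybridPosixGroup
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
memberUid: alice
memberUid: carol

dn: cn=web,ou=groups,dc=example,dc=com
objectClass: hybridPosixGroup
member: uid=alice,ou=people,dc=example,dc=com
memberUid: alice
"""

def parse_ldif(text):
    """Minimal LDIF reader: plain 'attr: value' lines, blank line between entries."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def audit_groups(entries):
    """Return {group dn: (logins only in 'member', logins only in 'memberUid')}."""
    uid_of = {e["dn"][0].lower(): e["uid"][0] for e in entries if "uid" in e}
    drift = {}
    for e in entries:
        if "member" not in e and "memberuid" not in e:
            continue
        # A member DN with no matching user entry is reported by its DN.
        via_member = {uid_of.get(dn.lower(), dn) for dn in e.get("member", [])}
        via_uid = set(e.get("memberuid", []))
        if via_member != via_uid:
            drift[e["dn"][0]] = (sorted(via_member - via_uid), sorted(via_uid - via_member))
    return drift

if __name__ == "__main__":
    for dn, (only_member, only_uid) in audit_groups(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{dn}: member only {only_member}, memberUid only {only_uid}")
```

In a real deployment the input would be an export of the people and groups subtrees; the reader above does not handle folded or base64-encoded LDIF lines.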