Hi all, I need some clarification regarding how permissions of members are handled when they log in to a client machine. As I understand it, the "gidNumber" that I give while creating a group entry (like "gidNumber" "4" for "qagroup", which refers to the "gid" of the "adm" group in /etc/group on a Linux machine) means that the permissions of that group are assigned to the members of "qagroup", i.e. ldap1 & ldap2, when they log in to any client. Is that correct?
It is confusing because members ldap1 & ldap2 belong to the posixAccount objectclass, which also requires gidNumber as a required attribute. So do the gidNumber values mentioned in a member's entry get overwritten by the gidNumber attribute inside their group, i.e. "qagroup"? What about the case where a single member is added to multiple groups? What permissions does the member get when he logs on to a particular machine?
ldif input:

dn: uid=ldap1,ou=Users,dc=test,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/ldap1
loginShell: /bin/bash
cn: ldap1
uidNumber: 10000
# <============= gidNumber on the user entry
gidNumber: 500
sn: ldap1
mobile: 987777787
physicalDeliveryOfficeName: ravi
userPassword: ldap1
uid: ldap1

dn: cn=qagroup,ou=Groups,dc=test,dc=com
cn: qagroup
# <=============== gidNumber on the group entry
gidNumber: 4
objectClass: posixGroup
# memberUid takes the login name (the uid value), not the user's DN;
# a DN here would never match a user and the group would appear empty
memberUid: ldap1
memberUid: ldap2
Thanks in advance, Shamika
On 04/12/09 11:25, Shamika Joshi wrote:
Hi,
The gidNumber of a group is its unique identifier, in the same way that a uid is the unique identifier of a user. On a UNIX system, file permissions are usually stored with uids and gids, not user and group names.
So, each group has a gidNumber to uniquely identify it. And each user has a uidNumber to uniquely identify it.
And, each user has a "primary group" - this is their "main" group.
This representation in LDAP objects just mirrors that on a UNIX system: if you look at /etc/passwd, you'll see that one of the fields is a GID. If you run the command "id", its output includes the user's UID, main GID and a list of other groups the user is a member of.
So, yes, all members of a group with gid "4" have the permissions granted to that group. Each user also has the permissions of his "main" group.
Hope this helps, Jonathan
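As an added illustration of what the answer above describes (this is example code, not from the thread or from OpenLDAP), the snippet below resolves a user's effective groups from LDIF the way a client's NSS lookup does: gidNumber on the posixAccount is the primary group, and each posixGroup whose memberUid lists the login name adds a supplementary group. The entries, including the deliberately broken group that stores a DN in memberUid, are constructed sample data.

```python
# Added example, not from the thread. gidNumber on the posixAccount is the
# primary group; posixGroup entries naming the login in memberUid add
# supplementary groups. The LDIF below is constructed sample data.
LDIF = """\
dn: uid=ldap1,ou=Users,dc=test,dc=com
objectClass: posixAccount
uid: ldap1
uidNumber: 10000
gidNumber: 500

dn: cn=qagroup,ou=Groups,dc=test,dc=com
objectClass: posixGroup
cn: qagroup
gidNumber: 4
memberUid: ldap1
memberUid: ldap2

dn: cn=broken,ou=Groups,dc=test,dc=com
objectClass: posixGroup
cn: broken
gidNumber: 600
memberUid: uid=ldap1,ou=Users,dc=test,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, attr -> values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            entry.setdefault(attr.strip(), []).append(val.strip())
        entries.append(entry)
    return entries

def effective_groups(entries, login):
    """Mimic `id <login>`: (uidNumber, primary gid, sorted supplementary gids)."""
    user = next(e for e in entries
                if "posixAccount" in e["objectClass"] and login in e.get("uid", []))
    primary = int(user["gidNumber"][0])   # never overwritten by group entries
    # memberUid must hold the login name; a DN there never matches, so
    # cn=broken contributes nothing (a common cause of "missing" groups).
    supp = {int(g["gidNumber"][0]) for g in entries
            if "posixGroup" in g["objectClass"] and login in g.get("memberUid", [])}
    supp.discard(primary)
    return int(user["uidNumber"][0]), primary, sorted(supp)
```

Running `effective_groups(parse_ldif(LDIF), "ldap1")` yields uid 10000, primary gid 500 and supplementary gid 4 only; the group with a DN in memberUid is silently ignored, which is worth checking when a user unexpectedly lacks access.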
Thanks Jonathan...that really helped!
On Fri, Dec 4, 2009 at 9:04 PM, Jonathan Clarke <jonathan@phillipoux.net> wrote:
--
Jonathan Clarke - jonathan@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org
openldap-technical@openldap.org