
RE: posixGroup/groupOfUniqueNames - schema defs and choices



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Tarjei Huse

> b) Can someone offer me some tips on how I might reduce the number of
> objectclasses I need per group or how I can set the objects
> so I will not need
> to modify the schemas that come with OL?

Since it appears you're using the RFC2307bis definition of posixGroup, which
uses DNs instead of usernames for its member list, you can omit the
groupOfUniqueNames objectclass; it's not giving you any additional
functionality.

I personally would not have defined this sambamember attribute type for the
sambaGroup objectclass. Including the member's RID may be convenient for some
lookups but introducing redundant information into a data store is really
nasty from a management/maintenance perspective. Groups should simply contain
lists of member DNs, and anything you need to know about individual members
should be looked up separately. In particular, using member lists with
unqualified names is always a bad idea, as RFC2307 demonstrated. Any static
reference that forces you to do a filtered search for a single object, rather
than directly looking up the object by DN, is a performance loss. As soon as
you run across multiple NT domains in a single forest you're going to wish
you had a way to disambiguate these simple names in your groups, and the
proper thing is to use DNs from the very beginning. (Yes, this is personal
experience talking, "been there, done that.")

> Example ldif:
> dn: cn=Domain Admins, ou=NTGroups, <base>
> rid: 200
> objectclass: posixGroup
> objectclass: top
> objectclass: sambaGroup
> objectclass: groupOfUniqueNames
> sambamember: Administrator, 1f4, 1
> <more sambamembers>
> ntuid: Domain Admins
> cn: Domain Admins
> gidnumber: 200
> userpassword: {crypt}x
> uniquemember: uid=root,ou=People,<base>
> uniquemember: uid=tarjei,ou=Brukere,<base>
> uniquemember: uid=Administrator, ou=Ntoperators, <base>
> uniquemember: uid=jonas,ou=Brukere,<base>
> uniquemember: cn=samba,ou=People, <base>

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
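As an added illustration of the reply's point (this is example code, not from the thread or from OpenLDAP), a small linter that parses a group entry in the LDIF form quoted above and flags member values that are not DNs, which a server can only resolve with a filtered search, plus the groupOfUniqueNames/posixGroup overlap. The sample entry is constructed from the quoted LDIF with `<base>` replaced by the placeholder suffix `dc=example`; treating `sambamember` as a member-list attribute is an assumption drawn from that LDIF.

```python
from typing import Dict, List

# Constructed sample: the quoted entry with <base> replaced by dc=example.
SAMPLE_LDIF = """\
dn: cn=Domain Admins, ou=NTGroups, dc=example
rid: 200
objectclass: posixGroup
objectclass: top
objectclass: sambaGroup
objectclass: groupOfUniqueNames
sambamember: Administrator, 1f4, 1
ntuid: Domain Admins
cn: Domain Admins
gidnumber: 200
uniquemember: uid=root,ou=People,dc=example
uniquemember: uid=Administrator, ou=Ntoperators, dc=example
"""

# Attributes that list group members; sambamember is site-specific (assumed).
MEMBER_ATTRS = ("member", "uniquemember", "memberuid", "sambamember")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one 'attr: value' LDIF entry into a lowercased attribute map.
    Base64 ('::') values and continuation lines are not handled."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def is_dn(value: str) -> bool:
    """True when every comma-separated component looks like an RDN (type=value)."""
    return all("=" in part for part in value.split(","))


def lint_group(attrs: Dict[str, List[str]]) -> List[str]:
    """Report member values that are not DNs (they need a filtered search and
    cannot be disambiguated across domains) and the redundant objectclass."""
    findings: List[str] = []
    for name in MEMBER_ATTRS:
        for value in attrs.get(name, []):
            if not is_dn(value):
                findings.append(f"{name}: {value!r} is not a DN")
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if {"posixgroup", "groupofuniquenames"} <= classes:
        findings.append("groupOfUniqueNames present alongside posixGroup; the reply suggests dropping it")
    return findings
```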