
Re: gidNumber attribute inside group & member

Thanks Jonathan...that really helped!

On Fri, Dec 4, 2009 at 9:04 PM, Jonathan Clarke <jonathan@phillipoux.net> wrote:
On 04/12/09 11:25, Shamika Joshi wrote:
Hi all,
I need some clarification regarding how permissions of members are taken
care of when they log in to a client machine. As I understand it, the "gidNumber"
that I give while creating a group entry (like "gidNumber" "4" for
"qagroup", which refers to the "gid" of the "adm" group in a Linux machine's
/etc/group) means the permissions of that group are assigned to the members of
"qagroup", i.e. ldap1 & ldap2, when they log in to any client. Is that correct?

It is confusing because members ldap1 & ldap2 belong to the posixAccount
objectclass, which also requires gidNumber as a required attribute. So do the
gidNumber values mentioned in a member's entry get overwritten by the
gidNumber attribute inside their group, i.e. "qagroup"? What about the
case where a single member is added to multiple groups? What permissions
does the member get when he logs on to a particular machine?


The gidNumber of a group is its unique identifier, in the same way that a uid is the unique identifier of a user. On a UNIX system, file permissions are usually stored with uids and gids, not user and group names.

So, each group has a gidNumber to uniquely identify it. And each user has a uidNumber to uniquely identify it.

And, each user has a "primary group" - this is their "main" group.

This representation in LDAP objects just mirrors that on a UNIX system: if you look at /etc/passwd, you'll see that one of the fields is a GID. If you run the command "id", its output includes the user's UID, main GID and a list of other groups the user is a member of.

So, yes, all members of a group with gid "4" have the permissions granted to that group. Each user also has the permissions of his "main" group.

Hope this helps,

Jonathan Clarke - jonathan@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org
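As an added example that is not part of the original thread, here is how a client-side resolver combines these attributes the way "id" does: the user's own gidNumber stays the primary group, and every posixGroup whose memberUid lists the user is added as a supplementary group, so nothing is overwritten. The LDIF entries are constructed; qagroup's gidNumber 4 comes from the question above, while uidNumber 1001/1002, primary gid 100 and the devgroup with gid 200 are assumed values.

```python
# Constructed sample directory content (not from the original thread).
SAMPLE_LDIF = """\
dn: uid=ldap1,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: ldap1
uidNumber: 1001
gidNumber: 100

dn: uid=ldap2,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: ldap2
uidNumber: 1002
gidNumber: 100

dn: cn=qagroup,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: qagroup
gidNumber: 4
memberUid: ldap1
memberUid: ldap2

dn: cn=devgroup,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: devgroup
gidNumber: 200
memberUid: ldap1
"""


def parse_ldif(text):
    """Parse simple 'attr: value' LDIF (no base64, no line continuations)
    into one {attr: [values]} dict per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def effective_groups(text):
    """Return {uid: (uidNumber, primary gid, sorted list of all gids)}, i.e. the
    numeric part of what `id` prints: primary gid from the user's own gidNumber,
    supplementary gids from every posixGroup whose memberUid lists the uid."""
    entries = parse_ldif(text)
    groups = [e for e in entries if "posixGroup" in e.get("objectClass", [])]
    result = {}
    for user in [e for e in entries if "posixAccount" in e.get("objectClass", [])]:
        uid, primary = user["uid"][0], int(user["gidNumber"][0])
        extra = {int(g["gidNumber"][0]) for g in groups if uid in g.get("memberUid", [])}
        result[uid] = (int(user["uidNumber"][0]), primary, sorted({primary} | extra))
    return result
```

Running `effective_groups(SAMPLE_LDIF)` shows ldap1 with primary gid 100 plus supplementary gids 4 and 200, and ldap2 with primary gid 100 plus gid 4: the group's gidNumber 4 is added to the user's list, never substituted for the user's own gidNumber.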