
Re: users, groups, etc. for posix authentication?

On 1/5/2011 17:01, Howard Chu wrote:
Christ Schlacta wrote:
Is there any reason that POSIX usernames, groups, passwords, etc. must
be stored in distinct locations in a directory?  I realize this mostly
applies to the padl pam/nis and the libnsspam-ldapd module specific.

Can they be stored in other structures effectively and usefully?  Can
they be stored on a department-by-department basis, or in any other
organizational scheme?  (ou=arbitrary1,dc=... having groups and users,
while ou=arb2,ou=arb3,dc=... also has users and groups?)  If a scheme
like the above is used, will all users and groups be available on a
system?  Must they be free of naming conflicts, or will
group=users,ou=arbitrary1,... be different from
group=users,ou=arb2,ou=arb3,... ?  If they're different, how would this
be indicated by the systems?

A POSIX system considers usernames to be a flat namespace. If you store them in separate branches of a directory, you create the possibility of having duplicate names in separate branches, and the base OS will not be able to handle that.

This question has nothing to do with LDAP and has no place on this forum.

In fact your answer is perfect and sufficiently answers all the questions. If the underlying operating system doesn't support it, then LDAP can't be used for it. Thank you :)
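
The flat-namespace point in the reply above can be checked against a directory export. The following is an added example, not part of the original thread: it scans an LDIF dump for account and group names that appear under more than one branch. The sample LDIF, the `dc=example,dc=com` suffix and the function names are constructed for illustration, and it assumes the usual `posixAccount`/`uid` and `posixGroup`/`cn` naming.

```python
from collections import defaultdict

# Constructed sample LDIF (not from the thread), trimmed to the attributes checked.
SAMPLE_LDIF = """\
dn: uid=alice,ou=arbitrary1,dc=example,dc=com
objectClass: posixAccount
uid: alice

dn: uid=alice,ou=arb2,ou=arb3,dc=example,dc=com
objectClass: posixAccount
uid: alice

dn: uid=bob,ou=arb2,ou=arb3,dc=example,dc=com
objectClass: posixAccount
uid: bob

dn: cn=users,ou=arbitrary1,dc=example,dc=com
objectClass: posixGroup
cn: users

dn: cn=users,ou=arb2,ou=arb3,dc=example,dc=com
objectClass: posixGroup
cn: users
"""

# Attribute that the OS sees as the flat name for each object class.
NAME_ATTR = {"posixaccount": "uid", "posixgroup": "cn"}

def parse_ldif(text):
    """Yield entries as {lowercased attr: [values]}; plain 'attr: value' lines only."""
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr.lower()].append(value)
        yield entry

def find_name_collisions(text):
    """Return {(object class, name): [DNs]} for names held by more than one entry."""
    seen = defaultdict(list)
    for entry in parse_ldif(text):
        for oc in {c.lower() for c in entry["objectclass"]} & NAME_ATTR.keys():
            for name in entry[NAME_ATTR[oc]]:
                seen[(oc, name)].append(entry["dn"][0])
    return {key: dns for key, dns in seen.items() if len(dns) > 1}

if __name__ == "__main__":
    for (oc, name), dns in find_name_collisions(SAMPLE_LDIF).items():
        print(f"{oc} name {name!r} is ambiguous: {' | '.join(dns)}")
```

The parser does not handle base64 (`attr:: value`) or folded LDIF lines, so a real export may need unfolding before it is checked.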