Re: Types of Groups, Structural objects and Inheritance

Michael Ströder wrote:
> Brendan Kearney wrote:
>> As a caveat to my ACLs, most of my groups are the posixGroup class.
>> From what I understand, that means I need to use set ACLs, instead of
>> group ACLs.
>
> I guess you're talking about RFC2307 vs. RFC2307bis posixGroup definition.
>
>> In my searching, I have found an explicit reason to keep using the
>> posixGroup type, as NFSv4 ACLs can only use posixGroup types of groups.
>> The dependency is because of the use of memberUid attributes.
>
> Well, so I'll keep my custom hybrid group schema for now:
>
> objectclass ( some-custom-oid-here
>    NAME 'hybridPosixGroup'
>    DESC 'Group for mixed group schema RFC 2307 and RFC 2307bis'
>    SUP ( groupOfNames $ posixGroup ) )
>
> The caveat is that you have to synchronously maintain attributes 'member' and
> 'memberUID'. In my deployments web2ldap does that for me.

There is no reason to maintain both. pam_ldap/nss_ldap both support RFC2307bis natively, as do nssov and nss-pam-ldapd.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
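
The synchronisation caveat raised in this thread for hybrid groups, as an added example that is not part of the original messages and is not code from web2ldap or OpenLDAP: a small audit that reports groups whose 'member' and 'memberUid' values have drifted apart, so that ACLs evaluated through one attribute and file permissions resolved through the other do not silently disagree. It assumes member DNs of the form uid=<login>,... and case-insensitive login comparison; the LDIF entries, DNs and function names are constructed for illustration.

```python
# Added example: audit hybrid groups for drift between 'member' and 'memberUid'.
# Assumptions: member DNs look like uid=<login>,... (no escaped commas in the
# first RDN) and logins compare case-insensitively. The LDIF is constructed.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: hybridPosixGroup
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
memberUid: alice
memberUid: carol

dn: cn=staff,ou=groups,dc=example,dc=com
objectClass: hybridPosixGroup
member: uid=dave,ou=people,dc=example,dc=com
memberUid: dave
"""

def parse_ldif(text):
    """Parse simple LDIF (no line wrapping, no base64) into {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs["dn"][0]] = attrs
    return entries

def uid_from_dn(dn):
    """Return the login from a uid=<login>,... DN, or None for other RDN types."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip().lower() if attr.strip().lower() == "uid" else None

def membership_drift(entries):
    """Map each group DN to the logins found in only one of the two attributes."""
    report = {}
    for dn, attrs in entries.items():
        by_dn = {u for u in map(uid_from_dn, attrs.get("member", [])) if u}
        by_uid = {u.lower() for u in attrs.get("memberuid", [])}
        if by_dn != by_uid:
            report[dn] = {"member_only": sorted(by_dn - by_uid),
                          "memberUid_only": sorted(by_uid - by_dn)}
    return report

if __name__ == "__main__":
    for dn, diff in membership_drift(parse_ldif(SAMPLE_LDIF)).items():
        print(dn, diff)
```

Run against an export of the group subtree, an empty report means both attributes name the same set of logins for every group.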