
Re: strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist?



 > Nonsense. nss_ldap, nss-pam-ldapd, and nssov all support RFC2307bis.

Just to clarify, then, are you saying that if I use RFC2307bis so that
I can define a group that is built from object classes posixGroup and
groupOfNames, and I define the membership of that group using the
groupOfNames member attribute then a Linux system configured to use
LDAP will resolve a user's account name to their full DN for matching
against that group? Are nested groups supported?

If that is the case, where can I find documentation for this, please?

Regards

Philip


On 24 February 2014 14:27, Howard Chu <hyc@symas.com> wrote:
> Philip Colmer wrote:
>>
>> This was an area where I also got stuck when researching this last year.
>> My conclusions were:
>>
>> 1. UNIX needs group membership to be UIDs and not DNs, so attempts to use
>> a class that defines members with DNs are likely to fail.
>
>
> Nonsense. nss_ldap, nss-pam-ldapd, and nssov all support RFC2307bis.
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/