On Fri, 2006-07-21 at 19:28 +1000, Alexander Samad wrote:
> On Wed, Jul 19, 2006 at 11:01:53AM -0400, Adam Tauno Williams wrote:
> > > >> Are there any recommendations should I use posixGroup or
> > > >> groupOfUniqueNames for new installations?
> > > > Neither! Use "groupOfNames"; "groupOfUniqueNames" is not what you think
> > > > it is.
> > That is because of the tantalizing name "groupOfUniqueNames",  making
> > you think that names in "groupOfNames" are not unique.    But of course
> > they are, LDAP doesn't support redundant values in an attribute (AFAIK).
> > But "member" (groupOfNames) is of type "distinguishedName" and
> > "uniqueMember" (groupOfUniqueNames) is
> > "1.3.6.1.4.1.1466.115.121.1.34" (which means "Name And Optional UID").
> > http://www.alvestrand.no/objectid/1.3.6.1.4.1.1466.115.121.1.34.html
> > uniqueMember is almost certainly not what you want.
> > > Hmmm...  Interesting, searching via google mostly returned references
> > > suggesting most of the folks out there (and therefore tools they are
> > > using) utilize groupOfUniqueNames.  However, I might be wrong.
> > We used to use groupOfUniqueNames until we realized the error and
> > switched to groupOfNames.  But groupOfNames is the correct objectclass
> > for a group defined as a collection of DNs.
> > > Anyhow, if using either groupOfNames or groupOfUniqueNames, how about
> > > gidNumber attribute from posixGroup?  I guess nss_ldap is not going to
> > > work without it.  What would be the best way to add that attribute?
> > > Other than defining my custom object classes or using extensibleObject
> > > (obviously you do not recommend those two approaches)?
> > In rfc2307bis.schema posixGroup is AUXILIARY.
> > objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
> >   DESC 'Abstraction of a group of accounts'
> >   MUST gidNumber
> >   MAY ( userPassword $ memberUid $
> >         description ) )
> in my schema posixGroup is a structural ( openldap on debian), what is
> rfc2307bis.schema ??


The 2307BIS schema is basically just a modification of the 2307 schema
where posixGroup is auxiliary.  BIS, which also has to be supported by
the consumer (aka NSS_LDAP), allows you to use groups of DNs to represent
posixGroups rather than groups of memberUids.  In the case of NSS_LDAP
the NSS library also maintains a cache of DN->uid lookups (called the
dn2uid cache) in a db file to speed things up.  Since PAM & NSS LDAP are
made by PADL.COM, they produce the rfc2307bis.schema file.

See http://www.padl.com/Contents/Documentation.html , specifically
http://www.ietf.org/internet-drafts/draft-howard-rfc2307bis-01.txt
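As an added illustration (not part of the thread), here is what the combination discussed above looks like in LDIF once rfc2307bis.schema is loaded: a structural groupOfNames entry that also carries the AUXILIARY posixGroup class for gidNumber, followed by a groupOfUniqueNames entry showing why uniqueMember values are not plain DNs. The base DN, group names and user DNs are constructed for the example.

```ldif
# Added example, not from the thread. Assumes rfc2307bis.schema (posixGroup
# AUXILIARY) is loaded; with the stock nis.schema posixGroup is STRUCTURAL
# and a second structural class on the entry is rejected by the server.
dn: cn=sysadmins,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
cn: sysadmins
description: Constructed example group (groupOfNames + auxiliary posixGroup)
# gidNumber is MUST in posixGroup; this is what nss_ldap needs for the group.
gidNumber: 10001
# 'member' has DN syntax (1.3.6.1.4.1.1466.115.121.1.12): each value is a
# plain distinguished name, matched with distinguishedNameMatch.
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
# memberUid is MAY in posixGroup; an rfc2307bis-aware nss_ldap resolves the
# member DNs through its dn2uid cache instead, but keeping memberUid lets
# consumers that only understand plain RFC 2307 still see the membership.
memberUid: alice
memberUid: bob

# For contrast: 'uniqueMember' uses syntax 1.3.6.1.4.1.1466.115.121.1.34
# (Name And Optional UID). The DN may be followed by '#' and a bit string,
# so the two values below name the same entry yet are distinct attribute
# values, and a consumer comparing them as DNs will not treat them as equal.
dn: cn=legacy,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: legacy
description: Constructed example showing the optional UID suffix
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: uid=alice,ou=people,dc=example,dc=com#'0101'B
```

A quick check before switching schemas on a live directory is to load this with ldapadd against a test server: the first entry is accepted only when posixGroup is auxiliary, which tells you whether the server side of the rfc2307bis change is in place.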
