On Fri, Jul 21, 2006 at 06:15:51AM -0400, Adam Tauno Williams wrote:
> On Fri, 2006-07-21 at 19:28 +1000, Alexander Samad wrote:
> > On Wed, Jul 19, 2006 at 11:01:53AM -0400, Adam Tauno Williams wrote:
> > > > >> Are there any recommendations should I use posixGroup or
> > > > >> groupOfUniqueNames for new installations?
> > > > > Neither! Use "groupOfNames"; "groupOfUniqueNames" is not what you
> > > > > think it is.
> > > That is because of the tantalizing name "groupOfUniqueNames", making
> > > you think that names in "groupOfNames" are not unique. But of course
> > > they are, LDAP doesn't support redundant values in an attribute (AFAIK).
> > > But "member" (groupOfNames) is of type "distinguishedName" and
> > > "uniqueMember" (groupOfUniqueNames) is
> > > "1.3.6.1.4.1.1466.115.121.1.34" (which means "Name And Optional UID").
> > > http://www.alvestrand.no/objectid/1.3.6.1.4.1.1466.115.121.1.34.html
> > > uniqueMember is almost certainly not what you want.
> > > > Hmmm... Interesting, searching via google mostly returned references
> > > > suggesting most of the folks out there (and therefore tools they are
> > > > using) utilize groupOfUniqueNames. However, I might be wrong.
> > > We used to use groupOfUniqueNames until we realized the error and
> > > switched to groupOfNames. But groupOfNames is the correct objectclass
> > > for a group defined as a collection of DNs.
> > > > Anyhow, if using either groupOfNames or groupOfUniqueNames, how about
> > > > gidNumber attribute from posixGroup? I guess nss_ldap is not going to
> > > > work without it. What would be the best way to add that attribute?
> > > > Other than defining my custom object classes or using extensibleObject
> > > > (obviously you do not recommend those two approaches)?
> > > In rfc2307bis.schema posixGroup is AUXILIARY.
> > >
> > > objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
> > >     DESC 'Abstraction of a group of accounts'
> > >     MUST gidNumber
> > >     MAY ( userPassword $ memberUid $ description ) )
> >
> > In my schema posixGroup is structural (openldap on debian). What is
> > rfc2308bis.schema?
>
> The 2307BIS schema is basically just a modification of the 2307 schema
> where posixGroup is auxiliary. BIS, which also has to be supported by
> the consumer (aka NSS_LDAP), allows you to use groups of DNs to represent
> posixGroups rather than groups of memberuids. In the case of NSS_LDAP
> the NSS library also maintains a cache of DN->uid lookups (called the
> dn2uid cache) in a db file to speed things up. Since PAM & NSS LDAP are
> made by PADL.COM, they produce the rfc2307bis.schema file.
>
> See http://www.padl.com/Contents/Documentation.html , specifically
> http://www.ietf.org/internet-drafts/draft-howard-rfc2307bis-01.txt

Hi,

Thanks for that. In my searching for this I found that, because it was a
draft and it hadn't been updated, it had lapsed?

Alex

> ---
> You are currently subscribed to [email protected] as: [EMAIL PROTECTED]
> To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as
> the SUBJECT of the message.
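The two points made in the thread, that uniqueMember carries a "Name And Optional UID" value rather than a plain DN, and that rfc2307bis makes posixGroup AUXILIARY so gidNumber can ride on a groupOfNames, are easy to get wrong in tooling that checks group membership or generates group entries. The following is an added example written for this page, not code from the thread's participants or from PADL: it splits a uniqueMember value into its DN and optional bit-string UID per the syntax the thread names, compares DNs with a simple normalization so the UID suffix does not hide a member, and emits an LDIF entry in the rfc2307bis style (groupOfNames plus auxiliary posixGroup). The base DN, user names and the sample uniqueMember values are constructed for the demo; the LDIF assumes a directory that has loaded rfc2307bis.schema, since under the stock RFC 2307 schema (structural posixGroup) the same entry would be an object class violation.

```python
import re

# Syntax 1.3.6.1.4.1.1466.115.121.1.34 ("Name And Optional UID"):
#   NameAndOptionalUID = distinguishedName [ "#" BitString ]
#   BitString          = "'" *("0" / "1") "'" "B"
# A uniqueMember value may therefore be a DN followed by #'0101'B, which is
# why a naive string comparison against a bare DN misses the member.
_UID_SUFFIX = re.compile(r"^(?P<dn>.*)#(?P<uid>'[01]*'B)$")


def parse_name_and_optional_uid(value):
    """Split a uniqueMember value into (dn, uid); uid is None when absent."""
    m = _UID_SUFFIX.match(value)
    if m:
        return m.group("dn"), m.group("uid")
    return value, None


def normalize_dn(dn):
    """Minimal DN normalization for comparison: case-fold, drop spaces around commas.
    Full DN matching (RFC 4517 distinguishedNameMatch) is more involved; this is
    enough to show why comparisons must not be done on the raw string."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def naive_is_member(member_values, dn):
    """The mistake: raw string equality against the attribute values."""
    return dn in member_values


def dn_is_member(member_values, dn, attr="uniqueMember"):
    """True if dn is listed. For uniqueMember the optional UID suffix is
    stripped first; for member (groupOfNames) values are already plain DNs."""
    target = normalize_dn(dn)
    for value in member_values:
        listed = parse_name_and_optional_uid(value)[0] if attr == "uniqueMember" else value
        if normalize_dn(listed) == target:
            return True
    return False


def group_ldif(cn, gid_number, members, base="dc=example,dc=com"):
    """LDIF for a group of DNs that nss_ldap can also resolve as a POSIX group:
    groupOfNames (MUST member) with the rfc2307bis AUXILIARY posixGroup
    (MUST gidNumber). Requires rfc2307bis.schema on the server (assumption)."""
    if not members:
        raise ValueError("groupOfNames requires at least one member")
    lines = [
        f"dn: cn={cn},ou=groups,{base}",
        "objectClass: groupOfNames",
        "objectClass: posixGroup",
        f"cn: {cn}",
        f"gidNumber: {gid_number}",
    ]
    lines += [f"member: {m}" for m in members]
    return "\n".join(lines) + "\n"


# Constructed sample data: alice is listed with an optional UID, bob without.
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
UNIQUE_MEMBERS = [ALICE + "#'0101'B", BOB]


if __name__ == "__main__":
    print(parse_name_and_optional_uid(UNIQUE_MEMBERS[0]))
    print("naive:", naive_is_member(UNIQUE_MEMBERS, ALICE))
    print("syntax-aware:", dn_is_member(UNIQUE_MEMBERS, "UID=Alice, ou=people, dc=example, dc=com"))
    print(group_ldif("developers", 10001, [ALICE, BOB]))
```

The LDIF function is the constructive side of the advice in the thread: keep the group as a collection of DNs in member, and get gidNumber from the auxiliary posixGroup instead of from extensibleObject or a custom object class.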
