For historic reasons, we store our /etc/group assignments in an Oracle database - this data was used to generate /etc/group files and later used to populate our LDAP group attributes. Being an AFS shop, we did not have a lot of need for /etc/group control at the user level, but some access control (authorization to sign on to private machines) which used to rely on PTS groups broke in some upgrade in the distant past, so we added a job that nightly synchronizes the entries in selected /etc/group entries with the membership in PTS groups (easy to delegate).
Later on we reversed the process, so that membership in selected /etc/group entries is mapped to PTS groups. This was to support a software licensing system: the user goes to a secure web page, agrees to certain conditions, and is granted a license for a short time (generally measured in days). This results in their account being added to a particular Unix group (which is mostly irrelevant; it just was a data structure we had readily available in the database), and this is then synchronized with the appropriate PTS group (this is in close to real time, usually within seconds), and email is generated that tells them they can go download their software. A few days or weeks later, their download license expires, and they are deleted from the PTS group (and /etc/group, but that doesn't matter).

All that being said, I hope you can find a script that does what you need without all of this additional overhead. Starting from scratch, just attempting to solve your particular request, I would not design it the way we do it. Given our history, other projects, and organizational constraints (I did not have access to the web servers, but I could add secure applications that talked to the database, and I already had database-driven applications that talked to PTS), this approach allowed me to provide the service quickly, using existing tools in my control. Although I am willing to share code, it is NOT packaged in a format where you can just drop it in and run it, and you need an Oracle database (although you can get a small Oracle database for "free", you still need to administer it). Some aspects of this project date back 15 years (how many lifetimes is that in software terms?) and need to be revised if not completely rewritten.

Alternately, can you put your problem in the greater context of group management as part of a more general Identity Management (IdM) project? You may find that the interface that can populate PTS groups (i.e., based on major, course enrollment, department affiliation, special project) can also read back the membership of PTS groups, and interact with other group management systems (/etc/group, LDAP, Active Directory, badge-reading systems (yes, membership in PTS groups can unlock doors for you on our campus, albeit given some delays for cron jobs to synchronize things), SMTP groups), and turn your problem into simply adding a mapping table and a few lines of PL/SQL (or equivalent).

Jon Finke - Senior Systems Programmer - CMT - RPI
518 276 8185 (voice) - 518 276 2809 (fax) - http://www.rpi.edu/~finkej

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stephen Joyce
Sent: Friday, August 31, 2007 12:37 AM
To: [email protected]
Subject: [OpenAFS] pts groups -> unix groups

I'm installing a new workstation for a group of my users and it has a large direct attached raid... I'd rather they store their data in AFS, but the quantity of data and their required transfer rates dictate the DAS, so I agree with their decision.

Anyway, to control access to their data, they're going to want unix groups with similar levels of granularity and end-user configurability that they're used to with AFS PTS groups. Does anyone have a solution to use AFS PTS group memberships for unix groups?

My first impulse was to regenerate /etc/group periodically with userlists obtained from PTS group memberships. Has anyone written such a script already? It actually seems that there should be an easier solution. Is there a way to use PTS groups from nsswitch.conf directly? This seems like a problem that someone has likely solved before, so I wanted to ask before re-solving it. (Actually, it'd be nice if I could store the groups in ldap and have both AFS and unix be able to use them.)

Cheers, Stephen

--
Stephen Joyce
Systems Administrator
PANIC (Physics & Astronomy Network Infrastructure and Computing)
Physics & Astronomy Department
University of North Carolina at Chapel Hill
voice: (919) 962-7214
fax: (919) 962-0480
http://www.panic.unc.edu

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
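The "regenerate /etc/group periodically from PTS membership" idea raised in the question, and the nightly PTS-to-/etc/group sync described in the reply, as an added example that is neither poster's code: it parses the output of `pts membership <group>` and rewrites only the member field of an already existing /etc/group entry, so the script never invents a GID or a group, and member names that would corrupt the colon-delimited file are skipped. The pts output, the group file and the PTS-to-Unix group mapping below are constructed for the example.

```python
import re

# Constructed sample of `pts membership <group>` output (not captured from a real cell).
SAMPLE_PTS_OUTPUT = """Members of physics:raid-users (id: -512) are:
  sjoyce
  alice
  bob@other.cell
  bad:name
"""

# Constructed sample of /etc/group (not from any real host).
SAMPLE_ETC_GROUP = """root:x:0:
wheel:x:10:sjoyce
raid-users:x:2001:alice,carol
audio:x:63:
"""

# Assumed mapping of PTS group -> Unix group. Only groups listed here are touched,
# and the GID always comes from the existing file, never from this script.
GROUP_MAP = {"physics:raid-users": "raid-users"}
# A ':' or whitespace inside a member name would corrupt the colon-delimited file.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._@-]+$")

def parse_pts_membership(text):
    """Return the safe member names from `pts membership <group>` output."""
    members = []
    for line in text.splitlines():
        if not line.startswith("  "):      # header line: "Members of ... are:"
            continue
        name = line.strip()
        if SAFE_NAME.match(name):
            members.append(name)           # unsafe names are dropped, not escaped
    return members

def sync_group_file(group_text, unix_name, members):
    """Rewrite the member field of one existing group entry; never create a group."""
    out, found = [], False
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == unix_name:
            fields[3] = ",".join(sorted(set(members)))   # PTS is authoritative
            found = True
        out.append(":".join(fields))
    if not found:
        raise KeyError(f"{unix_name} is not in /etc/group; refusing to create it")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(sync_group_file(SAMPLE_ETC_GROUP, GROUP_MAP["physics:raid-users"],
                          parse_pts_membership(SAMPLE_PTS_OUTPUT)), end="")
```

In a cron job the text would come from running `pts membership <group>` for each mapped group, and the result should be written to a temporary file and renamed over /etc/group so a half-written file is never visible.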
