Thanks Jonathan...that really helped!

On Fri, Dec 4, 2009 at 9:04 PM, Jonathan Clarke <[email protected]> wrote:
> On 04/12/09 11:25, Shamika Joshi wrote:
>
>> Hi all,
>> I need some clarification regarding how permissions of members are taken
>> care when they login to a client machine. As I understand "gidNumber"
>> that I give while creating group entry (like "gidNumber" "4" for
>> "qagroup", which refers to "gid" of "adm" group on a linux machine
>> /etc/group), so permissions of that group are assigned to members of
>> "qagroup" i.e. ldap1 & ldap2 when they login to any client. Is that
>> correct?
>>
>> It is confusing because, members ldap1 & ldap2 belong to posixAccount
>> objectclass which also requires gidNumber as required attribute. So does
>> gidNumber values mentioned in member's entry get overwritten by
>> gidNumber attribute inside their group i.e. "qagroup"? What about the
>> case where single member is added to multiple groups? What permissions
>> does the member get when he logs on to particular machine?
>>
>
> Hi,
>
> The gidNumber of a group is its unique identifier, in the same way that a
> uid is the unique identifier of a user. On a UNIX system, file permissions
> are usually stored with uids and gids, not user- and group- names.
>
> So, each group has a gidNumber to uniquely identify it. And each user has a
> uidNumber to uniquely identify it.
>
> And, each user has a "primary group" - this is their "main" group.
>
> This representation in LDAP objects just mirrors that on a UNIX system: if
> you look at /etc/passwd, you'll see that one of the fields is a GID. If you
> run the command "id", its output includes user's UID, main GID and a list
> of other groups the user is a member of.
>
> So, yes, all members of a group with gid "4" have the permissions granted
> to that group. Each user also has the permissions of his "main" group.
>
> Hope this helps,
> Jonathan
>
> --
> --------------------------------------------------------------
> Jonathan Clarke - [email protected]
> --------------------------------------------------------------
> Ldap Synchronization Connector (LSC) - http://lsc-project.org
> --------------------------------------------------------------
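Added example, not part of the original thread: a small model of how a client combines a user's own gidNumber (primary group) with the groups that list the user as a member, and how a file's mode bits are then checked. Only "qagroup", gidNumber 4 and the members ldap1/ldap2 come from the thread; the other entries, the memberUid layout and the function names are assumptions, and root and ACLs are ignored.

```python
# Constructed sample entries shaped like posixAccount / posixGroup objects.
# Only qagroup (gidNumber 4) and members ldap1/ldap2 come from the thread.
USERS = {
    "ldap1": {"uidNumber": 1001, "gidNumber": 1001},  # assumed values
    "ldap2": {"uidNumber": 1002, "gidNumber": 100},   # assumed values
}
GROUPS = {
    "qagroup":  {"gidNumber": 4,    "memberUid": ["ldap1", "ldap2"]},
    "devgroup": {"gidNumber": 2001, "memberUid": ["ldap1"]},  # assumed
}


def effective_gids(user):
    """Return (primary gid, set of all gids), like the output of `id`.

    The primary gid comes from the user's own entry and is never replaced
    by a group's gidNumber; memberships are added on top of it.
    """
    primary = USERS[user]["gidNumber"]
    supplementary = {g["gidNumber"] for g in GROUPS.values()
                     if user in g["memberUid"]}
    return primary, supplementary | {primary}


def may_access(user, file_uid, file_gid, mode, want):
    """Classic UNIX mode check; want is a bitmask (4=read, 2=write, 1=exec).

    Exactly one class applies: owner, else group, else other. An owner
    does not fall through to the group bits even if they grant more.
    """
    uid = USERS[user]["uidNumber"]
    _, gids = effective_gids(user)
    if uid == file_uid:
        bits = (mode >> 6) & 7
    elif file_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want


if __name__ == "__main__":
    for name in USERS:
        primary, gids = effective_gids(name)
        print(name, "primary gid:", primary, "all gids:", sorted(gids))
    # File owned by uid 0, group 4 (qagroup), mode 0640.
    print("ldap1 read:", may_access("ldap1", 0, 4, 0o640, 4))
    print("ldap1 write:", may_access("ldap1", 0, 4, 0o640, 2))
```
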
