[Fedora-directory-users] Re: proper procedure to add a unix group

Steven Bonneville sbonnevi at redhat.com
Wed Aug 17 17:24:40 UTC 2005


Rich Megginson wrote: 

> Igor wrote:
> 
> >Hi, all.  This is probably a dumb question but how do
> >I add a group?  Simply adding a group thru the UI
> >doesn't allow one to specify a GID.  I tried adding an
> >object type "OTHER" and selecting posixGroup.  That
> >seemed to have worked, is that how this is to be done?
> >  
> >
> Yes.
> 
> > Because under company name aci, it shows up with gid
> >number, NOT the group name which is kind of ugly.
> >  
> >
> Right.  A console "group" is a groupOfUniqueNames.  A posixGroup is a 
> unix /etc/groups replacement group.

One cool thing I've noticed while working on research for Red Hat's
RH423 class: it turns out that Red Hat Directory Server allows you 
to assign an entry both the groupOfUniqueNames and posixGroup object 
classes at the same time! 

Strictly speaking this is a schema violation, since they are 
unrelated structural classes, but Directory Server does not enforce 
the rule that there can only be one structural class chain on an 
entry.  Now, the interesting thing is that it's been proposed
(in the expired Internet-Draft draft-howard-rfc2307bis-00.txt) 
that posixGroup be changed to an auxiliary class so that it and 
groupOfUniqueNames can be used together to make this legal.  It
was further proposed that group members can be stored not just as
login names (in memberUid attributes from posixGroup), but ALSO
as DNs of posixAccount entries (in uniqueMember attributes from 
groupOfUniqueNames).

It turns out that the author of the proposal is the developer of 
the nss_ldap package used by Red Hat Enterprise Linux, so nss_ldap 
already supports this.  This means that if there is a directory
entry uid=testuser,ou=people,dc=example,dc=com that's a valid 
posixAccount user, you can define a static group entry with LDIF
like the following:

  dn: cn=unixgroup,ou=groups,dc=example,dc=com
  objectclass: top
  objectclass: groupOfUniqueNames
  objectclass: posixGroup
  cn: unixgroup
  gidNumber: 1701
  uniqueMember: uid=testuser,ou=people,dc=example,dc=com

use system-config-authentication to set up a RHEL client to use 
nss_ldap to look up user information from the directory, and get this:

  [root@example ~]# getent group unixgroup
  unixgroup:x:1701:testuser

  -- Steve Bonneville
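
As an added example (not code from the post, from Red Hat Directory Server or from nss_ldap), the following Python models how an rfc2307bis-aware resolver such as nss_ldap builds the `getent group` line from an entry that carries both object classes: `memberUid` values pass straight through, and each `uniqueMember` DN is resolved to the `uid` of the entry it names, but only when that entry exists and is itself a `posixAccount`. It also includes a check for the two-structural-class combination the post says Directory Server accepts but strict schema checking would reject. The sample LDIF, the extra `cn=svc-monitor` and `uid=ghost` members and the `legacyuser` memberUid are constructed for the demonstration; DN comparison is a simplified lowercase match, not full RFC 4514 normalisation.

```python
"""Added example: model of rfc2307bis-style group resolution over LDIF.
Not from the original post, Directory Server or nss_ldap."""

from __future__ import annotations

# Constructed sample directory: one posixAccount, one non-POSIX entry, and a
# group that stacks groupOfUniqueNames and posixGroup. Two of its uniqueMember
# DNs should contribute nothing: one is not a posixAccount, one does not exist.
SAMPLE_LDIF = """\
dn: uid=testuser,ou=people,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: posixAccount
uid: testuser
uidNumber: 1001
gidNumber: 1701
homeDirectory: /home/testuser

dn: cn=svc-monitor,ou=services,dc=example,dc=com
objectclass: top
objectclass: applicationProcess
cn: svc-monitor

dn: cn=unixgroup,ou=groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
objectclass: posixGroup
cn: unixgroup
gidNumber: 1701
memberUid: legacyuser
uniqueMember: uid=testuser,ou=people,dc=example,dc=com
uniqueMember: cn=svc-monitor,ou=services,dc=example,dc=com
uniqueMember: uid=ghost,ou=people,dc=example,dc=com
"""


def parse_ldif(text: str) -> dict:
    """Parse minimal LDIF (plain 'attr: value' lines, blank-line separated,
    folded continuation lines; no '::' base64 values, no changetype records)
    into {dn_lowercased: {attr_lowercased: [values]}}."""
    entries, current, last_attr = {}, {}, None
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if raw.startswith(" ") and last_attr:   # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():                      # blank line ends an entry
            if current:
                entries[current["dn"][0].lower()] = current
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def has_class(entry: dict, oc: str) -> bool:
    """Case-insensitive objectClass membership test."""
    return oc.lower() in (v.lower() for v in entry.get("objectclass", []))


def login_names(entries: dict, group_dn: str) -> list:
    """Members as login names: memberUid values, plus the uid of every
    uniqueMember DN that resolves to an existing posixAccount. A DN that does
    not resolve, or resolves to a non-posixAccount entry, grants nothing."""
    group = entries[group_dn.lower()]
    names = []
    for uid in group.get("memberuid", []):
        if uid not in names:
            names.append(uid)
    for dn in group.get("uniquemember", []):
        target = entries.get(dn.lower())         # simplified DN match (lowercase only)
        if target is None or not has_class(target, "posixAccount"):
            continue
        for uid in target.get("uid", []):
            if uid not in names:
                names.append(uid)
    return names


def getent_group_line(entries: dict, group_dn: str) -> str:
    """Render the group the way 'getent group' prints it: name:x:gid:members."""
    group = entries[group_dn.lower()]
    return "{}:x:{}:{}".format(group["cn"][0], group["gidnumber"][0],
                               ",".join(login_names(entries, group_dn)))


# Both are structural under RFC 2307 / the core schema; stacking them is the
# combination the post describes, legal only if posixGroup becomes auxiliary.
STRUCTURAL = {"groupofuniquenames", "posixgroup"}


def structural_conflict(entry: dict) -> bool:
    """True when the entry carries both structural classes at once."""
    return STRUCTURAL <= {v.lower() for v in entry.get("objectclass", [])}


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    gdn = "cn=unixgroup,ou=groups,dc=example,dc=com"
    print(getent_group_line(directory, gdn))   # -> unixgroup:x:1701:legacyuser,testuser
    print("structural conflict:", structural_conflict(directory[gdn]))
```

Run it as a script to see the `getent`-style line; the two dangling `uniqueMember` DNs are silently dropped, which is the behaviour to keep in mind when auditing who actually gets a GID from a mixed group: only DNs that resolve to real `posixAccount` entries count.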



