[389-users] posixGroup

John A. Sullivan III jsullivan at opensourcedevel.com
Thu May 21 13:46:13 UTC 2009


On Thu, 2009-05-21 at 15:28 +0200, Michael Ströder wrote:
> John A. Sullivan III wrote:
> > On Thu, 2009-05-21 at 18:07 +0600, Dmitry Amirov wrote:
> >> Hello.
> >>
> >> My question is simple. I need to create a unix group. If I try to do this
> >> via New->Group, then I can't see posixGroup. So I can add posixGroup
> >> only manually by adding needed attributes. But I want to add via console
> >> such as I can add a new user.
> > <snip>
> > If I correctly understand what you want, what I typically do is create
> > the group, click on Advanced and add the posixgroup attribute.  I then
> > simply add users who have previously had the posixAccount attribute
> > added to their definition.
> 
> I think instead of "add attribute" you meant to say "add auxiliary
> object class".
> 
> But please note that the object classes groupOfNames/groupOfUniqueNames
> and posixGroup are all defined as STRUCTURAL. Strictly speaking in the
> spirit of LDAPv3 compliance an entry can only have exactly one
> STRUCTURAL object class (including the inherited STRUCTURAL object
> classes). Although the 389 DS does not prevent you from creating an
> entry like this
> 
> objectClass: groupOfUniqueNames
> objectClass: posixGroup
> 
> you shouldn't do that since it might lead to interop problems.
> 
> >  I also find in RedHat style systems that I
> > need to add the posixgroup attribute to the users. 
> 
> ???
> 
> 'posixGroup' is an auxiliary object class containing the members' 'uid'
> value in its multi-valued attribute 'memberUid'. Despite the issues with
> STRUCTURAL I don't see any reason to add this object class to a person
> or account entry anyway.
> 
> Ciao, Michael.
<snip>
Thanks very much for the clarification as I am (obviously) LDAP
ignorant.  Yes, I did mean add an objectclass.  Unfortunately, I think
we're a bit stuck because of RedHat's (useful) use of user groups.
Since most of the user directory files are owned by a group with the
same name as the user, I have major issues if I do not do this.  I
suppose the correct solution would be to create a group of the same name
but then we hit potential problems with non-unique cn if we match uid
and cn and preserve uniqueness.  What do others do? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
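
Added example, not part of the original thread: because 389 DS accepts entries that carry more than one unrelated STRUCTURAL object class, an LDIF export can be linted for them before they cause interop problems. The schema table, the sample entries and the function names are assumptions made for illustration; in practice the class kinds and superiors should be read from the server's own schema.

```python
# Assumed schema table (kind, superior); posixGroup is STRUCTURAL as the thread states.
SCHEMA = {
    "top": ("ABSTRACT", None),
    "person": ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson"),
    "groupOfNames": ("STRUCTURAL", "top"),
    "groupOfUniqueNames": ("STRUCTURAL", "top"),
    "posixGroup": ("STRUCTURAL", "top"),
    "posixAccount": ("AUXILIARY", "top"),
}
LOOKUP = {name.lower(): name for name in SCHEMA}  # class names are case-insensitive

# Constructed sample data, not taken from the thread.
SAMPLE = """\
dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: posixGroup

dn: cn=ops,ou=Groups,dc=example,dc=com
objectClass: posixgroup

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: person
objectClass: posixAccount
"""

def ancestors(name):
    """Superior classes of `name`, walking SUP links up to top."""
    chain, sup = [], SCHEMA[name][1]
    while sup:
        chain.append(sup)
        sup = SCHEMA[sup][1]
    return chain

def structural_conflicts(ldif):
    """Map dn -> unrelated STRUCTURAL classes (no line folding or base64 support)."""
    findings = {}
    for block in ldif.strip().split("\n\n"):
        pairs = [line.partition(":")[::2] for line in block.splitlines()]
        dn = next((v.strip() for a, v in pairs if a.lower() == "dn"), None)
        names = {v.strip().lower() for a, v in pairs if a.lower() == "objectclass"}
        structural = {LOOKUP[n] for n in names
                      if n in LOOKUP and SCHEMA[LOOKUP[n]][0] == "STRUCTURAL"}
        # A class inherited by another listed class belongs to the same chain.
        leaves = sorted(structural - {a for c in structural for a in ancestors(c)})
        if dn and len(leaves) > 1:
            findings[dn] = leaves
    return findings
```

Object classes missing from the table are ignored, so an incomplete table under-reports rather than raising false findings.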




