Date: Wed, 22 Aug 2007 10:28:40 +0200 From: "Patrick M. Hausen" <hausen@punkt.de> To: Ulrich Spoerlein <uspoerlein@gmail.com> Cc: freebsd-stable@freebsd.org, Richard Foulkes <rbsfou@yahoo.co.uk> Subject: Re: pam_group vs. multiple group lines Message-ID: <20070822082840.GB74165@hugo10.ka.punkt.de> In-Reply-To: <7ad7ddd90708220053k147f4c5cq87430a4ee897180d@mail.gmail.com> References: <20070821195043.GA1464@roadrunner.spoerlein.net> <A77859AB-FF17-4FBA-8B2C-462B129D84A3@mac.com> <64A1102C-0697-4C4D-AF3B-B1F2ED224792@yahoo.co.uk> <1D83A750-03FD-49EF-B99D-BA9B7F7E7BD0@mac.com> <7ad7ddd90708220053k147f4c5cq87430a4ee897180d@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi, all! On Wed, Aug 22, 2007 at 09:53:42AM +0200, Ulrich Spoerlein wrote: > On 8/22/07, Chuck Swiger <cswiger@mac.com> wrote: > > On Aug 21, 2007, at 2:02 PM, Richard Foulkes wrote: > > > Ok, so how are you supposed to control membership of the wheel > > > group via ldap? Ok, you COULD remove the local wheel entry in /etc/ > > > group, but this would probably be a bad idea if the ldap server > > > were unavailable. > > > > You've aptly summarized my thoughts on the matter-- I would not rely > > on LDAP to provide information about root or the wheel group. > > That is exactly the gist of my question. Of course I know that a group > oneliner is the way to go. However, I saw people suggest splitting > groups into multiple lines, if the lines are too long or too many > groups per line (something to do with the /etc/group parser, I guess). > > Anyway, I want the LDAP groups to *augment* system groups. Removing > wheel from /etc/group and relying on a complex network service .... > not funny. I've only followed this thread loosely, so I apologize if this has already been stated or if I'm completely missing the point, but here goes: We do not use LDAP yet, but have been using NIS in our internal office network for years. If you use the magic "+" token to merge your NIS database with the static files for passwd and group information, then _if_ the group entry in the static file does not contain any users _then_ the information from NIS is merged in So you can keep a "wheel" group around as the _primary_ group for root, toor, whatnot ... and all the additional members that have "wheel" as an auxiliary group come from NIS. Possibly this works for LDAP, too? IMHO at least it should ;-)) Kind regards, Patrick -- punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe Tel. 0721 9109 0 * Fax 0721 9109 100 info@punkt.de http://www.punkt.de Gf: Jürgen Egeling AG Mannheim 108285
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070822082840.GB74165>