Re: pam_group vs. multiple group lines

Hi, all!

On Wed, Aug 22, 2007 at 09:53:42AM +0200, Ulrich Spoerlein wrote:
> On 8/22/07, Chuck Swiger <cswiger@xxxxxxx> wrote:
> > On Aug 21, 2007, at 2:02 PM, Richard Foulkes wrote:
> > > Ok, so how are you supposed to control membership of the wheel
> > > group via ldap? Ok, you COULD remove the local wheel entry in /etc/
> > > group, but this would probably be a bad idea if the ldap server
> > > were unavailable.
> >
> > You've aptly summarized my thoughts on the matter-- I would not rely
> > on LDAP to provide information about root or the wheel group.
>
> That is exactly the gist of my question. Of course I know that a group
> one-liner is the way to go. However, I saw people suggest splitting
> groups into multiple lines, if the lines are too long or too many
> groups per line (something to do with the /etc/group parser, I guess).
>
> Anyway, I want the LDAP groups to *augment* system groups. Removing
> wheel from /etc/group and relying on a complex network service ....
> not funny.

I've only followed this thread loosely, so I apologize if this has
already been stated or if I'm completely missing the point, but
here goes:

We do not use LDAP yet, but have been using NIS in our internal
office network for years. If you use the magic "+" token to merge
your NIS database with the static files for passwd and group
information, then

_if_ the group entry in the static file does not contain any users
_then_ the information from NIS is merged in

So you can keep a "wheel" group around as the _primary_ group
for root, toor, whatnot ... and all the additional members
that have "wheel" as an auxiliary group come from NIS.

Possibly this works for LDAP, too? IMHO at least it should ;-))

Kind regards,
Patrick
--
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@xxxxxxxx http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285
_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"
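The "+" merge rule Patrick describes above, worked through as an added example (this is not code from the thread or from FreeBSD): a small Python model that applies the rule to constructed /etc/group and NIS group data and then reports who ends up in wheel, both with the directory available and with it unreachable. The merge rule coded here is the one stated in the post (a "+" line pulls NIS groups in; an NIS entry for a name that already exists locally only contributes members when the local entry lists none); whether a given libc's compat mode behaves exactly this way should be confirmed against group(5) and nsswitch.conf(5) on the system in question. All group names and members are constructed sample data.

```python
"""Model of the NIS "+" merge rule for /etc/group described in the post.

Assumption: the rule is taken from the post, not from libc. Sample data
is constructed for illustration.
"""

from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    passwd: str
    gid: int
    members: list = field(default_factory=list)


def parse_group_line(line):
    """Parse one 'name:passwd:gid:member,member' line into a Group."""
    name, passwd, gid, members = line.rstrip("\n").split(":", 3)
    member_list = [m for m in members.split(",") if m]
    return Group(name, passwd, int(gid) if gid else -1, member_list)


def merge_groups(static_lines, nis_lines):
    """Apply the merge rule from the post to the static file and the NIS map.

    - Local entries are always taken as-is.
    - A line starting with '+' requests the NIS merge.
    - NIS groups unknown locally are appended.
    - An NIS group whose name exists locally only contributes its members
      when the local entry lists no members at all.
    """
    nis = {}
    for line in nis_lines:
        if line.strip() and not line.startswith("#"):
            g = parse_group_line(line)
            nis[g.name] = g

    result, order, merge_requested = {}, [], False
    for line in static_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("+"):          # the magic "+" token
            merge_requested = True
            continue
        g = parse_group_line(line)
        result[g.name] = g
        order.append(g.name)

    if merge_requested:
        for name, ng in nis.items():
            if name not in result:
                result[name] = ng
                order.append(name)
            elif not result[name].members:
                # Local entry exists but is empty: members come from NIS.
                result[name].members = list(ng.members)
            # Otherwise the local membership stands and NIS is ignored.
    return [result[n] for n in order]


def members_of(groups, name):
    """Return the sorted member list of a group, or None if it is absent."""
    for g in groups:
        if g.name == name:
            return sorted(g.members)
    return None


# Constructed sample data: wheel is kept locally (root's primary gid 0 comes
# from /etc/passwd), its supplementary members are expected from NIS.
STATIC_GROUP = [
    "wheel:*:0:",
    "operator:*:5:root",
    "+:*::",
]
NIS_GROUP = [
    "wheel:*:0:alice,bob",
    "staff:*:20:alice,carol",
    "operator:*:5:mallory",   # ignored: local operator already lists root
]


if __name__ == "__main__":
    # Audit view: who is in wheel with and without the directory service.
    with_nis = merge_groups(STATIC_GROUP, NIS_GROUP)
    without_nis = merge_groups(STATIC_GROUP, [])
    print("wheel with NIS:   ", members_of(with_nis, "wheel"))
    print("wheel without NIS:", members_of(without_nis, "wheel"))
    print("operator with NIS:", members_of(with_nis, "operator"))
```

Running it shows the property the post is after: wheel keeps existing (gid 0, root via its primary group) even when the directory is down, while the extra admins only appear when NIS answers, and a local entry that already carries members cannot be extended from the network at all.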