[PATCH] groups in ldap

Andrew Bartlett abartlet at samba.org
Tue Mar 18 10:01:29 GMT 2003


On Tue, 2003-03-18 at 20:47, Volker Lendecke wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> > A schema similar to the one used for users, 
> 
> But if you look at sambaAccount, it firmly ties 'uid' with 'rid',
> which conflicts your point below.

No, it doesn't.  'uid' is 'username' in ldap-speak. 

We don't *require* the unix uid (number) in ldap, but I've recently
added hacks that allow us to use it sometimes.  We should try to rely on
this less, except via the idmap.

We should create a schema that co-exists with the posixGroup for
existing users.  

Now, what's the deal exactly with 'groups in groups'.  I know we can do
it for aliases - but I don't think it applies for 'real' groups.  

We might be able to use this distinction to our advantage, or at least
as a place to start.

> > so that you can create groups, with groups members, and optionally a
> > field for gid mapping perhaps.
> 
> You want a memberSid that can occur multiple times?

We should not store the 'gid' as part of SambaGroup.  That really is
idmap's problem (which might refer back to exactly the same record - but
they need to be conceptually seperated).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030318/75fee7e2/attachment.bin


More information about the samba-technical mailing list