On Aug 21, 2007, at 2:02 PM, Richard Foulkes wrote:
> Ok, so how are you supposed to control membership of the wheel
> group via ldap? Ok, you COULD remove the local wheel entry in
> /etc/group, but this would probably be a bad idea if the ldap server
> were unavailable.

You've aptly summarized my thoughts on the matter-- I would not rely
on LDAP to provide information about root or the wheel group.

> I've had a similar problem to this where group names are duplicated
> across different operating systems (I use gentoo, freebsd and
> ubuntu on my network) but the GIDs are different. For instance the
> 'audio' group on gentoo has a different gid to the 'audio' group on
> ubuntu. This would appear to have something to do with the
> nss_base_group configuration option in the ldap.conf file used by
> nss_ldap and pam_ldap - something to do with the "search scope" -
> whereby I can configure the ldap.conf file for one OS to look at a
> sub-tree of my "groups" ou for additional groups specific to that OS -
> but documentation on the PADL site on this topic is almost
> non-existent!
> Can anyone help?

The solutions to these problems are somewhat painful; looking into
the experience of those using YP/NIS or NetInfo will probably give
some insight which applies to using the newfangled directory services
(aka "LDAP", "Active Directory", "Open Directory", etc). You can
replace the existing flatfile groups with a unified version which
your site is happy with across all of the platforms you use, and then
use "find -nogroup" and things like mtree or rsync to reset the
permissions appropriately.
--
-Chuck
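
An added example, not part of the original message: a Python sketch that compares `/etc/group` files from several hosts, reports names mapped to different GIDs and GIDs mapped to different names, and lists the per-host GID changes needed to reach a unified site map. The host excerpts and the canonical map are constructed sample data, and `remap_plan` is a hypothetical helper.

```python
from collections import defaultdict

# Constructed /etc/group excerpts (name:passwd:gid:members); not real host data.
SAMPLE = {
    "gentoo": "root:x:0:root\nwheel:x:10:root,alice\naudio:x:18:alice\n",
    "freebsd": "wheel:*:0:root,alice\naudio:*:92:\noperator:*:5:root\n",
    "ubuntu": "root:x:0:\naudio:x:29:alice\nadm:x:4:alice\n",
}

def parse_group(text):
    """Return {name: gid} from group(5)-format text, skipping comments,
    NIS compat (+/-) entries and malformed lines."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "+", "-")):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        groups[fields[0]] = int(fields[2])
    return groups

def find_conflicts(hosts):
    """hosts: {host: group text}. Return (name_conflicts, gid_conflicts)."""
    by_name = defaultdict(dict)  # name -> {host: gid}
    by_gid = defaultdict(dict)   # gid  -> {host: name}
    for host, text in hosts.items():
        for name, gid in parse_group(text).items():
            by_name[name][host] = gid
            by_gid[gid][host] = name
    name_conf = {n: h for n, h in by_name.items() if len(set(h.values())) > 1}
    gid_conf = {g: h for g, h in by_gid.items() if len(set(h.values())) > 1}
    return name_conf, gid_conf

def remap_plan(hosts, canonical):
    """Per host, list (name, old_gid, new_gid) where it departs from the site map."""
    plan = {}
    for host, text in hosts.items():
        changes = [(n, g, canonical[n]) for n, g in sorted(parse_group(text).items())
                   if n in canonical and canonical[n] != g]
        if changes:
            plan[host] = changes
    return plan

if __name__ == "__main__":
    names, gids = find_conflicts(SAMPLE)
    print("same name, different gid:", names)
    print("same gid, different name:", gids)
    print("changes for audio=92:", remap_plan(SAMPLE, {"audio": 92}))
```

Each `(name, old_gid, new_gid)` entry identifies files whose numeric group must be reset on that host once the unified group file is in place; files left with an unmapped GID are what `find -nogroup` then reports.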