Date: Wed, 22 Aug 2007 09:53:42 +0200
From: "Ulrich Spoerlein" <uspoerlein@gmail.com>
To: "Chuck Swiger" <cswiger@mac.com>
Cc: Richard Foulkes <rbsfou@yahoo.co.uk>, freebsd-stable@freebsd.org
Subject: Re: pam_group vs. multiple group lines
Message-ID: <7ad7ddd90708220053k147f4c5cq87430a4ee897180d@mail.gmail.com>
In-Reply-To: <1D83A750-03FD-49EF-B99D-BA9B7F7E7BD0@mac.com>
References: <20070821195043.GA1464@roadrunner.spoerlein.net> <A77859AB-FF17-4FBA-8B2C-462B129D84A3@mac.com> <64A1102C-0697-4C4D-AF3B-B1F2ED224792@yahoo.co.uk> <1D83A750-03FD-49EF-B99D-BA9B7F7E7BD0@mac.com>

On 8/22/07, Chuck Swiger <cswiger@mac.com> wrote:
> On Aug 21, 2007, at 2:02 PM, Richard Foulkes wrote:
> > Ok, so how are you supposed to control membership of the wheel
> > group via ldap? Ok, you COULD remove the local wheel entry in /etc/
> > group, but this would probably be a bad idea if the ldap server
> > were unavailable.
>
> You've aptly summarized my thoughts on the matter-- I would not rely
> on LDAP to provide information about root or the wheel group.

That is exactly the gist of my question. Of course I know that a group
oneliner is the way to go. However, I saw people suggest splitting
groups into multiple lines, if the lines are too long or too many
groups per line (something to do with the /etc/group parser, I guess).

Anyway, I want the LDAP groups to *augment* system groups. Removing
wheel from /etc/group and relying on a complex network service .... not
funny.

Besides, it *does* work for file permissions etc. so some basic system
calls *do* get this right.

Uli
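
An added illustration, not part of the original message and not FreeBSD's or pam_group's code: a toy parser over a constructed /etc/group sample, showing how a membership check that stops at the first line for a group name misses members listed on a later line with the same name, while a check that scans every line finds them. The function names, the `first_only` switch and the sample entries are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: "wheel" split over two lines, as discussed in the thread. */
static const char *SAMPLE_GROUP =
    "wheel:*:0:root\n"
    "daemon:*:1:\n"
    "wheel:*:0:uli,alice\n"
    "operator:*:5:root\n";

/* Returns 1 if `user` appears in the comma-separated list mem[0..n). */
static int in_members(const char *mem, size_t n, const char *user) {
    size_t ulen = strlen(user);
    const char *p = mem, *end = mem + n;
    while (p < end) {
        const char *c = memchr(p, ',', (size_t)(end - p));
        size_t len = c ? (size_t)(c - p) : (size_t)(end - p);
        if (len == ulen && memcmp(p, user, len) == 0) return 1;
        p += len + 1;
    }
    return 0;
}

/* first_only=1: decide on the first line naming `group` (lookup-by-name model).
 * first_only=0: check every line naming `group` (full-scan model). */
int is_member(const char *db, const char *group, const char *user, int first_only) {
    size_t glen = strlen(group);
    for (const char *line = db; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > glen && strncmp(line, group, glen) == 0 && line[glen] == ':') {
            /* The member list is whatever follows the third ':' on the line. */
            const char *f = line; int colons = 0;
            while (f < line + llen && colons < 3) if (*f++ == ':') colons++;
            if (colons == 3 && in_members(f, (size_t)(line + llen - f), user)) return 1;
            if (first_only) return 0;
        }
        line += llen + (eol ? 1 : 0);
    }
    return 0;
}

int main(void) {
    const char *users[] = {"root", "uli", "mallory"};
    for (int i = 0; i < 3; i++)
        printf("%-8s first-line=%d all-lines=%d\n", users[i],
               is_member(SAMPLE_GROUP, "wheel", users[i], 1),
               is_member(SAMPLE_GROUP, "wheel", users[i], 0));
    return 0;
}
```

Auditing a real group file for names that occur on more than one line is the corresponding check: any such group can yield different answers depending on which lookup style a given access-control component uses.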