From owner-freebsd-stable@FreeBSD.ORG Wed Aug 22 08:19:22 2007
Date: Wed, 22 Aug 2007 09:53:42 +0200
From: "Ulrich Spoerlein" (uspoerlein@gmail.com)
To: "Chuck Swiger"
Cc: Richard Foulkes, freebsd-stable@freebsd.org
Subject: Re: pam_group vs. multiple group lines
Message-ID: <7ad7ddd90708220053k147f4c5cq87430a4ee897180d@mail.gmail.com>
In-Reply-To: <1D83A750-03FD-49EF-B99D-BA9B7F7E7BD0@mac.com>
References: <20070821195043.GA1464@roadrunner.spoerlein.net> <64A1102C-0697-4C4D-AF3B-B1F2ED224792@yahoo.co.uk> <1D83A750-03FD-49EF-B99D-BA9B7F7E7BD0@mac.com>
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)

On 8/22/07, Chuck Swiger wrote:
> On Aug 21, 2007, at 2:02 PM, Richard Foulkes wrote:
> > Ok, so how are you supposed to control membership of the wheel
> > group via ldap? Ok, you COULD remove the local wheel entry in /etc/
> > group, but this would probably be a bad idea if the ldap server
> > were unavailable.
>
> You've aptly summarized my thoughts on the matter-- I would not rely
> on LDAP to provide information about root or the wheel group.

That is exactly the gist of my question. Of course I know that a group
one-liner is the way to go. However, I saw people suggest splitting
groups into multiple lines if the lines are too long or there are too
many groups per line (something to do with the /etc/group parser, I
guess).

Anyway, I want the LDAP groups to *augment* system groups. Removing
wheel from /etc/group and relying on a complex network service ....
not funny. Besides, it *does* work for file permissions etc., so some
basic system calls *do* get this right.

Uli
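The concern in this thread is that a group entry split over several /etc/group lines may be only partially visible to a pam_group-style membership check. The following is an added example, not code from the list thread or from FreeBSD: a small Python audit that parses a constructed /etc/group-format sample, compares "first matching line wins" lookup semantics (an assumption about how a getgrnam()-style lookup on the files source behaves, stated here, not confirmed by the thread) with a merged view that honours every line, and reports which members would silently vanish from a membership check. The group names and members in SAMPLE_GROUP_FILE are made up for illustration.

```python
"""
Audit an /etc/group-style file for groups split across multiple lines.

Added example, not code from the FreeBSD list thread or from FreeBSD itself.
ASSUMPTION: a getgrnam()-style lookup returns only the first matching line,
so members listed on a later line for the same group are invisible to a
pam_group-style "is user in group" check. The sample file below is
constructed for illustration and is not a real /etc/group.
"""
from collections import OrderedDict

SAMPLE_GROUP_FILE = """\
# constructed sample, not a real /etc/group
wheel:*:0:root,alice
daemon:*:1:
operator:*:5:root
wheel:*:0:bob,carol
staff:*:20:root
"""


def parse_group_lines(text):
    """Yield (name, gid, members) for each non-comment line, in file order."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError("malformed group line: %r" % raw)
        name, _passwd, gid, members = fields
        yield name, int(gid), [m for m in members.split(",") if m]


def first_match_members(text):
    """Membership as a first-match lookup would see it (assumed getgrnam semantics)."""
    seen = OrderedDict()
    for name, gid, members in parse_group_lines(text):
        if name not in seen:          # later lines for the same name are ignored
            seen[name] = (gid, list(members))
    return seen


def merged_members(text):
    """Membership if every line for a group were honoured (what the poster wants)."""
    merged = OrderedDict()
    for name, gid, members in parse_group_lines(text):
        gid0, mem = merged.setdefault(name, (gid, []))
        if gid0 != gid:
            raise ValueError("group %s has conflicting gids %d and %d" % (name, gid0, gid))
        for m in members:
            if m not in mem:
                mem.append(m)
    return merged


def find_shadowed_members(text):
    """Return {group: [members]} that a first-match lookup silently drops."""
    first = first_match_members(text)
    merged = merged_members(text)
    shadowed = {}
    for name, (_gid, all_members) in merged.items():
        dropped = [m for m in all_members if m not in first[name][1]]
        if dropped:
            shadowed[name] = dropped
    return shadowed


def user_in_group(text, user, group, merged=False):
    """Emulate a pam_group-style supplementary-group check under either model.

    Only the gr_mem member list is checked; a user's primary gid from the
    passwd database is deliberately not modelled here.
    """
    table = merged_members(text) if merged else first_match_members(text)
    entry = table.get(group)
    return entry is not None and user in entry[1]


if __name__ == "__main__":
    for g, dropped in find_shadowed_members(SAMPLE_GROUP_FILE).items():
        print("group %s: members on later lines not seen by first-match lookup: %s"
              % (g, ", ".join(dropped)))
    for u in ("alice", "bob"):
        print("%s in wheel: first-match=%s merged=%s"
              % (u, user_in_group(SAMPLE_GROUP_FILE, u, "wheel"),
                 user_in_group(SAMPLE_GROUP_FILE, u, "wheel", merged=True)))
```

Run it against a copy of a real group file (read the file into the text argument) before trusting a pam_group rule such as one gating su on wheel: any group reported by find_shadowed_members is one where the access decision depends on which line the lookup happens to return. A user's primary gid is not modelled, so a user whose passwd entry already carries the group's gid would pass a real pam_group check even if this script reports them as shadowed.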