Date: Wed, 22 Aug 2007 10:28:40 +0200
From: "Patrick M. Hausen"
To: Ulrich Spoerlein
Cc: freebsd-stable@freebsd.org, Richard Foulkes
Subject: Re: pam_group vs. multiple group lines
Message-ID: <20070822082840.GB74165@hugo10.ka.punkt.de>
In-Reply-To: <7ad7ddd90708220053k147f4c5cq87430a4ee897180d@mail.gmail.com>
References: <20070821195043.GA1464@roadrunner.spoerlein.net> <64A1102C-0697-4C4D-AF3B-B1F2ED224792@yahoo.co.uk> <1D83A750-03FD-49EF-B99D-BA9B7F7E7BD0@mac.com> <7ad7ddd90708220053k147f4c5cq87430a4ee897180d@mail.gmail.com>
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)

Hi, all!

On Wed, Aug 22, 2007 at 09:53:42AM +0200, Ulrich Spoerlein wrote:
> On 8/22/07, Chuck Swiger wrote:
> > On Aug 21, 2007, at 2:02 PM, Richard Foulkes wrote:
> > > Ok, so how are you supposed to control membership of the wheel
> > > group via ldap? Ok, you COULD remove the local wheel entry in
> > > /etc/group, but this would probably be a bad idea if the ldap server
> > > were unavailable.
> >
> > You've aptly summarized my thoughts on the matter-- I would not rely
> > on LDAP to provide information about root or the wheel group.
>
> That is exactly the gist of my question. Of course I know that a group
> oneliner is the way to go. However, I saw people suggest splitting
> groups into multiple lines, if the lines are too long or too many
> groups per line (something to do with the /etc/group parser, I guess).
>
> Anyway, I want the LDAP groups to *augment* system groups. Removing
> wheel from /etc/group and relying on a complex network service ....
> not funny.

I've only followed this thread loosely, so I apologize if this has already been stated or if I'm completely missing the point, but here goes:

We do not use LDAP yet, but have been using NIS in our internal office network for years. If you use the magic "+" token to merge your NIS database with the static files for passwd and group information, then _if_ the group entry in the static file does not contain any users _then_ the information from NIS is merged in.

So you can keep a "wheel" group around as the _primary_ group for root, toor, whatnot ... and all the additional members that have "wheel" as an auxiliary group come from NIS.

Possibly this works for LDAP, too? IMHO at least it should ;-))

Kind regards,
Patrick
-- 
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@punkt.de http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285
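The merge Patrick describes, as an added example that is not part of the original message and not FreeBSD's libc: a small Python model of compat-mode /etc/group merging. It implements only the rule stated above (a local group line with no members takes its member list from the directory; a local line that lists members is left alone) for the "+name" and bare "+" tokens, and checks membership the way login-time code does, through the primary gid in passwd as well as the group's member list. The group and passwd text and the NIS stand-in dict are constructed sample data, and "NIS down" is modelled by passing no directory at all, so the script runs offline and shows why root keeps wheel even when the directory is unreachable.

```python
"""Model of compat-mode /etc/group merging (constructed example, not libc)."""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    gid: int
    members: list = field(default_factory=list)


# Constructed local files. wheel keeps gid 0 but lists no members: root and
# toor are in wheel via their primary gid in passwd, not via /etc/group.
LOCAL_GROUP = """\
wheel:*:0:
operator:*:5:root
staff:*:20:
+wheel:*:0:
+:*:*:
"""

LOCAL_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
"""

# Constructed stand-in for the NIS (or LDAP) group map.
DIRECTORY_GROUPS = {
    "wheel": Group("wheel", 0, ["alice", "bob"]),
    "operator": Group("operator", 5, ["mallory"]),   # must NOT override local
    "staff": Group("staff", 20, ["alice", "carol"]),
    "devel": Group("devel", 1001, ["bob", "carol"]),
}


def parse_group_file(text):
    """Return (local groups in file order, names requested by '+' tokens).

    A '+name:...' line requests one directory group; a bare '+' (or '+:*:*:')
    requests all of them and is recorded as the empty string.
    """
    groups, tokens = [], []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if line.startswith("+"):
            tokens.append(line[1:].split(":")[0])
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups.append(Group(name, int(gid), [m for m in members.split(",") if m]))
    return groups, tokens


def merge_groups(local_text, directory):
    """Apply the merge rule; directory=None models the NIS server being down."""
    groups, tokens = parse_group_file(local_text)
    by_name = {g.name: g for g in groups}
    if directory is None:
        return by_name                      # '+' lines resolve to nothing
    wanted = set()
    for tok in tokens:
        wanted.update(directory.keys() if tok == "" else [tok])
    for name in wanted:
        remote = directory.get(name)
        if remote is None:
            continue
        local = by_name.get(name)
        if local is None:
            by_name[name] = Group(remote.name, remote.gid, list(remote.members))
        elif not local.members:
            local.members = list(remote.members)   # empty local list: merge in
        # a local line that names members wins; the directory entry is ignored
    return by_name


def primary_gids(passwd_text):
    """Map user name to primary gid from passwd(5) text."""
    return {f[0]: int(f[3]) for f in
            (line.split(":") for line in passwd_text.splitlines() if line)}


def is_member(user, group_name, groups, passwd_text=LOCAL_PASSWD):
    """Membership as login code sees it: primary gid or group member list."""
    g = groups.get(group_name)
    if g is None:
        return False
    return primary_gids(passwd_text).get(user) == g.gid or user in g.members


if __name__ == "__main__":
    for label, directory in (("NIS up", DIRECTORY_GROUPS), ("NIS down", None)):
        groups = merge_groups(LOCAL_GROUP, directory)
        print(label, "wheel =", groups["wheel"].members,
              "root in wheel:", is_member("root", "wheel", groups),
              "alice in wheel:", is_member("alice", "wheel", groups))
```

With the directory reachable, wheel's member list comes entirely from NIS and the local operator line, which names root, is left untouched; with the directory down, wheel's list is empty but root is still in wheel through gid 0 in passwd, which is the property the thread is after. The rule is a model of what the message states, not a claim about the exact precedence logic in FreeBSD's getgrent(3).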