0

"Usergroups" are a common concept in UNIX; many Linux distributions (e.g. Debian) use them by default. It means that each user has a corresponding private group (e.g., user "alex" also has a group "alex", which is his primary GID).

Now when you have the user database in LDAP (e.g. OpenLDAP with libnss-ldap), is there anything wrong with creating just one object per user and assigning it the object class(es) for the user (e.g., posixAccount, shadowAccount, sambaSamAccount) and the class for the group (e.g., posixGroup) at the same time?

divB

1 Answer

0

IIRC the required attribute for the posixAccount objectClass is the gidNumber, and on Linux systems the gidNumber does not need to resolve to a more human-readable group name; your system only translates the GID number to a name as a user convenience anyway.

That doesn't say you won't get warnings...

As for adding both the objectClass=posixAccount and objectClass=posixGroup to the same DN? No idea if you can, nor if it will work. A priori I don't see why not for technical reasons, but testing will resolve that.

My recommendation about going against convention is that it will always become a nightmare to maintain...

HBruijn
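The combined user/group entry from the question can be checked offline before it is loaded into a directory. The following is an added example, not code from the question or the answer: it tests the entry against the rule that an entry may have only one structural object class chain, which OpenLDAP enforces. It goes beyond the thread by comparing two published schemas, RFC 2307 (where posixGroup is STRUCTURAL) and the rfc2307bis draft (where it is AUXILIARY). The sample entry and the function names are constructed for illustration.

```python
# Added example. Class kinds are taken from the published schemas:
# RFC 2307 (OpenLDAP's nis.schema) defines posixGroup as STRUCTURAL,
# the rfc2307bis draft defines it as AUXILIARY.
COMMON = {
    "top": "ABSTRACT",
    "account": "STRUCTURAL",          # cosine.schema
    "inetorgperson": "STRUCTURAL",
    "posixaccount": "AUXILIARY",
    "shadowaccount": "AUXILIARY",
    "sambasamaccount": "AUXILIARY",
}
SCHEMAS = {
    "rfc2307": {**COMMON, "posixgroup": "STRUCTURAL"},
    "rfc2307bis": {**COMMON, "posixgroup": "AUXILIARY"},
}

# Constructed sample entry: the DN, names and numbers are made up.
SAMPLE_LDIF = """\
dn: uid=alex,ou=people,dc=example,dc=org
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: posixGroup
uid: alex
cn: alex
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/alex
"""

def parse_entry(ldif):
    """Parse one plain LDIF entry (no base64 values, no folded lines)."""
    attrs = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def structural_classes(ldif, schema):
    """Return the entry's structural classes; unknown classes raise KeyError."""
    kinds = SCHEMAS[schema]
    classes = parse_entry(ldif).get("objectclass", [])
    return [c for c in classes if kinds[c.lower()] == "STRUCTURAL"]

def single_structural_chain(ldif, schema):
    # None of the structural classes in the table inherit from one another,
    # so exactly one of them means exactly one structural chain.
    return len(structural_classes(ldif, schema)) == 1
```

With the RFC 2307 table the sample has two unrelated structural classes (account and posixGroup) and fails the check; with the rfc2307bis table only account is structural and the entry passes.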