Is it possible to merge a group that's defined locally with one defined on an LDAP server?
I'm running a Subversion server. I need certain local users like apache to have write access to the repository files. But I also need my LDAP users to be able to write to them.
I was thinking of creating a local group in /etc/group, containing the local users. Then I'd create a group on the LDAP server with the same name and numeric ID, containing the LDAP users. The repository files would then be assigned to that group, so they're writable by both sets of users. Is that a bad idea?
Thanks, Jacob
On Fri, Aug 08, 2014 at 10:45:09AM -0700, Jacob Weber wrote:
> Is it possible to merge a group that's defined locally with one defined on an LDAP server?
> I'm running a Subversion server. I need certain local users like apache to have write access to the repository files. But I also need my LDAP users to be able to write to them.
> I was thinking of creating a local group in /etc/group, containing the local users. Then I'd create a group on the LDAP server with the same name and numeric ID, containing the LDAP users. The repository files would then be assigned to that group, so they're writable by both sets of users. Is that a bad idea?
> Thanks, Jacob

Hi,
if you're using the RFC2307 schema (and not RFC2307bis) then it's possible to just include a local user in the memberUid attribute. See: https://fedorahosted.org/sssd/ticket/1020
And: https://fedorahosted.org/sssd/wiki/DesignDocs/LocalGroupMembersForRFC2307
On 08/08/2014 01:45 PM, Jacob Weber wrote:
> Is it possible to merge a group that's defined locally with one defined on an LDAP server?
> I'm running a Subversion server. I need certain local users like apache to have write access to the repository files. But I also need my LDAP users to be able to write to them.

Can you create a central Apache user and put him into the proper groups?

> I was thinking of creating a local group in /etc/group, containing the local users. Then I'd create a group on the LDAP server with the same name and numeric ID, containing the LDAP users. The repository files would then be assigned to that group, so they're writable by both sets of users. Is that a bad idea?
> Thanks, Jacob
> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users

On Fri, Aug 08, 2014 at 02:34:48PM -0400, Dmitri Pal wrote:
> On 08/08/2014 01:45 PM, Jacob Weber wrote:
>> Is it possible to merge a group that's defined locally with one defined on an LDAP server?
>> I'm running a Subversion server. I need certain local users like apache to have write access to the repository files. But I also need my LDAP users to be able to write to them.
>
> Can you create a central Apache user and put him into the proper groups?

Alternatively, if you're concerned about filesystem access only, can you use getfacl/setfacl instead of group permissions?
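
The getfacl/setfacl approach suggested in the last reply, as an added example that is not part of the thread: it grants one extra account write access to a repository tree without touching the owning group, and sets default ACLs so newly created files inherit the entry. It assumes the `acl` tools are installed and the filesystem supports POSIX ACLs; the function names and the path /srv/svn/repo are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: give one extra account (e.g. the local
# apache user) write access to a repository tree with POSIX ACLs, leaving the
# owning group (which can stay LDAP-only) untouched.
# Function names and /srv/svn/repo are hypothetical.

# grant_repo_acl USER DIR
grant_repo_acl() {
    acl_user=$1
    repo=$2
    [ -d "$repo" ] || { echo "not a directory: $repo" >&2; return 2; }
    # Access ACL on everything that exists now. Capital X adds execute only
    # on directories and on files that are already executable.
    setfacl -R -m "u:${acl_user}:rwX" "$repo" || return 1
    # Default ACL on directories, so files Subversion creates later
    # inherit the entry instead of falling back to plain mode bits.
    find "$repo" -type d -exec setfacl -m "d:u:${acl_user}:rwX" {} + || return 1
}

# has_acl_entry USER PATH
# Succeeds if PATH carries a named-user entry for USER that starts with rw.
# The mask can still reduce it; see the #effective column of getfacl.
has_acl_entry() {
    uid=$(id -u "$1" 2>/dev/null) || uid=$1   # accept a name or a numeric uid
    getfacl -n -p -c "$2" 2>/dev/null | grep -Eq "^user:${uid}:rw"
}

# Typical use (run as root or as the owner of the tree):
#   grant_repo_acl apache /srv/svn/repo
#   has_acl_entry apache /srv/svn/repo/db && echo "apache has an rw entry"
#   getfacl /srv/svn/repo        # review the result, including the mask
```

Named-user entries are limited by the ACL mask, so a later `chmod g-w` on a file also removes the effective write permission of the added account.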