Grouper Users - Open Discussion List

[Paul Engle <>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- --On Wednesday, July 02, 2008 5:14 PM -0500 Tom Barton 
<>
 wrote:

> Something like that. You'll need to consider how to arrange those of your 
> grouper groups that are posixGroups in coordination with how you will 
> select them with the ldappc instance that provisions posix groups.


I've been wrestling with that same issue for our implementation. It's all 
purely thought-experiment at this stage, since I can't manage to carve out 
enough time to actually work on grouper, but here's what I was considering 
doing for our purposes.

My idea is to have a separate top-level stem to contain the posixGroup 
definitions. Only the sysadmins have access rights to this stem. The groups 
in this stem all have a custom attribute for the gidNumber just as Tom has 
described. The membership of the group is just a single group out in the 
'public' stem areas--one which potentially anyone could have edit rights to.

That way, the membership management is kept in one place, maintained by those 
who are best in a position to know who it should be. But there's no danger of 
name or gid collisions on the unix side, because that's all maintained in the 
posix-group stem.

As I said, we haven't actually implemented this, but I've given in a good bit 
of thought on and off. This is the best solution I could come up with.

Any suggestions for improvement or examples of how others are managing the 
posixGroup information within grouper is welcome.

  -paul


- -- 
Paul D. Engle                       | Rice University
Sr. Systems Adminstrator, RHCE      | Information Technology - MS119
713-348-4702                        | PO Box 1892

                     | Houston, TX 77251-1892
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFIbORvCpkISWtyHNsRAgk8AKChswosHZy9lA4WUqi1TPbB8jJRvACeMkYJ
bnc3n4shy0QOxKQ6IVKbi4A=
=FXef
-----END PGP SIGNATURE-----