pam_group vs. multiple group lines

Ulrich Spoerlein uspoerlein at gmail.com
Wed Aug 22 01:19:22 PDT 2007


On 8/22/07, Chuck Swiger <cswiger at mac.com> wrote:
> On Aug 21, 2007, at 2:02 PM, Richard Foulkes wrote:
> > Ok, so how are you supposed to control membership of the wheel
> > group via ldap? Ok, you COULD remove the local wheel entry in /etc/
> > group, but this would probably be a bad idea if the ldap server
> > were unavailable.
>
> You've aptly summarized my thoughts on the matter-- I would not rely
> on LDAP to provide information about root or the wheel group.

That is exactly the gist of my question. Of course I know that a group
one-liner is the way to go. However, I saw people suggest splitting
groups into multiple lines, if the lines are too long or too many
groups per line (something to do with the /etc/group parser, I guess).

Anyway, I want the LDAP groups to *augment* system groups. Removing
wheel from /etc/group and relying on a complex network service ....
not funny.

Besides, it *does* work for file permissions etc. so some basic system
calls *do* get this right.

Uli

