On Wed, 22.08.2007 at 10:28:40 +0200, Patrick M. Hausen wrote:
> On Wed, Aug 22, 2007 at 09:53:42AM +0200, Ulrich Spoerlein wrote:
> > On 8/22/07, Chuck Swiger <[EMAIL PROTECTED]> wrote:
> > > On Aug 21, 2007, at 2:02 PM, Richard Foulkes wrote:
> > > > Ok, so how are you supposed to control membership of the wheel
> > > > group via ldap? Ok, you COULD remove the local wheel entry in
> > > > /etc/group, but this would probably be a bad idea if the ldap server
> > > > were unavailable.
> > >
> > > You've aptly summarized my thoughts on the matter-- I would not rely
> > > on LDAP to provide information about root or the wheel group.
> >
> > That is exactly the gist of my question. Of course I know that a group
> > one-liner is the way to go. However, I saw people suggest splitting
> > groups into multiple lines, if the lines are too long or too many
> > groups per line (something to do with the /etc/group parser, I guess).
> >
> > Anyway, I want the LDAP groups to *augment* system groups. Removing
> > wheel from /etc/group and relying on a complex network service ....
> > not funny.
>
> We do not use LDAP yet, but have been using NIS in our internal
> office network for years. If you use the magic "+" token to merge
> your NIS database with the static files for passwd and group
> information, then
I'm not using the compat setting, my nsswitch.conf contains

passwd: files ldap
group: files ldap

> _if_ the group entry in the static file does not contain any users
> _then_ the information from NIS is merged in
>
> So you can keep a "wheel" group around as the _primary_ group
> for root, toor, whatnot ... and all the additional members
> that have "wheel" as an auxiliary group come from NIS.
>
> Possibly this works for LDAP, too? IMHO at least it should ;-))

THANK YOU! It is indeed working for LDAP too. But it fails for sudo(8).
Luckily I could replace the %wheel directive with a few user id
directives. It's still a shortcoming of some sort and I guess I'll file
a PR if no one else has any more information on the issue.

getent group now has the following wheel entries

% getent group|grep wheel
wheel:*:0
wheel:*:0:us,root

As I said, su(1) is happy, sudo(8) not yet.

Cheers,
Ulrich Spoerlein
--
It is better to remain silent and be thought a fool, than to speak, and
remove all doubt.
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
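An added audit helper (not from the thread, and not part of any FreeBSD tool): it reads getent-style group lines, such as the two wheel entries the mail shows once files and ldap are merged, and reports how many sources a group resolves from and the union of its members, so an admin can confirm who effectively sits in a gid-0 group. SAMPLE_GROUPS is constructed input; on a live host pass "$(getent group)" instead.

```sh
#!/bin/sh
# Audit helper for groups that resolve from more than one nsswitch source.
# SAMPLE_GROUPS is constructed input shaped like the `getent group` lines in
# the mail: the bare /etc/group "wheel" entry plus the LDAP-merged one.
SAMPLE_GROUPS='wheel:*:0
wheel:*:0:us,root
operator:*:5:root
staff:*:20:alice,bob'

# entry_count NAME [INPUT]: how many lines resolve for NAME; more than one
# means the group is coming from several sources (here files + ldap).
entry_count() {
    printf '%s\n' "${2:-$SAMPLE_GROUPS}" |
        awk -F: -v g="$1" '$1 == g { n++ } END { print n + 0 }'
}

# effective_members NAME [INPUT]: the union of the member lists of every
# entry named NAME, sorted and comma-joined, i.e. the set su(1) honours.
effective_members() {
    printf '%s\n' "${2:-$SAMPLE_GROUPS}" |
        awk -F: -v g="$1" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' |
        sort -u |
        awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

# audit_group NAME [INPUT]: one report line per group; exit status 1 when
# the group is multi-source, so a periodic job can flag it for review.
audit_group() {
    count=$(entry_count "$1" "$2")
    members=$(effective_members "$1" "$2")
    printf '%s: %s entries, effective members: %s\n' \
        "$1" "$count" "${members:-<none>}"
    [ "$count" -le 1 ]
}

# Stand-alone run over the constructed sample; on a live host use:
#   audit_group wheel "$(getent group)"
audit_group wheel || :
audit_group staff
```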