Add SSSD example configuration #896
Conversation
| You must also manually set the above attributes for each user, eg. for user `admin` with `uidnumber` 2000 and `gidnumber` 2000: | ||
| ```bash | ||
| lldap-cli user update set admin uidnumber 2000 | ||
| lldap-cli user update set admin gidnumber 2000 |
There was a problem hiding this comment.
Shouldn't it be lldap_admin and group? Do users need a gidNumber?
There was a problem hiding this comment.
Well now I’m wondering, but I’m pretty sure user needs gidNumber as well. Going to check that once I’m able to setup a test environment.
There was a problem hiding this comment.
Yeah, I just checked, every user needs a gid for their primary group. A common strategy is to have a group per user so they don't accidentally share files by making them group-readable. I'm not sure it's a good idea here, though (you probably don't want to create an LDAP group per user).
It doesn't matter (yet) since you assign the gid by hand, but it's something to think about. Maybe you should have a note about this? Something about setting the default file mask to 700 if you don't want every user to be able to read your files.
There was a problem hiding this comment.
Well, what I did was one common group (gid 2000) which is also a primary group for every user. This was desired in my case, at my LDAP instance is for a team of people performing common tasks and are sharing the files (that's why I also hardcoded the default home directory). I also handle creation and setting permissions for the home directory separately (in a configuration script).
There was a problem hiding this comment.
Yeah, I still think it's worth pointing out that this is a design decision that the user needs to make, and to explain the two options (one group per user, or one shared group), as well as the default file mask.
No description provided.