Add SSSD example configuration #896
Conversation
Looks already pretty nice!
You must also manually set the above attributes for each user, eg. for user `admin` with `uidnumber` 2000 and `gidnumber` 2000:
```bash
lldap-cli user update set admin uidnumber 2000
lldap-cli user update set admin gidnumber 2000
```
Shouldn't it be lldap_admin and group? Do users need a gidNumber?
Well now I’m wondering, but I’m pretty sure user needs gidNumber as well. Going to check that once I’m able to set up a test environment.
Yeah, I just checked, every user needs a gid for their primary group. A common strategy is to have a group per user so they don't accidentally share files by making them group-readable. I'm not sure it's a good idea here, though (you probably don't want to create an LDAP group per user).
It doesn't matter (yet) since you assign the gid by hand, but it's something to think about. Maybe you should have a note about this? Something about setting the default file mask to 700 if you don't want every user to be able to read your files.
Well, what I did was one common group (gid 2000) which is also the primary group for every user. This was desired in my case, as my LDAP instance is for a team of people performing common tasks and sharing files (that's why I also hardcoded the default home directory). I also handle creation and setting permissions for the home directory separately (in a configuration script).
Yeah, I still think it's worth pointing out that this is a design decision that the user needs to make, and to explain the two options (one group per user, or one shared group), as well as the default file mask.
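The two points raised in this thread (every user's primary gidNumber must resolve to an existing group, and the choice between one shared group and one group per user) can be verified on the SSSD client after the attributes are set. The script below is an added example, not part of this PR or the lldap project; it parses passwd- and group-format lines as `getent` prints them, using constructed sample data, and flags users whose primary gid has no group entry plus whether that gid is shared with other users.

```shell
#!/bin/sh
# Constructed sample of what `getent -s sss passwd` / `getent -s sss group`
# might return once SSSD resolves LDAP users; not real data from this project.
# erin has a gidNumber (2005) that no group carries, which SSSD logins need.
SAMPLE_PASSWD='alice:*:2001:2000:alice:/home/shared:/bin/bash
bob:*:2002:2000:bob:/home/shared:/bin/bash
carol:*:2003:2003:carol:/home/carol:/bin/bash
dave:*:2004:2004:dave:/home/dave:/bin/bash
erin:*:2005:2005:erin:/home/erin:/bin/bash'
SAMPLE_GROUP='team:*:2000:alice,bob
carol:*:2003:
dave:*:2004:'

# Print one line per user: "<user> <primary gid> ok|missing shared|private".
# "shared" means other users have the same primary gid (team-group layout);
# with that layout, files created group-readable are visible to the whole
# team, so a restrictive umask such as 077 (files 600, dirs 700) keeps them
# private unless sharing is intended.
check_primary_groups() {
  passwd="$1"; group="$2"
  printf '%s\n' "$passwd" | while IFS=: read -r user _ uid gid _; do
    if [ -z "$user" ]; then continue; fi
    # Does any group line carry this gid in its third field?
    if printf '%s\n' "$group" | awk -F: -v g="$gid" '$3 == g { f=1 } END { exit !f }'; then
      status=ok
    else
      status=missing
    fi
    # How many users use this gid as their primary group?
    n=$(printf '%s\n' "$passwd" | awk -F: -v g="$gid" '$4 == g { n++ } END { print n+0 }')
    if [ "$n" -gt 1 ]; then kind=shared; else kind=private; fi
    printf '%s %s %s %s\n' "$user" "$gid" "$status" "$kind"
  done
}

# Exit status 0 when every user's primary gid resolves to a group, 1 otherwise.
primary_groups_ok() {
  ! check_primary_groups "$1" "$2" | grep -q ' missing '
}

# Against a live SSSD client, replace the samples with real lookups:
#   check_primary_groups "$(getent -s sss passwd)" "$(getent -s sss group)"
check_primary_groups "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```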