On Mon, 2004-02-23 at 13:34, ispman-schema-admin-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@xxxxxxxxxxxxxxxx wrote:
> Hi, I was setting up the ispman server infrastructure and noticed that it
> may be helpful if, when creating a domain, the object class
> includes posixGroup.
>
> The first thing that struck me about why this is useful is that if users do
> get shell access, when logging in through ssh there is no ldap result for
> searching for the groupname attribute.
>
> The ldap search performed when logging in through ssh is:
> Feb 23 16:28:01 unix slapd[1797]: conn=16901 op=1 SRCH base="o=ispman"
> scope=2 filter="(&(objectClass=posixGroup))"
>
> Would it be harmless to add posixGroup to the objectClass list for domains?
Not entirely. The problem is that posixGroup is a structural
objectClass and there is already another structural, which violates
schema rules and will not work on OpenLDAP 2.1 and greater, which is
more restrictive and correct about schema rules.
Wil
--
Wil Cooley
wcooley-fQpqOMgyT3kKlTDg6p0iyA@xxxxxxxxxxxxxxxx
Naked Ape Consulting http://nakedape.cc
* * * * Linux, UNIX, Networking and Security Solutions * * * *
* Naked Ape Consulting http://nakedape.cc *
* Tired of spam and viruses in your e-mail? *
* Get the Naked Ape Mail Defender! http://nakedape.cc/r/md *
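
The rule the reply refers to (an entry's structural object classes must form a single inheritance chain) can be checked offline before changing how entries are created. This is an added example, not part of the original messages or ISPMan's code; the mini-schema is constructed, and `exampleDomain`, `exampleSubDomain` and `exampleAux` are hypothetical stand-ins for whatever classes the domain entry already carries.

```python
# Constructed mini-schema (not read from a live server). Assumption: each
# class has a single SUP, which holds for the classes modelled here.
SCHEMA = {
    "top":              {"kind": "ABSTRACT",   "sup": None},
    "posixGroup":       {"kind": "STRUCTURAL", "sup": "top"},  # as the reply states
    "exampleDomain":    {"kind": "STRUCTURAL", "sup": "top"},  # hypothetical
    "exampleSubDomain": {"kind": "STRUCTURAL", "sup": "exampleDomain"},  # hypothetical
    "exampleAux":       {"kind": "AUXILIARY",  "sup": "top"},  # hypothetical
}


def superiors(name, schema):
    """Return every ancestor of an object class by walking its SUP links."""
    seen = set()
    sup = schema[name]["sup"]
    while sup is not None and sup not in seen:
        seen.add(sup)
        sup = schema[sup]["sup"]
    return seen


def structural_leaves(object_classes, schema):
    """Most-derived structural classes among an entry's objectClass values."""
    canonical = {name.lower(): name for name in schema}  # names are case-insensitive
    listed = []
    for oc in object_classes:
        if oc.lower() not in canonical:
            raise KeyError(f"objectClass not in schema: {oc}")
        listed.append(canonical[oc.lower()])
    structural = {oc for oc in listed if schema[oc]["kind"] == "STRUCTURAL"}
    inherited = set()
    for oc in structural:
        inherited |= superiors(oc, schema)
    return sorted(structural - inherited)


def check_entry(object_classes, schema=SCHEMA):
    """Return (ok, leaves); ok only when exactly one structural chain exists."""
    leaves = structural_leaves(object_classes, schema)
    return len(leaves) == 1, leaves


if __name__ == "__main__":
    for ocs in (["top", "exampleDomain", "exampleAux"],
                ["top", "exampleDomain", "posixGroup"]):
        ok, leaves = check_entry(ocs)
        print("OK  " if ok else "FAIL", ocs, "structural chains end at", leaves)
```
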