Ticket #200 (new defect)

Opened 8 months ago

Last modified 5 weeks ago

Hesiod makes a crappy group database

Reported by: broder
Owned by:
Priority: major
Milestone: IAP 2010
Component: --
Keywords:
Cc:
Upstream bug:

Description

Anyone who's involved in more than 2 crusty student groups starts getting punted from groups in Hesiod, and Murphy dictates that you get punted from the groups you want to key on for ACLs.

We should figure out something else to use as a group database (LDAP?), or what needs to be modified to make something else usable as a group database.

Change History

Changed 8 months ago by jdreed

From athena10[1715]:

I talked with Richard Edelson about this at the end of IAP. He said that as far as he knew, the LDAP servers definitely knew about moira GIDs, so it was probably a matter of just figuring out how to do it. So the next step is that some debathena-dev folks should find a time to sit down with Richard (and possibly a few other people) and hash out what Debathena needs and how we can get it. Bill and/or I can probably help with facilitating this meeting.

Changed 7 months ago by jdreed

  • priority changed from critical to major
  • milestone set to IAP 2010

Changed 5 weeks ago by broder

I finally took a stab at the LDAP configuration. Here's what I have so far to add to /etc/ldap.conf:

# Directory server, transport (ssl on = LDAPS, not STARTTLS) and default base DN
host ldap-dev-1.mit.edu
ssl on
base dc=mit,dc=edu

# pam_ldap: attribute consulted for group-membership checks
pam_member_attribute member
# nss_ldap search bases; a trailing comma appends the default base, ?one = one-level scope
nss_base_passwd ou=users,ou=moira,?one
nss_base_group ou=lists,ou=moira,?one
# Moira lists are "group" objects whose "member" attribute holds user DNs,
# not RFC 2307 posixGroup/uniqueMember, so remap the schema nss_ldap expects
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member

It doesn't quite work, because nss_ldap tries to use a memberUid field in addition to the member field when querying group membership, and ldap-dev-1.mit.edu seems to reject any queries that include memberUid. I've e-mailed mark to ask if he can change that configuration.
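To see the rejection independently of nss_ldap, the same group search can be issued by hand. The script below is an added example, not part of the ticket or of Debathena; it builds the membership filter nss_ldap sends under the mapping above, plus a member-only variant, and prints the matching ldapsearch invocations. It assumes nss_ldap's initgroups filter has the shape (&(objectClass=<group class>)(|(memberUid=<uid>)(<member attr>=<user DN>))) with the mapped names group and member substituted, and that user entries have DNs of the form uid=<user>,ou=users,ou=moira,dc=mit,dc=edu; both are assumptions, and running the printed commands needs ldapsearch and access to the host.

```shell
#!/bin/sh
# Added example (not the ticket's own code). Reconstructs the group-membership
# search nss_ldap issues under the /etc/ldap.conf mapping in this ticket so the
# server's answer can be checked with ldapsearch rather than via getent/id.
#
# Assumptions (not confirmed by the ticket):
#   - nss_ldap initgroups filter shape:
#       (&(objectClass=<grp class>)(|(memberUid=<uid>)(<member attr>=<user DN>)))
#     with the mapped names "group" and "member" substituted
#   - user DNs look like uid=<user>,ou=users,ou=moira,dc=mit,dc=edu

LDAP_HOST="ldap-dev-1.mit.edu"
BASE="dc=mit,dc=edu"
USER_BASE="ou=users,ou=moira,$BASE"
GROUP_BASE="ou=lists,ou=moira,$BASE"

# DN of a user entry under the nss_base_passwd subtree (assumed form).
user_dn() {
    printf 'uid=%s,%s\n' "$1" "$USER_BASE"
}

# Filter nss_ldap sends: memberUid is tried alongside the mapped member
# attribute, which is the part ldap-dev-1.mit.edu rejects per the ticket.
nss_group_filter() {
    printf '(&(objectClass=group)(|(memberUid=%s)(member=%s)))\n' \
        "$1" "$(user_dn "$1")"
}

# Same lookup restricted to the DN-valued member attribute only.
member_only_filter() {
    printf '(&(objectClass=group)(member=%s))\n' "$(user_dn "$1")"
}

# ldapsearch command for a filter: LDAPS (ssl on), one-level scope (?one),
# anonymous simple bind, returning only cn of the matching lists.
ldapsearch_cmd() {
    printf "ldapsearch -H ldaps://%s -x -b '%s' -s one '%s' cn\n" \
        "$LDAP_HOST" "$GROUP_BASE" "$1"
}

# Usage: sh thisscript.sh <username>
if [ -n "$1" ]; then
    echo "# query as nss_ldap issues it (expected to be rejected):"
    ldapsearch_cmd "$(nss_group_filter "$1")"
    echo "# member-only query:"
    ldapsearch_cmd "$(member_only_filter "$1")"
fi
```

If the first command fails with a server-side error while the second returns the user's lists, the problem is the memberUid branch of the filter rather than the objectclass/attribute mapping, which is what this ticket reports.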
