Hello

I was wondering if anyone knows of or has designed their own solution to the following problem and could possibly help us.

We are interested in extending the use of our Active Directory so it can be used to control access to resources from Linux and Solaris clients. This already happens to some extent but a problem is preventing a bigger take-up of this facility. We currently use SFU 3.5 and the problem we have is that when AD security groups are created no GID is automatically assigned to the new group. For user accounts this isn't an issue because one department (my own) creates all the user accounts for the entire University. We can therefore assign UIDs centrally at the point of the account creation from our meta-directory. However, the ability to create and manage AD groups is devolved to local IT support staff (of which there are many). We need a way to populate the GID attribute with a unique value whenever a group is created. We also need a way to ensure that this GID cannot be modified even by those who have rights to manage the group itself. Our current thinking is to schedule a task which looks for groups without GIDs, extracts the RID from the group's SID and then writes this into the appropriate SFU attribute.

I'd be interested to hear from any Universities that have tried something like this or have found other ways to achieve the same result.

Thanks
Nigel

Nigel Bruce
Service Group Leader
Information Systems Services
University of Leeds
LEEDS, LS2 9JT
Tel. 0113 343 5384
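
The scheduled-task idea in the message above, sketched as an added example (not code from the original poster): it decodes each group's binary objectSid, takes the RID as the GID, and refuses to write when the group already has a GID, when the SID is outside the expected domain, or when the number is already in use. The attribute name msSFU30GidNumber, the domain SID and the group records are assumptions constructed for illustration; reading from and writing to the directory is left out.

```python
import struct

GID_ATTR = "msSFU30GidNumber"  # assumed name of the SFU 3.5 GID attribute

def make_sid(*subs, authority=5, revision=1):
    """Build a binary SID (used here only to construct sample data)."""
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def split_sid(raw):
    """Decode a binary objectSid into (domain SID string, RID)."""
    # Layout: revision, sub-authority count, 6-byte big-endian authority,
    # then count little-endian 32-bit sub-authorities; the last is the RID.
    if len(raw) < 12 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    domain = "-".join(["S", str(raw[0]), str(authority), *map(str, subs[:-1])])
    return domain, subs[-1]

def plan_gids(groups, domain_sid):
    """Return ({dn: gid} to write, [(dn, reason)] skipped) for groups lacking a GID."""
    used = {g[GID_ATTR] for g in groups if g.get(GID_ATTR) is not None}
    assign, skipped = {}, []
    for g in groups:
        if g.get(GID_ATTR) is not None:
            continue  # never overwrite an existing GID
        domain, rid = split_sid(g["objectSid"])
        if domain != domain_sid:
            # RIDs are unique only within one domain; builtin groups also land here
            skipped.append((g["dn"], "SID outside domain"))
        elif rid in used:
            skipped.append((g["dn"], "GID already in use"))
        else:
            used.add(rid)
            assign[g["dn"]] = rid
    return assign, skipped

# Constructed sample data: hypothetical domain SID and group entries.
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GROUPS = [
    {"dn": "CN=physics-staff,OU=Groups,DC=example,DC=org",
     "objectSid": make_sid(*DOMAIN, 1601), GID_ATTR: None},
    {"dn": "CN=legacy,OU=Groups,DC=example,DC=org",   # GID set by hand earlier
     "objectSid": make_sid(*DOMAIN, 1602), GID_ATTR: 1603},
    {"dn": "CN=chem-staff,OU=Groups,DC=example,DC=org",
     "objectSid": make_sid(*DOMAIN, 1603), GID_ATTR: None},
    {"dn": "CN=Administrators,CN=Builtin,DC=example,DC=org",
     "objectSid": make_sid(32, 544), GID_ATTR: None},
]

if __name__ == "__main__":
    print(plan_gids(GROUPS, DOMAIN_SID))
```

The skipped list is what an operator would review: a hand-set GID that collides with a later RID, and SIDs from outside the domain, are the two cases where RID-derived GIDs stop being unique.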