Groups

Unix

This module is used to manage Unix group entries. This is the default module to manage Unix groups and uses the nis.schema. Suse users who use the rfc2307bis.schema need to use LAM Pro.

Configuration

GID generator: LAM will suggest GID numbers for your accounts. Please note that it may happen that there are duplicate IDs assigned if users create groups at the same time. Use an overlay like "Attribute Uniqueness" if you have lots of LAM admins creating groups.

  • Fixed range: LAM searches for free numbers within the given limits. LAM always tries to use a free GID that is greater than the existing GIDs to prevent collisions with deleted groups.

  • Samba ID pool: This uses a special LDAP entry that includes attributes that store a counter for the last used UID/GID. Please note that this requires that you install the Samba schema and create an LDAP entry of object class "sambaUnixIdPool".

Group management:

Group membership management:

Unix groups with rfc2307bis schema (LAM Pro)

Some applications (e.g. Suse Linux) use the rfc2307bis schema for Unix accounts instead of the nis schema. In this case group accounts are based on the object class groupOf(Unique)Names or namedObject. The object class posixGroup is auxiliary in this case.

LAM Pro supports these groups with a special account module: rfc2307bisPosixGroup

Use this module only if your system depends on the rfc2307bis schema. The module can be selected in the LAM configuration. Instead of using groupOfNames as basis for your groups you may also use namedObject.

Samba 3

LAM supports managing Samba 3 groups. You can set special group types and also create Windows predefined groups like "Domain admins".

Windows (Samba 4)

LAM can manage your Windows groups. Please enable the account type "Groups" in your LAM server profile and then add the group module "Windows (windowsGroup)(*)".

The default list attributes are for Unix and not suitable for Windows (blank lines in account table). Please use "#cn;#member;#description" or select your own attributes to display in the account list.

Now you can edit your groups inside LAM. You can manage the group name, description and its type. Of course, you can also set the group members.

Group scopes:

  • Global: Use this for groups with frequent changes. Global groups are not replicated to other domains.

  • Universal: Groups with universal scope are used to consolidate groups that span domains. They are globally replicated.

  • Domain local: Groups with domain local scope can be used to set permissions inside one domain. They are not replicated to other domains.

Group type:

  • Security: Use this group type to control permissions.

  • Distribution: These groups are only used for email applications. They cannot be used to control permissions.

Quota

You can manage file system quotas with LAM. This requires to setup lamdaemon. File system quotas are not stored inside LAM but managed directly on the specified servers.