Re: posixGroup integrated with linux via nss

[Howard Chu <hyc@symas.com>]

Scott Classen wrote:
> I have a happily running LDAP installation (2.4.15) running on Fedora 8
> with numerous other linux machines using it as a source of authentication
> and name services.
>
> I have a problem with group permissions. Most of my groups have less than
> 10 members, but I have a few super users that need to belong to many groups
> (100-200) so that they can help individual users process their data. I can
> easily add the super users to each group using ldapmodify or GQ, and when I
> type "groups" or "id" in a terminal window as the super user I see that
> they belong to all the groups. The problem come when I try to read the
> contents of a directory that is owned by one of these secondary groups.
> Maybe its a Fedora/Linux thing, but the super user only has read
> permissions for the first 16 groups. The super user can not do an "ls -la
> /home/userwhoisin17thgroup"
>
> What is up with that?

That's a kernel limitation, any process can only belong to up to 16 secondary 
groups.

> Also  can anyone recommend another way to achieve the one user/many groups
> scenario using LDAP?

This doesn't seem to be an LDAP-specific question.
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/