
Re: What will happen if a user is a member of a group, but has another group as its primary group



On 08/01/12 10:00 -0500, Dan White wrote:
On 08/01/12 22:21 +0800, Qian Zhang wrote:

In my OpenLDAP server, it is possible to set a user as a member of a
group, but it has another group as its primary group (I am using "LDAP
Admin" as LDAP client tool). For example, in group1, I can see user1
as its "memberUid" attribute, but the "gidNumber" attribute of user1
is group2.

Yes. That's known to work.

Be aware that installing an nss ldap plugin to resolve group membership
*can* be very resource intensive, since each call to getgrouplist(3), such
as when ssh'ing into the host, can result in your entire ldap group OU
being iterated over. Appropriate indexing and caching is critical.

On 08/01/12 23:53 +0800, Qian Zhang wrote:
Basically, I also have concerns about the performance. Because in that
case, when figuring out how many users are in a group, I need to not only
consider the group's membership (memberUID) attribute, but also the users'
gidNumber attribute (I am trying to write a Java application that talks to
my OpenLDAP server with JNDI).

Right.

So I tentatively want to ignore that case, and only rely on the group's
membership (memberUID) attribute to determine group membership, but I
am not sure if this is acceptable in general. Hope you can give me
some advice :-)

If your applications use getgrouplist(3), then you can't just ignore the
gidNumber (see the manpage for details) from the passwd database, but you
could change the gidNumber to match the secondary group if you're not
concerned about the default gidNumber.

If your applications are PAM aware, then you have more flexibility in how
your users are authenticated, and may not need to depend on an ldap nss
configuration and the gidNumber attribute.

--
Dan White
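The membership rule Dan describes above, as an added example that is not part of the thread and not code from the original poster's Java/JNDI application: a user belongs to a posixGroup if the group lists the uid in memberUid, or if the user's own gidNumber from the passwd side equals the group's gidNumber, and getgrouplist(3) always includes the passwd gidNumber even when no group entry carries it. The LDIF below is a constructed sample (user1 is a memberUid of group1 but has group2 as primary group, as in the question; user4 has a primary gid that no group entry matches); the attribute names are the standard nis.schema ones, while the class and function names are assumptions made for this example.

```python
"""Resolve posixGroup membership the way nss/getgrouplist(3) does:
memberUid of the group  OR  user's gidNumber == group's gidNumber."""
from collections import defaultdict

# Constructed sample directory (not taken from the thread).
SAMPLE_LDIF = """\
dn: uid=user1,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: user1
gidNumber: 20002

dn: uid=user2,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: user2
gidNumber: 20001

dn: uid=user3,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: user3
gidNumber: 20001

dn: uid=user4,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: user4
gidNumber: 20099

dn: cn=group1,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: group1
gidNumber: 20001
memberUid: user1

dn: cn=group2,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: group2
gidNumber: 20002
memberUid: user3
"""


def parse_ldif(text):
    """Minimal LDIF parser (no continuation lines): list of {attr: [values]}."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


class PosixDirectory:
    """In-memory view of the two lookups an nss ldap plugin has to make."""

    def __init__(self, entries):
        self.users = {}                         # uid -> primary gidNumber
        self.groups = {}                        # cn  -> gidNumber
        self.listed = defaultdict(set)          # cn  -> memberUid values
        # These two maps are the equality indexes the LDAP server needs
        # (gidNumber eq, memberUid eq) to avoid scanning the whole OU.
        self.users_by_gid = defaultdict(set)    # gidNumber -> uids with it as primary
        self.groups_by_member = defaultdict(set)  # uid -> cns listing it in memberUid
        for e in entries:
            oc = e.get("objectClass", [])
            if "posixAccount" in oc:
                uid, gid = e["uid"][0], int(e["gidNumber"][0])
                self.users[uid] = gid
                self.users_by_gid[gid].add(uid)
            elif "posixGroup" in oc:
                cn, gid = e["cn"][0], int(e["gidNumber"][0])
                self.groups[cn] = gid
                for member in e.get("memberUid", []):
                    self.listed[cn].add(member)
                    self.groups_by_member[member].add(cn)

    def listed_members(self, cn):
        """What an application reading only memberUid would report."""
        return sorted(self.listed[cn])

    def effective_members(self, cn):
        """memberUid union users whose primary gidNumber is the group's."""
        return sorted(self.listed[cn] | self.users_by_gid[self.groups[cn]])

    def groups_for_user(self, uid):
        """getgrouplist(3) analogue: passwd gidNumber first, then the rest.
        The primary gid is included even if no posixGroup entry has it."""
        primary = self.users[uid]
        extra = {self.groups[cn] for cn in self.groups_by_member[uid]} - {primary}
        return [primary] + sorted(extra)


def load_sample():
    return PosixDirectory(parse_ldif(SAMPLE_LDIF))


if __name__ == "__main__":
    d = load_sample()
    for cn in sorted(d.groups):
        print(cn, "memberUid only:", d.listed_members(cn),
              "effective:", d.effective_members(cn))
    for uid in sorted(d.users):
        print(uid, "getgrouplist ->", d.groups_for_user(uid))
```

The `users_by_gid` lookup is the part the Java application would have to issue as a second search per group, e.g. the filter `(&(objectClass=posixAccount)(gidNumber=20001))`; that search, and the one behind `groups_by_member` for `memberUid`, is what Dan's indexing advice is about, and in OpenLDAP's cn=config it corresponds to an equality index such as `olcDbIndex: gidNumber,memberUid eq`. Counting only `memberUid` reports one member for group1 where three users actually resolve into it.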