[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: What will happen if a user is a member of a group, but has another group as its primary group

On 08/01/12 10:00 -0500, Dan White wrote:
On 08/01/12 22:21 +0800, Qian Zhang wrote:

In my OpenLDAP server, it is possible to set a user as a member of a
group, but it has another group as its primary group (I am using "LDAP
Admin" as LDAP client tool). For example, in group1, I can see user1
as its "memberUid" attribute, but the "gidNumber" attribute of user1
is group2.

Yes. That's known to work.

Be aware that installing an nss ldap plugin to resolve group membership
*can* be very resource intensive, since each call to getgrouplist(3), such
as when ssh'ing into the host, can result in your entire ldap group OU
being iterated over. Appropriate indexing and caching is critical.

On 08/01/12 23:53 +0800, Qian Zhang wrote:
Basically, I also have concern about the performance. Because in that
case, when figuring out how many users in a group, I need to not only
consider the group's membership (memberUID) attribute, but also user's
gidNumber attribute (I am trying to write a Java application talk to
my OpenLDAP server with JNDI).


So I tentatively want to ignore that case, and only reply on group's
membership (memberUID) attribute to determine group membership, but I
am not sure if this is acceptable in general. Hope you can give me
some advise :-)

If your applications use getgrouplist(3), then you can't just ignore the
gidNumber (see the manpage for details) from the passwd database, but you
could change the gidNumber to match the secondary group if you're not
concerned about the default gidNumber.

If your applications are PAM aware, then you have more flexibility in how
your users are authenticated, and may not need to depend on an ldap nss
configuration and the gidNumber attribute.

Dan White