[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: temporarily removing a group object in SLES11

To: <openldap-technical@openldap.org>, "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>
Subject: Re: temporarily removing a group object in SLES11
From: "Michael StrÃder" <michael@stroeder.com>
Date: Wed, 16 Oct 2013 11:46:35 +0200
In-reply-to: <525E762B020000A100012C37@gwsmtp1.uni-regensburg.de>
References: <525E762B020000A100012C37@gwsmtp1.uni-regensburg.de>

On Wed, 16 Oct 2013 11:19:07 +0200 "Ulrich Windl"
<Ulrich.Windl@rz.uni-regensburg.de> wrote
> I realized that in SLES11 SP2 the YaST user management module does recreate a
> group (instead of modifying it) when you add a user to the particular group.
> I wonder what the consequences could be (despite of the unnecessary deltas
> being created). Did anybody else notice this, or even had some negative
> experience caused by that, escpecially for groups with many members?

If yast2 is really deletes/adds the whole group entry or even all the 'member'
values I'd simply recommend to use decent LDAP admin tools.

Obviously it does not scale for large group entries and even could cause some
security headache regarding concurrent group administration.

IIRC a very early version of MMC in W2K also rewrote all 'member'
values...don't remember the CVE though.

Ciao, Michael.

Follow-Ups:
- Antw: Re: temporarily removing a group object in SLES11
  - From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>

References:
- temporarily removing a group object in SLES11
  - From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>

Prev by Date: temporarily removing a group object in SLES11
Next by Date: Antw: Re: temporarily removing a group object in SLES11
Index(es):
- Chronological
- Thread