
Antw: Re: temporarily removing a group object in SLES11



>>> "Michael Ströder" <michael@stroeder.com> wrote on 16.10.2013 at 11:46 in
message <f41ace7c732bbe79d3dcf04d72d9709a@srv1.stroeder.com>:
> On Wed, 16 Oct 2013 11:19:07 +0200 "Ulrich Windl"
> <Ulrich.Windl@rz.uni-regensburg.de> wrote
>> I realized that in SLES11 SP2 the YaST user management module does recreate a
>> group (instead of modifying it) when you add a user to the particular group.
>> I wonder what the consequences could be (despite the unnecessary deltas
>> being created). Did anybody else notice this, or even had some negative
>> experience caused by that, especially for groups with many members?
> 
> If yast2 really deletes/adds the whole group entry or even all the 'member'
> values I'd simply recommend to use decent LDAP admin tools.

The EntryUUID changes, that says all, right ;-)

> 
> Obviously it does not scale for large group entries and even could cause some
> security headache regarding concurrent group administration.
> 
> IIRC a very early version of MMC in W2K also rewrote all 'member'
> values...don't remember the CVE though.
> 
> Ciao, Michael.
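
An added example, not part of the thread: a small Python check that reads LDIF change records (RFC 2849) and reports, per group DN, whether membership was written by deleting and re-adding the entry (which gives it a new entryUUID), by replacing all 'member' values, or by an incremental modify. The sample records, DNs and function names are constructed for illustration; line folding and base64 values are not handled.

```python
# Constructed RFC 2849 change records (sample data, not taken from the thread).
SAMPLE_LDIF = """\
dn: cn=staff,ou=group,dc=example,dc=com
changetype: delete

dn: cn=staff,ou=group,dc=example,dc=com
changetype: add
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=ops,ou=group,dc=example,dc=com
changetype: modify
replace: member
member: uid=alice,ou=people,dc=example,dc=com
member: uid=carol,ou=people,dc=example,dc=com
-

dn: cn=dev,ou=group,dc=example,dc=com
changetype: modify
add: member
member: uid=dave,ou=people,dc=example,dc=com
-
"""

def parse_changes(ldif):
    """Yield (dn, changetype, body_lines) for each blank-line separated record."""
    for block in ldif.strip().split("\n\n"):
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        if len(lines) >= 2:
            dn = lines[0].partition(":")[2].strip().lower()
            ctype = lines[1].partition(":")[2].strip().lower()
            yield dn, ctype, lines[2:]

def classify(ldif):
    """Map each DN to 'recreated', 'full-rewrite' or 'incremental'."""
    result, deleted = {}, set()
    for dn, ctype, body in parse_changes(ldif):
        if ctype == "delete":
            deleted.add(dn)
        elif ctype == "add" and dn in deleted:
            result[dn] = "recreated"  # delete + add of the same DN: new entryUUID
        elif ctype == "modify":
            # "add: member" parses to ("add", "member"); value lines never match.
            pairs = [tuple(p.strip().lower() for p in l.partition(":")[::2]) for l in body]
            ops = {op for op, attr in pairs if attr == "member" and op in ("add", "replace", "delete")}
            if ops:
                result[dn] = "full-rewrite" if "replace" in ops else "incremental"
    return result
```

Only the 'incremental' form leaves the entry and its other member values untouched, so concurrent changes by two administrators do not overwrite each other.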