
Antw: Re: Mapping gid numbers



>>> Michael Ströder <michael@stroeder.com> wrote on 24.07.2019 at 00:21 in
message <fdf940df-1439-aa06-933a-708a9567567b@stroeder.com>:
> On 7/23/19 11:01 PM, Robert Heller wrote:
>> At Tue, 23 Jul 2019 18:00:51 +0000 (UTC) JC <lovecraftesque@yahoo.com> wrote:
>>> My question is not strictly an LDAP one, but perhaps somebody here with
>>> experience in the LDAP and Linux worlds can throw some light on it.
>>> I understand how to map attributes, as defined in an LDAP server, to other
>>> attributes in a Linux when the NSS framework is used in the latter. Is it
>>> possible to map values of attributes? Let's say I have an OpenLDAP server
>>> that defines a certain group with a gid number 10000. Would it be possible
>>> to map that 10000 to (say) 5000 in the Linux system? That is, every time
>>> an operation is executed in the Linux system that uses the group
>>> information, the gid would be retrieved from the OpenLDAP server as 10000,
>>> and automatically be converted to 5000. Can this be done?
>> 
>> I am not sure I understand the point of this.  The "numbers" are only of
>> interest to the machine.  The usual thing is to map some human meaningful
>> symbol (eg the accounting department) to some number used by the computers
> 
> I think the original poster wants to have real POSIX ID mapping. This 
> typically happens after company mergers where one does not want to 
> change all ownership in the file systems.

I also understand the motivation: If you have a big directory that is
significantly older than the software you are using now, you may run into
problems. For example in former times UNIX started to allocate user IDs
starting from 100. If you had UIDs like that in the directory, it would create
conflicts with modern UNIX systems, where system accounts use such UIDs. And
you can never be sure how those UIDs are used on different systems, so you
can't just globally "upgrade" them...

Still what's unclear:

Was the question more like "s/5000/10000/" (and back), or was it more like
"GID_local = GID_global - 5000" (and reverse)?

> 
> If one wants to have ID mapping within slapd one has to develop an 
> overlay for that.
> 
> Not sure whether DBIS is still actively developed.
> 
> https://ldapcon.org/2015/accepted-papers/dbis-directory-based-information-services/
> 
> https://sourceforge.net/p/dbis/wiki/Home/ 
> 
> With DBIS the ID mapping is done in a special NSS client.
> 
> Ciao, Michael.