Re: posixGroup integrated with linux via nss

[Da Rock <rock_on_the_web@comcen.com.au>]

On Thu, 2009-04-02 at 13:53 -0700, Howard Chu wrote:
> Scott Classen wrote:
> > I have a happily running LDAP installation (2.4.15) running on Fedora 8
> > with numerous other linux machines using it as a source of authentication
> > and name services.
> >
> > I have a problem with group permissions. Most of my groups have less than
> > 10 members, but I have a few super users that need to belong to many groups
> > (100-200) so that they can help individual users process their data. I can
> > easily add the super users to each group using ldapmodify or GQ, and when I
> > type "groups" or "id" in a terminal window as the super user I see that
> > they belong to all the groups. The problem come when I try to read the
> > contents of a directory that is owned by one of these secondary groups.
> > Maybe its a Fedora/Linux thing, but the super user only has read
> > permissions for the first 16 groups. The super user can not do an "ls -la
> > /home/userwhoisin17thgroup"
> >
> > What is up with that?
> 
> That's a kernel limitation, any process can only belong to up to 16 secondary 
> groups.
> 
> > Also  can anyone recommend another way to achieve the one user/many groups
> > scenario using LDAP?
> 
> This doesn't seem to be an LDAP-specific question.

You really need to reconsider how you divide up your
network/organisation. You need to remain within the limitations of the
kernel, and maybe think outside the box- find where the intersections
between groups lie and build on that, make it more efficient.

It sux, but its necessary.