On 08/01/12 10:00 -0500, Dan White wrote:
On 08/01/12 22:21 +0800, Qian Zhang wrote:
In my OpenLDAP server, it is possible to set a user as a member of a group, but it has another group as its primary group (I am using "LDAP Admin" as LDAP client tool). For example, in group1, I can see user1 as its "memberUid" attribute, but the "gidNumber" attribute of user1 is group2.
Yes. That's known to work.
Be aware that installing an nss ldap plugin to resolve group membership *can* be very resource intensive, since each call to getgrouplist(3), such as when ssh'ing into the host, can result in your entire ldap group OU being iterated over. Appropriate indexing and caching is critical.
On 08/01/12 23:53 +0800, Qian Zhang wrote:
Basically, I also have a concern about the performance, because in that case, when figuring out how many users are in a group, I need to consider not only the group's membership (memberUID) attribute, but also the user's gidNumber attribute (I am trying to write a Java application that talks to my OpenLDAP server with JNDI).
Right.
So I tentatively want to ignore that case, and only rely on the group's membership (memberUID) attribute to determine group membership, but I am not sure if this is acceptable in general. Hope you can give me some advice :-)
If your applications use getgrouplist(3), then you can't just ignore the gidNumber (see the manpage for details) from the passwd database, but you could change the gidNumber to match the secondary group if you're not concerned about the default gidNumber.
If your applications are PAM aware, then you have more flexibility in how your users are authenticated, and may not need to depend on an ldap nss configuration and the gidNumber attribute.
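The point Dan makes above, that getgrouplist(3) combines the passwd gidNumber with the memberUid lists of the posixGroup entries, as an added example that is not part of the thread or of anyone's JNDI code. It is a Python stand-in for the Java application: the USERS and GROUPS entries are constructed sample data, and membership_filter() builds the one indexed search (memberUid OR gidNumber) that avoids iterating the whole group OU.

```python
# Added example: resolve POSIX group membership the way getgrouplist(3) does,
# from the user's primary gidNumber plus every posixGroup that lists the uid
# in memberUid. The entries below are constructed; a real application would
# run membership_filter() against OpenLDAP (JNDI, python-ldap, ldapsearch).
from typing import Dict, List, Set

# Constructed posixAccount entries: uid -> attributes.
USERS: Dict[str, dict] = {
    "user1": {"uidNumber": "1001", "gidNumber": "2002"},  # primary group is group2
    "user2": {"uidNumber": "1002", "gidNumber": "2001"},
}
# Constructed posixGroup entries. Note group2 does not list user1 in memberUid.
GROUPS: List[dict] = [
    {"cn": "group1", "gidNumber": "2001", "memberUid": ["user1"]},
    {"cn": "group2", "gidNumber": "2002", "memberUid": []},
    {"cn": "group3", "gidNumber": "2003", "memberUid": ["user2"]},
]


def ldap_escape(value: str) -> str:
    """Escape RFC 4515 filter metacharacters so a uid cannot alter the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def membership_filter(uid: str, gid: str) -> str:
    """One search over indexed attributes instead of a scan of the whole group OU."""
    return ("(&(objectClass=posixGroup)(|(memberUid=%s)(gidNumber=%s)))"
            % (ldap_escape(uid), ldap_escape(gid)))


def groups_of(uid: str) -> Set[str]:
    """Mimic getgrouplist(3): primary gid plus every group listing uid in memberUid."""
    gid = USERS[uid]["gidNumber"]
    return {g["cn"] for g in GROUPS if g["gidNumber"] == gid or uid in g["memberUid"]}


def members_of(cn: str) -> Set[str]:
    """Group member count consistent with getgrouplist: memberUid entries plus
    every user whose primary gidNumber is this group's gid."""
    grp = next(g for g in GROUPS if g["cn"] == cn)
    primary = {u for u, a in USERS.items() if a["gidNumber"] == grp["gidNumber"]}
    return primary | set(grp["memberUid"])
```

Counting only memberUid would report group2 as empty, while getgrouplist(3) puts user1 in it through gidNumber; members_of() shows the difference.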