Hi!
I realized that in SLES11 SP2 the YaST user management module does recreate a group (instead of modifying it) when you add a user to the particular group. I wonder what the consequences could be (despite of the unnecessary deltas being created). Did anybody else notice this, or even had some negative experience caused by that, especially for groups with many members?
Regards, Ulrich
On Wed, 16 Oct 2013 11:19:07 +0200 "Ulrich Windl" Ulrich.Windl@rz.uni-regensburg.de wrote
I realized that in SLES11 SP2 the YaST user management module does recreate a group (instead of modifying it) when you add a user to the particular group. I wonder what the consequences could be (despite of the unnecessary deltas being created). Did anybody else notice this, or even had some negative experience caused by that, especially for groups with many members?
If yast2 really deletes/adds the whole group entry or even all the 'member' values I'd simply recommend to use decent LDAP admin tools.
Obviously it does not scale for large group entries and even could cause some security headache regarding concurrent group administration.
IIRC a very early version of MMC in W2K also rewrote all 'member' values...don't remember the CVE though.
Ciao, Michael.
"Michael Ströder" michael@stroeder.com wrote on 16.10.2013 at 11:46 in message f41ace7c732bbe79d3dcf04d72d9709a@srv1.stroeder.com:
On Wed, 16 Oct 2013 11:19:07 +0200 "Ulrich Windl" Ulrich.Windl@rz.uni-regensburg.de wrote
I realized that in SLES11 SP2 the YaST user management module does recreate a group (instead of modifying it) when you add a user to the particular group. I wonder what the consequences could be (despite of the unnecessary deltas being created). Did anybody else notice this, or even had some negative experience caused by that, especially for groups with many members?
If yast2 really deletes/adds the whole group entry or even all the 'member' values I'd simply recommend to use decent LDAP admin tools.
The EntryUUID changes, that says all, right ;-)
Obviously it does not scale for large group entries and even could cause some security headache regarding concurrent group administration.
IIRC a very early version of MMC in W2K also rewrote all 'member' values...don't remember the CVE though.
Ciao, Michael.
On Wed, 16 Oct 2013 13:27:18 +0200 "Ulrich Windl" Ulrich.Windl@rz.uni-regensburg.de wrote
"Michael Ströder" michael@stroeder.com wrote on 16.10.2013 at 11:46 in message f41ace7c732bbe79d3dcf04d72d9709a@srv1.stroeder.com:
On Wed, 16 Oct 2013 11:19:07 +0200 "Ulrich Windl" Ulrich.Windl@rz.uni-regensburg.de wrote
I realized that in SLES11 SP2 the YaST user management module does recreate a group (instead of modifying it) when you add a user to the particular group. I wonder what the consequences could be (despite of the unnecessary deltas being created). Did anybody else notice this, or even had some negative experience caused by that, especially for groups with many members?
If yast2 really deletes/adds the whole group entry or even all the 'member' values I'd simply recommend to use decent LDAP admin tools.
The EntryUUID changes, that says all, right ;-)
Don't use it then.
Ciao, Michael.
openldap-technical@openldap.org
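An added example, not part of the thread and not YaST or OpenLDAP code: a check that reads LDIF change records (for instance exported from a change log) and labels each group change as an incremental `member` edit, a whole-attribute replace, or the delete-then-add recreate discussed above. The sample records, DNs and the function names are constructed for illustration; line folding and base64 values are not handled.

```python
# Constructed LDIF change records (RFC 2849 syntax); every DN is made up.
SAMPLE_LDIF = """\
dn: cn=staff,ou=groups,dc=example,dc=com
changetype: modify
add: member
member: uid=alice,ou=people,dc=example,dc=com
-

dn: cn=ops,ou=groups,dc=example,dc=com
changetype: delete

dn: cn=ops,ou=groups,dc=example,dc=com
changetype: add
objectClass: groupOfNames
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=dev,ou=groups,dc=example,dc=com
changetype: modify
replace: member
member: uid=bob,ou=people,dc=example,dc=com
member: uid=dave,ou=people,dc=example,dc=com
-
"""

def parse_records(ldif):
    """Split LDIF into change records of (key, value) pairs."""
    records = []
    for block in ldif.strip().split("\n\n"):
        pairs = [tuple(s.strip() for s in line.split(":", 1))
                 for line in block.splitlines() if ":" in line and line[0] != "#"]
        if len(pairs) > 1 and pairs[0][0] == "dn" and pairs[1][0] == "changetype":
            records.append(pairs)
    return records

def classify_group_changes(ldif, attr="member"):
    """Label each change: incremental edit, replace-all, or delete+add recreate."""
    findings, deleted = [], set()
    for rec in parse_records(ldif):
        dn, ctype = rec[0][1].lower(), rec[1][1].lower()
        ops = {k for k, v in rec[2:] if k in ("add", "delete", "replace") and v == attr}
        if ctype == "delete":
            deleted.add(dn)
        elif ctype == "add" and dn in deleted:
            findings.append((dn, "recreated"))  # new entry, so a new entryUUID
        elif ctype == "modify" and "replace" in ops:
            findings.append((dn, "replace-all"))  # a concurrent edit can be overwritten
        elif ctype == "modify" and ops:
            findings.append((dn, "incremental"))
    return findings
```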