My question is not strictly an LDAP one, but perhaps somebody here with experience in the LDAP and Linux worlds can throw some light on it. I understand how to map attributes, as defined in an LDAP server, to other attributes in a Linux when the NSS framework is used in the latter. Is it possible to map values of attributes? Let's say I have an OpenLDAP server that defines a certain group with a gid number 10000. Would it be possible to map that 10000 to (say) 5000 in the Linux system? That is, every time an operation is executed in the Linux system that uses the group information, the gid would be retrieved from the OpenLDAP server as 10000, and automatically be converted to 5000. Can this be done?
At Tue, 23 Jul 2019 18:00:51 +0000 (UTC) JC lovecraftesque@yahoo.com wrote:
My question is not strictly an LDAP one, but perhaps somebody here with experience in the LDAP and Linux worlds can throw some light on it. I understand how to map attributes, as defined in an LDAP server, to other attributes in a Linux when the NSS framework is used in the latter. Is it possible to map values of attributes? Let's say I have an OpenLDAP server that defines a certain group with a gid number 10000. Would it be possible to map that 10000 to (say) 5000 in the Linux system? That is, every time an operation is executed in the Linux system that uses the group information, the gid would be retrieved from the OpenLDAP server as 10000, and automatically be converted to 5000. Can this be done?
I am not sure I understand the point of this. The "numbers" are only of interest to the machine. The usual thing is to map some human meaningful symbol (eg the accounting department) to some number used by the computers -- eg the group accounting would have some number, say 5000. *Humans* would see "accounting" but internally the computers would see 5000 -- the LDAP server or the /etc/group file would have a mapping from "accounting" and 5000. So long as each group has some unique (internal) number, why would you need or want to map different *numbers* to other *numbers*? Unless you have two systems using *different* numbers for the same logical group. Then you have a different set of problems. My thought would be to change things so that all of the systems agree on the *numbers*, probably by doing a global search and replace (probably using some sort of script).
On 7/23/19 11:01 PM, Robert Heller wrote:
At Tue, 23 Jul 2019 18:00:51 +0000 (UTC) JC lovecraftesque@yahoo.com wrote:
My question is not strictly an LDAP one, but perhaps somebody here with experience in the LDAP and Linux worlds can throw some light on it. I understand how to map attributes, as defined in an LDAP server, to other attributes in a Linux when the NSS framework is used in the latter. Is it possible to map values of attributes? Let's say I have an OpenLDAP server that defines a certain group with a gid number 10000. Would it be possible to map that 10000 to (say) 5000 in the Linux system? That is, every time an operation is executed in the Linux system that uses the group information, the gid would be retrieved from the OpenLDAP server as 10000, and automatically be converted to 5000. Can this be done?
I am not sure I understand the point of this. The "numbers" are only of interest to the machine. The usual thing is to map some human meaningful symbol (eg the accounting department) to some number used by the computers
I think the original poster wants to have real POSIX ID mapping. This typically happens after company mergers where one does not want to change all ownership in the file systems.
If one wants to have ID mapping within slapd one has to develop an overlay for that.
Not sure whether DBIS is still actively developed.
https://ldapcon.org/2015/accepted-papers/dbis-directory-based-information-se...
https://sourceforge.net/p/dbis/wiki/Home/
With DBIS the ID mapping is done in a special NSS client.
Ciao, Michael.
Michael Ströder michael@stroeder.com wrote on 24.07.2019 at 00:21 in message fdf940df-1439-aa06-933a-708a9567567b@stroeder.com:
On 7/23/19 11:01 PM, Robert Heller wrote:
At Tue, 23 Jul 2019 18:00:51 +0000 (UTC) JC lovecraftesque@yahoo.com wrote:
My question is not strictly an LDAP one, but perhaps somebody here with experience in the LDAP and Linux worlds can throw some light on it. I understand how to map attributes, as defined in an LDAP server, to other attributes in a Linux when the NSS framework is used in the latter. Is it possible to map values of attributes? Let's say I have an OpenLDAP server that defines a certain group with a gid number 10000. Would it be possible to map that 10000 to (say) 5000 in the Linux system? That is, every time an operation is executed in the Linux system that uses the group information, the gid would be retrieved from the OpenLDAP server as 10000, and automatically be converted to 5000. Can this be done?
I am not sure I understand the point of this. The "numbers" are only of interest to the machine. The usual thing is to map some human meaningful symbol (eg the accounting department) to some number used by the computers
I think the original poster wants to have real POSIX ID mapping. This typically happens after company mergers where one does not want to change all ownership in the file systems.
I also understand the motivation: If you have a big directory that is significantly older than the software you are using now, you may run into problems. For example, in former times UNIX started to allocate user IDs starting from 100. If you had UIDs like that in the directory, it would create conflicts with modern UNIX systems, where system accounts use such UIDs. And you can never be sure how those UIDs are used on different systems, so you can't just globally "upgrade" them...
Still what's unclear:
Was the question more like "s/5000/10000/" (and back), or was it more like "GID_local = GID_global - 5000" (and reverse)?
If one wants to have ID mapping within slapd one has to develop an overlay for that.
Not sure whether DBIS is still actively developed.
https://ldapcon.org/2015/accepted-papers/dbis-directory-based-information-services/
https://sourceforge.net/p/dbis/wiki/Home/
With DBIS the ID mapping is done in a special NSS client.
Ciao, Michael.
On 7/24/19 8:20 AM, Ulrich Windl wrote:
Still what's unclear: Was the question more like "s/5000/10000/" (and back), or was it more like "GID_local = GID_global - 5000" (and reverse)?
I'm not the original poster.
But let's assume you have GID 5000 in your file system as group ownership, but this does not exist in your directory. Now when accessing the file, the system has to know which users are members of the group referenced by GID 5000.
Let's further assume that you have a posixGroup entry with gidNumber=10000 in your directory which has the required member set for your access control needs based on GID 5000. So you might want to let the NSS client see this posixGroup and its members as having gidNumber=5000 (kind of a different ID view).
There are more complicated use-cases like conflicting ID ranges after a company merger. This is what DBIS addresses by implementing a custom schema and custom NSS client.
Anyway, I'd rather recommend biting the bullet and cleaning up the ID mess, no matter how hard it looks. Because if you don't, you'll pile up a huge mess of technical debt nobody can really control. And that's a real security issue.
Ciao, Michael.
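The two mapping styles Ulrich asked about (a table such as 10000 -> 5000 "and back", or an offset rule GID_local = GID_global - offset) and the scenario Michael describes (a posixGroup with gidNumber=10000 that the NSS client should present as GID 5000), as an added Python prototype. This is not code from the thread, from DBIS or from any real NSS module; it models what an ID-mapping NSS client would do on either side of the directory lookup. The group entries, the /etc/group contents and the mapping rules are constructed sample data, and the collision check implements the point Michael closes with: a mapped GID that shadows an existing local group, or two groups landing on one GID, is the "ID mess" that turns into an access-control problem.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PosixGroup:
    """The posixGroup attributes that getgrgid()/getgrnam() need."""
    cn: str
    gid_number: int
    member_uid: Tuple[str, ...]


@dataclass(frozen=True)
class RangeRule:
    """Offset rule: directory GIDs in [lo, hi] become gid - offset locally."""
    lo: int
    hi: int
    offset: int


@dataclass
class IdMap:
    """Explicit table first, then offset ranges, identity for everything else."""
    table: Dict[int, int] = field(default_factory=dict)   # directory GID -> local GID
    ranges: List[RangeRule] = field(default_factory=list)

    def to_local(self, gid: int) -> int:
        """Directory value -> value shown to the system (the getgrgid() direction)."""
        if gid in self.table:
            return self.table[gid]
        for r in self.ranges:
            if r.lo <= gid <= r.hi:
                return gid - r.offset
        return gid  # no rule matches: pass the directory value through unchanged

    def to_directory(self, local_gid: int) -> int:
        """Local value -> directory value ('and back'): what to search for when the
        system hands the client a GID it found on a file or in a chgrp call."""
        for directory_gid, local in self.table.items():
            if local == local_gid:
                return directory_gid
        for r in self.ranges:
            if r.lo - r.offset <= local_gid <= r.hi - r.offset:
                return local_gid + r.offset
        return local_gid


def parse_etc_group(text: str) -> Dict[int, str]:
    """Minimal /etc/group parser (name:password:gid:members) -> {gid: name}."""
    local = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _password, gid, _members = line.split(":", 3)
        local[int(gid)] = name
    return local


def build_group_view(groups, idmap, local_groups):
    """Return the mapped group view plus the problems that must be fixed first:
    a mapped GID that already exists in /etc/group (with 'group: files ldap' the
    local entry answers getgrgid() and the directory members are invisible for
    that GID), two directory groups on one local GID, or a GID that does not map
    back to the entry it came from."""
    view: Dict[int, PosixGroup] = {}
    problems: List[str] = []
    for g in groups:
        local_gid = idmap.to_local(g.gid_number)
        if local_gid in local_groups:
            problems.append(f"{g.cn} (gidNumber={g.gid_number}) maps to {local_gid}, "
                            f"already local group '{local_groups[local_gid]}'")
        if idmap.to_directory(local_gid) != g.gid_number:
            problems.append(f"{g.cn}: local GID {local_gid} does not map back to "
                            f"gidNumber={g.gid_number}")
        if local_gid in view:
            problems.append(f"{g.cn} and {view[local_gid].cn} both map to GID {local_gid}")
            continue
        view[local_gid] = PosixGroup(g.cn, local_gid, g.member_uid)
    return view, problems


# Constructed sample data: four directory groups and a small local /etc/group.
DIRECTORY_GROUPS = (
    PosixGroup("accounting", 10000, ("alice", "bob")),   # the thread's example
    PosixGroup("engineering", 10001, ("carol",)),
    PosixGroup("legacy-ops", 20150, ("dave",)),          # handled by the offset rule
    PosixGroup("printers", 20160, ("erin",)),
)
ETC_GROUP = """\
root:x:0:
lp:x:7:
users:x:100:
staff:x:5001:
"""
# 10000 -> 5000 as in the question; 10001 -> 5001 deliberately collides with 'staff'.
ID_MAP = IdMap(table={10000: 5000, 10001: 5001},
               ranges=[RangeRule(lo=20100, hi=20999, offset=15000)])


if __name__ == "__main__":
    view, problems = build_group_view(DIRECTORY_GROUPS, ID_MAP, parse_etc_group(ETC_GROUP))
    for gid in sorted(view):
        print(f"{view[gid].cn}:x:{gid}:{','.join(view[gid].member_uid)}")
    for p in problems:
        print("PROBLEM:", p)
```

Running it prints the four groups in group(5) format with their mapped GIDs and one PROBLEM line for engineering, whose mapped GID 5001 is already taken by the local group staff. In a real NSS module the two functions of IdMap would sit around the directory search in the module's getgrgid and getgrnam entry points: to_directory before the search, to_local on the result; the build_group_view check is what you would run over the whole directory before enabling such a view, since the collisions it reports are exactly what the mapping would otherwise hide.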
openldap-technical@openldap.org