Hi,
I created a dit on a Centos 6.5 box that looks something like this:
dc=name,dc=com
    |
    +-- ou=users
    |     |-- user1
    |     |-- user2
    |     `-- user3
    |
    +-- ou=systems
    |     |-- cn=group1
    |     |     |-- user1
    |     |     `-- user2
    |     `-- cn=group2
    |           |-- user2
    |           `-- user3
    |
    `-- ou=policies
          `-- cn=ppolicy
I created my users, and I added several "linux groups" using the ldif file:
dn: cn=dev,ou=systems,dc=ehs,dc=edu
cn: dev
gidNumber: 4005
objectClass: posixGroup
My goal was to simulate an entry that you'd find in the /etc/group file on a linux system. So if I added people to this group using the ldif file:
dn: cn=dev,ou=systems,dc=ehs,dc=edu
changetype: modify
add: memberuid
memberuid: user1
memberuid: user2
So while user1 and user2 are in the default group "users", I wanted them to be able to change the group on their files to "dev" in order to protect their development files.
Now, this seemed to work, and when I went on my client and did a command "groups user1", I saw "users" and "dev".
However yesterday I added another group called "team0" with gid 22222 using the following ldif file:
dn: cn=team0,ou=systems,dc=ehs,dc=edu
cn: team0
gidNumber: 22222
objectClass: posixGroup
When I was logged into my client machine (Centos 5.5 box) and did a groups on an old user, it showed "users", "dev" and now "team0" although I never added that user to the new group.
I cleaned the client cache using the nscd -i invalidate=group command, and then I removed all the cached directories in /var/db/nscd, and rebooted, but that new group seems to have been applied to everyone.
I might have screwed up the creation of my DIT, but I was thinking that things were working ok since I could add "unix groups" that are visible with the "getent group" command on a client, I could add users into these groups and change the group of files to lock out some users, but I don't understand this behavior now.
I have about 6 groups defined and the last one I created yesterday is the only one that seems to get applied to all users.
I'd appreciate any help you could give.... I'm scratching my head on this one.
Thanks.
Janet Houser wrote:
However yesterday I added another group called "team0" with gid 22222 using the following ldif file:
dn: cn=team0,ou=systems,dc=ehs,dc=edu
cn: team0
gidNumber: 22222
objectClass: posixGroup
When I was logged into my client machine (Centos 5.5 box) and did a groups on an old user, it showed "users", "dev" and now "team0" although I never added that user to the new group.
What is the gidNumber value (primary group) of the old user entry?
Ciao, Michael.
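Michael's question points at the two ways a posixGroup ends up in the output of "groups <user>" on an nss_ldap client: either the group's gidNumber equals the user's own gidNumber (primary group), or the user's uid is listed as a memberUid of the group (supplementary group). The script below is an added example, not code from the thread; it parses a constructed LDIF dump (dc=example,dc=com, the uids and the gid values are assumptions) and reports, for each group a user lands in, which of the two rules matched. A group that shows up for a user who was never added as memberUid must have matched on gidNumber, so the "why" column is the first thing to check.

```python
"""Added example (not from the thread): resolve POSIX group membership the
way an NSS initgroups lookup does, from LDIF text, and say why each group
matched.  All directory data below is constructed for the example."""

from collections import defaultdict

# Constructed sample dump; dc=example,dc=com and the numbers are assumptions.
SAMPLE_LDIF = """\
dn: uid=user1,ou=users,dc=example,dc=com
objectClass: posixAccount
uid: user1
uidNumber: 1001
gidNumber: 9999

dn: uid=user2,ou=users,dc=example,dc=com
objectClass: posixAccount
uid: user2
uidNumber: 1002
gidNumber: 22222

dn: cn=users,ou=systems,dc=example,dc=com
objectClass: posixGroup
cn: users
gidNumber: 9999

dn: cn=dev,ou=systems,dc=example,dc=com
objectClass: posixGroup
cn: dev
gidNumber: 4005
memberUid: user1
memberUid: user2

dn: cn=team0,ou=systems,dc=example,dc=com
objectClass: posixGroup
cn: team0
gidNumber: 22222
"""


def parse_ldif(text):
    """Parse a simple LDIF dump into a list of {attr: [values]} dicts.

    Attribute names are lower-cased because LDAP matches them
    case-insensitively (memberuid and memberUid are the same attribute).
    Handles blank-line separated entries, '#' comments and the LDIF
    leading-space line continuation; base64 (::) values are not needed here.
    """
    entries, current, last_attr = [], None, None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:
                entries.append(current)
            current, last_attr = None, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += line[1:]  # continuation of previous value
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        attr = attr.strip().lower()
        current[attr].append(value.strip())
        last_attr = attr
    if current is not None:
        entries.append(current)
    return entries


def _has_class(entry, name):
    return name in (v.lower() for v in entry.get("objectclass", []))


def groups_for(uid, entries):
    """Return {group cn: reason} for every posixGroup `uid` belongs to.

    Mirrors what `groups <uid>` shows on an nss_ldap client: the primary
    group is found by gidNumber, supplementary groups by memberUid.
    """
    user = next((e for e in entries
                 if _has_class(e, "posixaccount") and uid in e.get("uid", [])),
                None)
    if user is None:
        raise KeyError("no posixAccount with uid=%s" % uid)
    primary_gid = user["gidnumber"][0]

    result = {}
    for g in entries:
        if not _has_class(g, "posixgroup"):
            continue
        name = g["cn"][0]
        if g.get("gidnumber", [None])[0] == primary_gid:
            result[name] = "primary (gidNumber match)"
        elif uid in g.get("memberuid", []):
            result[name] = "supplementary (memberUid)"
    return result


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for who in ("user1", "user2"):
        for group, why in sorted(groups_for(who, directory).items()):
            print("%s  %-6s %s" % (who, group, why))
```

In the constructed data, user2 was given gidNumber 22222, so "team0" is reported for user2 as a primary-group match even though user2 is not a memberUid of it, while "users" (gid 9999) is not reported for user2 at all. Running the same check against a real dump (for example the output of an ldapsearch for objectClass=posixAccount and objectClass=posixGroup, saved to a file) shows immediately whether an unexpected group is coming from gidNumber or from memberUid, before any client-side caching is suspected.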
Hi Michael,
Thank you for trying to help me with my problem. It's sincerely appreciated.
All the users were created with the default gid of 9999, which was the default "users" group. I have other groups on the system, and these other groups don't show up in the "groups <username>" command.
I'm puzzled. I ran into something similar a long time ago because nscd cached old information, so I disabled the service on the centos 5.5 box.
thanks.
- a confused linux monkey... :-)
openldap-technical@openldap.org