I have a happily running LDAP installation (2.4.15) running on Fedora 8 with numerous other linux machines using it as a source of authentication and name services.
I have a problem with group permissions. Most of my groups have fewer than 10 members, but I have a few super users that need to belong to many groups (100-200) so that they can help individual users process their data. I can easily add the super users to each group using ldapmodify or GQ, and when I type "groups" or "id" in a terminal window as the super user I see that they belong to all the groups. The problem comes when I try to read the contents of a directory that is owned by one of these secondary groups. Maybe it's a Fedora/Linux thing, but the super user only has read permissions for the first 16 groups. The super user cannot do an "ls -la /home/userwhoisin17thgroup".
What is up with that?
Also can anyone recommend another way to achieve the one user/many groups scenario using LDAP?
Thanks, Scott
Scott Classen wrote:
> I have a happily running LDAP installation (2.4.15) running on Fedora 8 with numerous other linux machines using it as a source of authentication and name services.
> I have a problem with group permissions. Most of my groups have fewer than 10 members, but I have a few super users that need to belong to many groups (100-200) so that they can help individual users process their data. I can easily add the super users to each group using ldapmodify or GQ, and when I type "groups" or "id" in a terminal window as the super user I see that they belong to all the groups. The problem comes when I try to read the contents of a directory that is owned by one of these secondary groups. Maybe it's a Fedora/Linux thing, but the super user only has read permissions for the first 16 groups. The super user cannot do an "ls -la /home/userwhoisin17thgroup".
> What is up with that?
That's a kernel limitation, any process can only belong to up to 16 secondary groups.
> Also can anyone recommend another way to achieve the one user/many groups scenario using LDAP?
This doesn't seem to be an LDAP-specific question.
On Thu, 2009-04-02 at 13:53 -0700, Howard Chu wrote:
> Scott Classen wrote:
> > I have a happily running LDAP installation (2.4.15) running on Fedora 8 with numerous other linux machines using it as a source of authentication and name services.
> > I have a problem with group permissions. Most of my groups have fewer than 10 members, but I have a few super users that need to belong to many groups (100-200) so that they can help individual users process their data. I can easily add the super users to each group using ldapmodify or GQ, and when I type "groups" or "id" in a terminal window as the super user I see that they belong to all the groups. The problem comes when I try to read the contents of a directory that is owned by one of these secondary groups. Maybe it's a Fedora/Linux thing, but the super user only has read permissions for the first 16 groups. The super user cannot do an "ls -la /home/userwhoisin17thgroup".
> > What is up with that?
> That's a kernel limitation, any process can only belong to up to 16 secondary groups.
> > Also can anyone recommend another way to achieve the one user/many groups scenario using LDAP?
> This doesn't seem to be an LDAP-specific question.
You really need to reconsider how you divide up your network/organisation. You need to remain within the limitations of the kernel, and maybe think outside the box: find where the intersections between groups lie and build on that, make it more efficient.
It sucks, but it's necessary.
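Before restructuring the groups as suggested above, it helps to know exactly which accounts are over the limit Howard quotes. The script below is an added example, not code from the thread or from OpenLDAP: it reads `getent group`-style lines (name:password:gid:member,member,...), which is what nss_ldap hands back for LDAP posixGroup entries, counts how many groups each member appears in, and prints every account that exceeds a given limit. The group and user names in `sample_groups` are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report accounts whose supplementary
# group count exceeds a limit, reading `getent group` format on stdin:
#   name:password:gid:member1,member2,...

# Constructed sample data; names are made up for the example.
# "superuser" sits in all 20 project groups, "alice" in 3, "bob" in 1.
sample_groups() {
    i=1
    while [ "$i" -le 20 ]; do
        members=superuser
        if [ "$i" -le 3 ]; then
            members="alice,$members"
        fi
        if [ "$i" -eq 4 ]; then
            members="$members,bob"
        fi
        printf 'proj%02d:x:%d:%s\n' "$i" $((5000 + i)) "$members"
        i=$((i + 1))
    done
}

# over_group_limit LIMIT
# Prints "user count" (sorted by user) for every member whose number of
# supplementary groups on stdin is greater than LIMIT; prints nothing if
# no account is over the limit.
over_group_limit() {
    limit="$1"
    awk -F: -v limit="$limit" '
        # Skip comments, malformed lines and groups with no members.
        /^#/ { next }
        NF >= 4 && $4 != "" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) {
                if (members[i] != "") count[members[i]]++
            }
        }
        END {
            for (u in count) {
                if (count[u] > limit) print u, count[u]
            }
        }
    ' | sort
}

# Run against the constructed sample using the 16-group limit from the thread.
# On a real client: getent group | over_group_limit 16
sample_groups | over_group_limit 16
```

The limit is an argument rather than a constant because the ceiling depends on where the permission check happens: `/proc/sys/kernel/ngroups_max` shows the local kernel's own ceiling, while 16 is the number of supplementary GIDs an AUTH_SYS (AUTH_UNIX) RPC credential can carry, so it is the figure to use when the directories in question are served over NFS with that flavour. Run it on a machine whose NSS is pointed at the LDAP server so that `getent group` reflects the LDAP posixGroup entries rather than only /etc/group.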
openldap-technical@openldap.org