
Re: posixGroup integrated with linux via nss



Scott Classen wrote:
I have a happily running LDAP installation (2.4.15) running on Fedora 8
with numerous other linux machines using it as a source of authentication
and name services.

I have a problem with group permissions. Most of my groups have fewer than
10 members, but I have a few super users that need to belong to many groups
(100-200) so that they can help individual users process their data. I can
easily add the super users to each group using ldapmodify or GQ, and when I
type "groups" or "id" in a terminal window as the super user I see that
they belong to all the groups. The problem comes when I try to read the
contents of a directory that is owned by one of these secondary groups.
Maybe it's a Fedora/Linux thing, but the super user only has read
permissions for the first 16 groups. The super user cannot do an "ls -la
/home/userwhoisin17thgroup"

What is up with that?

That's a kernel limitation, any process can only belong to up to 16 secondary groups.

Also, can anyone recommend another way to achieve the one user/many groups
scenario using LDAP?

This doesn't seem to be an LDAP-specific question.
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/