| 1 |
Hi Alec! |
| 2 |
|
| 3 |
Alec Warner писал 14-12-2015 01:23: |
| 4 |
> On Sun, Dec 13, 2015 at 10:03 AM, Alexey Shvetsov <alexxy@g.o> |
| 5 |
> wrote: |
| 6 |
> |
| 7 |
>> Hi all! |
| 8 |
>> |
| 9 |
>> We trying to use ldap for users @work, many of our workstations |
| 10 |
>> running binary gentoo based distro called Calculate linux. However |
| 11 |
>> if we wanna have wide use of ldap there is a need for determenistic |
| 12 |
>> system group gids names and user uids. |
| 13 |
>> |
| 14 |
>> Many ebuilds in tree uses enewgroup and enewuser with -1 (aka next |
| 15 |
>> available parameter)[1]. However it will be much better to set |
| 16 |
>> distro wide deterministic uid and gid for system service name. So |
| 17 |
>> for example ldap users may have determenistic groups like video, |
| 18 |
>> audio, plugdev, etc.. |
| 19 |
> |
| 20 |
> So the first question I normally ask here is: |
| 21 |
> |
| 22 |
> 1) Why do you need deterministic uid / gid's? |
| 23 |
|
| 24 |
for exmaple plugdev group may have random gid from range 10-1000+ (i |
| 25 |
have some systems when it have gid >1000) |
| 26 |
so if you're ldap user want to mount external drive on workstation you |
| 27 |
dont know what gid it should have.. |
| 28 |
|
| 29 |
> 2) If you do need deterministic uid / gid's, I would recommend storing |
| 30 |
> them all in the same place. |
| 31 |
> |
| 32 |
> For example, you typically want a deterministic UID for a user. To |
| 33 |
> accomplish this, you add that user to LDAP, give them a UID in LDAP, |
| 34 |
> and then either add LDAP to nssswitch or use something like nsscache |
| 35 |
> to sync the ldap UID's into the local system. |
| 36 |
> |
| 37 |
> 3) If you need deterministic GID's I would recommend storing them all |
| 38 |
> in LDAP and syncing the group memberships locally. |
| 39 |
|
| 40 |
Syncing groups localy is major design error if you have more then 10+ |
| 41 |
systems. |
| 42 |
|
| 43 |
> |
| 44 |
> I never understood why people would think the distro should handle |
| 45 |
> unique gid / uids. Plus you usually end up running: |
| 46 |
> |
| 47 |
> 1) More than one distro. |
| 48 |
|
| 49 |
Its not the case. Most time there only one 'supported' distro by local |
| 50 |
IT stuff. |
| 51 |
|
| 52 |
> 2) More than one 'flavor' of a single distro where for whatever |
| 53 |
> reason, uid and gid decisions differed (they renumbered, etc.) |
| 54 |
> |
| 55 |
> So if you want a consistent GID for a group, store the group name and |
| 56 |
> gid in ldap and sync it; do not rely on your distro to do it. IMHO |
| 57 |
> doing so is a design error. |
| 58 |
> |
| 59 |
> -A |
| 60 |
> |
| 61 |
>> [1] $ egrep '(enewgroup|enewuser)' * -R | awk -F '/' '{print $1 "/" |
| 62 |
>> $2}' | grep -v eclass | sort -u | wc -l |
| 63 |
>> 443 |
| 64 |
>> So there not so much gid uids needed |
| 65 |
>> |
| 66 |
>> -- |
| 67 |
>> Best Regards, |
| 68 |
>> Alexey 'Alexxy' Shvetsov |
| 69 |
>> Best Regards, |
| 70 |
>> Alexey 'Alexxy' Shvetsov, PhD |
| 71 |
>> Department of Molecular and Radiation Biophysics |
| 72 |
>> FSBI Petersburg Nuclear Physics Institute, NRC Kurchatov Institute, |
| 73 |
>> Leningrad region, Gatchina, Russia |
| 74 |
>> Gentoo Team Ru |
| 75 |
>> Gentoo Linux Dev |
| 76 |
>> mailto:alexxyum@×××××.com |
| 77 |
>> mailto:alexxy@g.o |
| 78 |
>> mailto:alexxy@×××××××××××××.ru |
| 79 |
|
| 80 |
-- |
| 81 |
Best Regards, |
| 82 |
Alexey 'Alexxy' Shvetsov |
| 83 |
Best Regards, |
| 84 |
Alexey 'Alexxy' Shvetsov, PhD |
| 85 |
Department of Molecular and Radiation Biophysics |
| 86 |
FSBI Petersburg Nuclear Physics Institute, NRC Kurchatov Institute, |
| 87 |
Leningrad region, Gatchina, Russia |
| 88 |
Gentoo Team Ru |
| 89 |
Gentoo Linux Dev |
| 90 |
mailto:alexxyum@×××××.com |
| 91 |
mailto:alexxy@g.o |
| 92 |
mailto:alexxy@×××××××××××××.ru |
Archives