| 1 |
On Sun, Dec 13, 2015 at 10:03 AM, Alexey Shvetsov <alexxy@g.o> wrote: |
| 2 |
|
| 3 |
> Hi all! |
| 4 |
> |
| 5 |
> We trying to use ldap for users @work, many of our workstations running |
| 6 |
> binary gentoo based distro called Calculate linux. However if we wanna have |
| 7 |
> wide use of ldap there is a need for determenistic system group gids names |
| 8 |
> and user uids. |
| 9 |
> |
| 10 |
> Many ebuilds in tree uses enewgroup and enewuser with -1 (aka next |
| 11 |
> available parameter)[1]. However it will be much better to set distro wide |
| 12 |
> deterministic uid and gid for system service name. So for example ldap |
| 13 |
> users may have determenistic groups like video, audio, plugdev, etc.. |
| 14 |
> |
| 15 |
|
| 16 |
So the first question I normally ask here is: |
| 17 |
|
| 18 |
1) Why do you need deterministic uid / gid's? |
| 19 |
2) If you do need deterministic uid / gid's, I would recommend storing them |
| 20 |
all in the same place. |
| 21 |
|
| 22 |
For example, you typically want a deterministic UID for a user. To |
| 23 |
accomplish this, you add that user to LDAP, give them a UID in LDAP, and |
| 24 |
then either add LDAP to nssswitch or use something like nsscache to sync |
| 25 |
the ldap UID's into the local system. |
| 26 |
|
| 27 |
3) If you need deterministic GID's I would recommend storing them all in |
| 28 |
LDAP and syncing the group memberships locally. |
| 29 |
|
| 30 |
I never understood why people would think the distro should handle unique |
| 31 |
gid / uids. Plus you usually end up running: |
| 32 |
|
| 33 |
1) More than one distro. |
| 34 |
2) More than one 'flavor' of a single distro where for whatever reason, uid |
| 35 |
and gid decisions differed (they renumbered, etc.) |
| 36 |
|
| 37 |
So if you want a consistent GID for a group, store the group name and gid |
| 38 |
in ldap and sync it; do not rely on your distro to do it. IMHO doing so is |
| 39 |
a design error. |
| 40 |
|
| 41 |
-A |
| 42 |
|
| 43 |
|
| 44 |
> |
| 45 |
> [1] $ egrep '(enewgroup|enewuser)' * -R | awk -F '/' '{print $1 "/" $2}' | |
| 46 |
> grep -v eclass | sort -u | wc -l |
| 47 |
> 443 |
| 48 |
> So there not so much gid uids needed |
| 49 |
> |
| 50 |
> -- |
| 51 |
> Best Regards, |
| 52 |
> Alexey 'Alexxy' Shvetsov |
| 53 |
> Best Regards, |
| 54 |
> Alexey 'Alexxy' Shvetsov, PhD |
| 55 |
> Department of Molecular and Radiation Biophysics |
| 56 |
> FSBI Petersburg Nuclear Physics Institute, NRC Kurchatov Institute, |
| 57 |
> Leningrad region, Gatchina, Russia |
| 58 |
> Gentoo Team Ru |
| 59 |
> Gentoo Linux Dev |
| 60 |
> mailto:alexxyum@×××××.com |
| 61 |
> mailto:alexxy@g.o |
| 62 |
> mailto:alexxy@×××××××××××××.ru |
| 63 |
> |
| 64 |
> |
Archives