
Re: Issue with resolving groups with nss_ldap: msg#00008

ldap.padl.nss

Subject: Re: Issue with resolving groups with nss_ldap

On Fri, 01.09.2006 at 08:53 (-0230), Craig Squires wrote:

> Your problem may be the following. The id command (and any command
> that uses system calls like getgrent?) wants to find all groups, and
> so will always look in all possible group info sources. Username, on
> the other hand, is presumed to be unique, and so the first hit is enough.
>
> I think the idea is that groups convey authorization info, and so
> something like login or id needs to know all authorizations of a
> user.
>
> In order to avoid this problem we had to give up using LDAP for group
> info altogether, and stick to /etc/groups.

If this were so, then LDAP would be an utterly useless authentication
base for our site (1250+ users divided into at least 4 main LDAP-based
Posix groups, aliases in groups, 100+ Samba-based Windows workstations
in Posix groups, etc). One single non-system user (root)
in /etc/(passwd|shadow) and /etc/group.

--Tonni

--
Tony Earnshaw
reservebergenser



