Re: What will happen if a user is a member of a group, but has another group as its primary group

2012-08-03 Thread Buchan Milne
On Wednesday, 1 August 2012 22:21:07 Qian Zhang wrote: BTW, I do not know how to configure PAM to only allow a group or some groups to log in to the machine; if anyone can tell me the steps, it will be really appreciated! This isn't specific to LDAP or any other nss plugin, but specific to PAM.

Re: What will happen if a user is a member of a group, but has another group as its primary group

2012-08-02 Thread Qian Zhang
If your applications use getgrouplist(3), then you can't just ignore the gidNumber (see the manpage for details) from the passwd database, but you could change the gidNumber to match the secondary group if you're not concerned about the default gidNumber. If your applications are PAM aware,

Re: What will happen if a user is a member of a group, but has another group as its primary group

2012-08-02 Thread Dan White
(CCing the list) On 08/03/12 11:31 +0800, Qian Zhang wrote: I am just wondering if there is a well-known rule for this use case, I'd like to follow the generally accepted way. So most people think user1 should not log into the machine in this case, I will ignore gidNumber and only care about

What will happen if a user is a member of a group, but has another group as its primary group

2012-08-01 Thread Qian Zhang
Hi, In my OpenLDAP server, it is possible to set a user as a member of a group, but it has another group as its primary group (I am using LDAP Admin as LDAP client tool). For example, in group1, I can see user1 as its memberUid attribute, but the gidNumber attribute of user1 is group2. I'd like

Re: What will happen if a user is a member of a group, but has another group as its primary group

2012-08-01 Thread Guillaume Rousse
On 01/08/2012 16:21, Qian Zhang wrote: Hi, In my OpenLDAP server, it is possible to set a user as a member of a group, but it has another group as its primary group (I am using LDAP Admin as LDAP client tool). For example, in group1, I can see user1 as its memberUid attribute, but the

Re: What will happen if a user is a member of a group, but has another group as its primary group

2012-08-01 Thread Dan White
On 08/01/12 22:21 +0800, Qian Zhang wrote: Hi, In my OpenLDAP server, it is possible to set a user as a member of a group, but it has another group as its primary group (I am using LDAP Admin as LDAP client tool). For example, in group1, I can see user1 as its memberUid attribute, but the

Re: What will happen if a user is a member of a group, but has another group as its primary group

2012-08-01 Thread Qian Zhang
Thanks Dan! Basically, I also have a concern about the performance. Because in that case, when figuring out how many users are in a group, I need to not only consider the group's membership (memberUID) attribute, but also the user's gidNumber attribute (I am trying to write a Java application to talk to my

Re: What will happen if a user is a member of a group, but has another group as its primary group

2012-08-01 Thread Dan White
On 08/01/12 10:00 -0500, Dan White wrote: On 08/01/12 22:21 +0800, Qian Zhang wrote: In my OpenLDAP server, it is possible to set a user as a member of a group, but it has another group as its primary group (I am using LDAP Admin as LDAP client tool). For example, in group1, I can see user1 as