Hi Alec!

Alec Warner wrote 14-12-2015 01:23:
On Sun, Dec 13, 2015 at 10:03 AM, Alexey Shvetsov <ale...@gentoo.org>
wrote:

Hi all!

We are trying to use ldap for users @work; many of our workstations are
running a binary gentoo based distro called Calculate linux. However,
if we wanna have wide use of ldap there is a need for deterministic
system group gids/names and user uids.

Many ebuilds in tree use enewgroup and enewuser with -1 (aka next
available parameter)[1]. However, it would be much better to set a
distro-wide deterministic uid and gid per system service name. So
for example ldap users may have deterministic groups like video,
audio, plugdev, etc.

So the first question I normally ask here is:

1) Why do you need deterministic uid / gid's?

For example, the plugdev group may have a random gid from the range 10-1000+ (I have some systems where it has gid >1000), so if your ldap user wants to mount an external drive on a workstation you don't know what gid it should have.

2) If you do need deterministic uid / gid's, I would recommend storing
them all in the same place.

For example, you typically want a deterministic UID for a user. To
accomplish this, you add that user to LDAP, give them a UID in LDAP,
and then either add LDAP to nsswitch or use something like nsscache
to sync the ldap UID's into the local system.

3) If you need deterministic GID's I would recommend storing them all
in LDAP and syncing the group memberships locally.

Syncing groups locally is a major design error if you have more than 10+ systems.


I never understood why people would think the distro should handle
unique gid / uids. Plus you usually end up running:

1) More than one distro.

It's not the case. Most of the time there is only one distro 'supported' by the local IT staff.

2) More than one 'flavor' of a single distro where for whatever
reason, uid and gid decisions differed (they renumbered, etc.)

So if you want a consistent GID for a group, store the group name and
gid in ldap and sync it; do not rely on your distro to do it. IMHO
doing so is a design error.

-A

[1] $ egrep '(enewgroup|enewuser)' * -R | awk -F '/' '{print $1 "/" $2}' | grep -v eclass | sort -u | wc -l
443
So there are not so many gids/uids needed.

--
Best Regards,
Alexey 'Alexxy' Shvetsov
Best Regards,
Alexey 'Alexxy' Shvetsov, PhD
Department of Molecular and Radiation Biophysics
FSBI Petersburg Nuclear Physics Institute, NRC Kurchatov Institute,
Leningrad region, Gatchina, Russia
Gentoo Team Ru
Gentoo Linux Dev
mailto:alexx...@gmail.com
mailto:ale...@gentoo.org
mailto:ale...@omrb.pnpi.spb.ru
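One way to detect the drift described in this thread (a group such as plugdev carrying a different GID on each workstation that allocated it with the "next free" policy) is to compare local /etc/group snapshots against the canonical map the LDAP directory serves. The script below is an added example, not code from the thread or from Gentoo; its host names, group snapshots and canonical GIDs are constructed.

```python
"""Audit system-group GIDs across hosts against a canonical map.

Constructed example: two /etc/group excerpts from workstations whose
groups were created with a "next free GID" policy, plus the canonical
GIDs an admin would export from LDAP (all values hypothetical).
"""
from typing import Dict, List, Tuple

# Constructed /etc/group excerpts for hypothetical hosts ws1 and ws2.
GROUP_FILES = {
    "ws1": "root:x:0:\nvideo:x:27:\naudio:x:18:\nplugdev:x:1001:alice\n",
    "ws2": "root:x:0:\nvideo:x:27:\naudio:x:18:\nplugdev:x:105:bob\nlp:x:7:\n",
}

# Canonical map, assumed to be what LDAP serves for these groups.
CANONICAL = {"video": 27, "audio": 18, "plugdev": 46, "lp": 7}


def parse_group(text: str) -> Dict[str, int]:
    """Parse /etc/group lines into {name: gid}, skipping blanks/comments."""
    groups: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed entry: skip it rather than crash the audit
        groups[fields[0]] = int(fields[2])
    return groups


def drift(groups: Dict[str, int], canonical: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Groups whose local GID differs from canonical: (name, local, canonical)."""
    return [(name, groups[name], gid) for name, gid in sorted(canonical.items())
            if name in groups and groups[name] != gid]


def inconsistent_across_hosts(files: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Group names that resolve to different GIDs on different hosts."""
    by_group: Dict[str, Dict[str, int]] = {}
    for host, text in files.items():
        for name, gid in parse_group(text).items():
            by_group.setdefault(name, {})[host] = gid
    return {n: hosts for n, hosts in by_group.items() if len(set(hosts.values())) > 1}


if __name__ == "__main__":
    for host, text in GROUP_FILES.items():
        for name, local, want in drift(parse_group(text), CANONICAL):
            print(f"{host}: {name} has gid {local}, canonical is {want}")
    for name, hosts in inconsistent_across_hosts(GROUP_FILES).items():
        print(f"{name} differs across hosts: {hosts}")
```

On real hosts, feed the script `getent group` output gathered from each machine and the group list exported from LDAP; any group reported by either function is one whose file ownership will not survive a move between workstations.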