Hi,

I created a dit on a Centos 6.5 box that looks something like this:

dc=name,dc=com
 |
 +-- ou=users
 |     user1
 |     user2
 |     user3
 |
 +-- ou=systems
 |     cn=group1
 |       user1
 |       user2
 |     cn=group2
 |       user2
 |       user3
 |
 +-- ou=policies
       cn=ppolicy

I created my users, and I added several "linux groups" using the ldif file:


# posixGroup entry: the LDAP equivalent of one line in /etc/group
dn: cn=dev,ou=systems,dc=ehs,dc=edu
cn: dev
gidNumber: 4005
objectClass: posixGroup

My goal was to simulate an entry that you'd find in the /etc/group file
on a linux system.  So if I added people to this group using the ldif
file:


# Add supplementary members to the group (LDAP attribute names are
# case-insensitive, so memberuid and memberUid are the same attribute)
dn: cn=dev,ou=systems,dc=ehs,dc=edu
changetype: modify
add: memberUid
memberUid: user1
memberUid: user2

So while user1 and user2 are in the default group "users", I wanted them to be able to change the group on their files to "dev" in order to protect their development files.

Now, this seemed to work, and when I went on my client and ran "groups user1", I saw "users" and "dev".

However, yesterday I added another group called "team0" with gid 22222 using the following ldif file:

dn: cn=team0,ou=systems,dc=ehs,dc=edu
cn: team0
gidNumber: 22222
objectClass: posixGroup


When I was logged into my client machine (a Centos 5.5 box) and ran groups on an old user, it showed "users", "dev" and now "team0", although I never added that user to the new group.

I cleaned the client cache using the nscd -i invalidate=group command, then I removed all the cached directories in /var/db/nscd and rebooted, but that new group seems to have been applied to everyone.

I might have screwed up the creation of my DIT, but I was thinking that things were working ok, since I could add "unix groups" that are visible with the "getent group" command on a client, I could add users to these groups, and I could change the group of files to lock out some users. But I don't understand this behavior now.

I have about 6 groups defined, and the last one I created yesterday is the only one that seems to get applied to all users.

I'd appreciate any help you could give.... I'm scratching my head on this one.

Thanks.
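An added example, not part of the post above or of OpenLDAP/nss_ldap, showing how an NSS client derives the output of `groups` and `getent group` from posixGroup entries: a user's primary group is the posixGroup whose gidNumber matches the user's own gidNumber, and supplementary groups are every posixGroup that lists the uid in memberUid. The LDIF is constructed for the example: the "dev" and "team0" groups mirror the post, while the user entries, their uidNumbers, a "users" group with gid 100, and user3's primary gid of 22222 are assumptions made to show both membership paths. It goes slightly beyond the post by also demonstrating the primary-gid path, so you can see what a group with no memberUid values looks like from each side.

```python
"""Resolve POSIX group membership from LDIF the way an NSS client does.

Added example (not from the original post). SAMPLE_LDIF is constructed:
the groups dev (4005) and team0 (22222) follow the post; the user entries,
uidNumbers, the 'users' group and user3's gidNumber are assumptions.
"""

SAMPLE_LDIF = """\
dn: uid=user1,ou=users,dc=ehs,dc=edu
objectClass: posixAccount
uid: user1
uidNumber: 1001
gidNumber: 100

dn: uid=user2,ou=users,dc=ehs,dc=edu
objectClass: posixAccount
uid: user2
uidNumber: 1002
gidNumber: 100

dn: uid=user3,ou=users,dc=ehs,dc=edu
objectClass: posixAccount
uid: user3
uidNumber: 1003
gidNumber: 22222

dn: cn=users,ou=systems,dc=ehs,dc=edu
objectClass: posixGroup
cn: users
gidNumber: 100

dn: cn=dev,ou=systems,dc=ehs,dc=edu
objectClass: posixGroup
cn: dev
gidNumber: 4005
memberUid: user1
memberUid: user2

dn: cn=team0,ou=systems,dc=ehs,dc=edu
objectClass: posixGroup
cn: team0
gidNumber: 22222
"""


def parse_ldif(text):
    """Parse LDIF into a list of entries: {lowercased attr: [values]}.

    Handles blank-line record separators, '#' comment lines and RFC 2849 line
    folding (a continuation line starts with one space). Attribute names are
    lowercased because LDAP treats them case-insensitively (memberuid ==
    memberUid). Base64 ('::') values are not decoded; not needed here.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # join folded continuation
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                   # blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def has_class(entry, cls):
    """True if the entry carries objectClass cls (case-insensitive)."""
    return cls.lower() in (v.lower() for v in entry.get("objectclass", []))


def getent_group(entries):
    """What `getent group` reports: {name: (gid, [memberUid values])}.

    Only memberUid values appear here; primary-group members do not.
    """
    return {
        g["cn"][0]: (g["gidnumber"][0], list(g.get("memberuid", [])))
        for g in entries if has_class(g, "posixGroup")
    }


def resolve_groups(entries):
    """What `groups <user>` reports: {uid: sorted group names}.

    primary   = posixGroup whose gidNumber equals the user's gidNumber
    secondary = every posixGroup listing the uid in memberUid
    """
    groups = [g for g in entries if has_class(g, "posixGroup")]
    by_gid = {g["gidnumber"][0]: g["cn"][0] for g in groups}
    result = {}
    for u in entries:
        if not has_class(u, "posixAccount"):
            continue
        uid = u["uid"][0]
        names = set()
        primary = by_gid.get(u["gidnumber"][0])
        if primary is not None:
            names.add(primary)
        names.update(g["cn"][0] for g in groups if uid in g.get("memberuid", []))
        result[uid] = sorted(names)
    return result


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for name, (gid, members) in getent_group(entries).items():
        print(f"{name}:x:{gid}:{','.join(members)}")
    for uid, names in resolve_groups(entries).items():
        print(f"{uid} : {' '.join(names)}")
```

With this data, team0 has no memberUid values, so it shows up only for a user whose own gidNumber is 22222 (here user3); user1 and user2 resolve to users and dev only. When comparing against a live client, `getent group team0` and `ldapsearch -x -b ou=systems,dc=ehs,dc=edu '(cn=team0)' memberUid gidNumber` are the two views worth putting side by side, since the server-side entry and the client's cached answer are the only inputs to what `groups` prints.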