AIX

  • 1.  Large LDAP-Groups with AIX 5.3 and OpenLDAP

    Posted Tue May 30, 2006 02:30 PM

    Originally posted by: SystemAdmin


    I'm trying to bind AIX 5.3 to OpenLDAP using the RFC2307 scheme. The AIX LDAP client is set up correctly and seems to work. The output of '/usr/sbin/lsgroup' or '/usr/sbin/lsuser' is correct and all group members or groups will be displayed. But when using "/bin/id" or "/bin/ls -l" with large LDAP groups, the gidNumbers will not be resolved to (CN) group names?

    Example 1:
    ... with 1999 memberUid's in posixGroup 'student':

        # id lalala
        uid=388(lalala) gid=217(student)

    ... with 2000 memberUid's in posixGroup 'student':

        # id lalala
        uid=388(lalala) gid=217

    Example 2:
    ... with 1999 memberUid's in posixGroup 'student':

        # ls -l
        drwx--x--- 10 lalala student 4096 20 Apr 2005 test1/
        drwxr-x--- 4 lalala dummy 4096 30 Okt 2003 test2/

    ... with 2000 memberUid's in posixGroup 'student':

        # ls -l
        drwx--x--- 10 lalala 217 4096 20 Apr 2005 test1/
        drwxr-x--- 4 lalala dummy 4096 30 Okt 2003 test2/

    Any Ideas?
    #AIX-Forum


  • 2.  Re: Large LDAP-Groups with AIX 5.3 and OpenLDAP

    Posted Tue May 30, 2006 03:40 PM

    Originally posted by: SystemAdmin


    Since this seems to happen when you cross over the 2000 user threshold, I suspect that there is a bug or you have reached a limitation that I am unaware of. openLDAP is a supported server for AIX authentication, and support line should be willing to work with you on resolving this issue.

    I do know that when an AIX user is defined as an LDAP user that it uses LDAP groups, and when it is a local user that local groups are used.

    I have ITDS 5.2 (IBM's LDAP) set up on one server, but have not done any testing with this number of users nor checked the technical database for potential known problems.
    #AIX-Forum


  • 3.  Re: Large LDAP-Groups with AIX 5.3 and OpenLDAP

    Posted Tue May 30, 2006 03:58 PM

    Originally posted by: SystemAdmin


    This is actually a known problem. The APAR seems to be IY63297.
    I found this in one problem report.
    It will be available in 5.3 TL5, which will be available around July this year.
    There is currently no ifix available for this, so I will make a request to our development team to create one.

    One record seems to indicate that it may be better for performance to create subgroups as described here:

    1. Create a copy of the old group without the members and with the new group name:

        ldapsearch -D cn=root -w secret -L -b "ou=Groups,cn=aixdata" "cn=oldgroup" \
        | grep -v "^memberuid" | sed "s/oldgroup/newgroup/g" > newgroup.ldif

    2. Add the new group to LDAP:

        ldapadd -D cn=root -w secret -f newgroup.ldif

    3. Move the first 1000 memberuid to the new group. First create an ldif file for the modifications:

        ldapsearch -D cn=root -w secret -L -b "ou=Groups,cn=aixdata" "cn=oldgroup" memberuid \
        | awk '{ if (NR <= 1001) print $0 }' > mod.ldif

    4. Edit the mod.ldif for adding to the new group:
       a. change the name of the group in the first line to newgroup;
       b. between the first and second line add the following lines:

        changetype: modify
        add: memberuid

    5. Add the members to the new group:

        ldapmodify -D cn=root -w secret -f mod.ldif

    6. Edit the mod.ldif for deleting from the old group:
       a. change the name of the group in the first line to oldgroup;
       b. on the third line, change 'add' to 'delete'.

    7. Delete the members from the old group:

        ldapmodify -D cn=root -w secret -f mod.ldif

    • I have not personally tested this and don't guarantee it will work --

    Customer said this worked prior to AIX 5.3

    • There are reasons for the limitation and these will be fixed in TL5.

    As you can see, I don't have the definitive answer, but the problem is not likely the openLDAP server.
    #AIX-Forum
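The subgroup procedure in the reply above involves hand-editing mod.ldif twice. As an added example (not the poster's commands or anything from AIX or OpenLDAP), the following generates the three LDIF files from a single `ldapsearch -L` dump of the group; it assumes a plain single-entry dump (no base64 `::` values) and that the new group gets its own gidNumber, both of which are assumptions for this example.

```python
# Constructed sample: an `ldapsearch -L` dump of a small posixGroup (the
# thread's real group had about 2000 memberUid values).
SAMPLE_LDIF = """\
dn: cn=student,ou=Groups,cn=aixdata
objectClass: posixGroup
cn: student
gidNumber: 217
memberUid: lalala
memberUid: user0002
memberUid: user0003
"""

def parse_group(ldif_text):
    """Parse one LDIF entry into (dn, [(attr, value), ...]), keeping order."""
    dn, attrs = None, []
    for line in ldif_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        elif dn is not None:  # skip header lines such as "version: 1"
            attrs.append((name, value))
    return dn, attrs

def split_group(ldif_text, newgroup, new_gid, n_move):
    """Return (newgroup.ldif, add.ldif, delete.ldif): the three files of the
    procedure, moving the first n_move memberUid values into newgroup.
    Attribute names are matched case-insensitively, as LDAP does."""
    dn, attrs = parse_group(ldif_text)
    members = [v for n, v in attrs if n.lower() == "memberuid"]
    if dn is None or not members:
        raise ValueError("input is not a posixGroup entry with memberUid values")
    oldgroup = [v for n, v in attrs if n.lower() == "cn"][0]
    new_dn = dn.replace("cn=" + oldgroup, "cn=" + newgroup, 1)
    moved = members[:n_move]
    # Step 1: copy of the group without members; assumed: it gets its own
    # gidNumber (a plain name substitution on the dump would keep the old one).
    override = {"cn": newgroup, "gidnumber": str(new_gid)}
    new_entry = ["dn: " + new_dn] + [
        "%s: %s" % (n, override.get(n.lower(), v))
        for n, v in attrs if n.lower() != "memberuid"]
    # Steps 4 and 6: one LDIF change record each, so mod.ldif needs no hand edits.
    def modify(target_dn, op):
        return (["dn: " + target_dn, "changetype: modify", op + ": memberUid"]
                + ["memberUid: " + m for m in moved] + ["-"])
    def ldif(lines): return "\n".join(lines) + "\n"
    return ldif(new_entry), ldif(modify(new_dn, "add")), ldif(modify(dn, "delete"))
```

Apply the files with `ldapadd -W -f` / `ldapmodify -W -f` so the bind password is prompted for rather than passed as `-w secret`, which leaves it in the shell history and process listing.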