Group Membership Expansion: Guidelines for Deployment
The records in the netid database are limited to 1,024 characters. The use of extremely long group
names can cause the 1,024-character limit to be exceeded even with just 20 groups, and in that
case, such long records will not be included in the database.
Performance considerations
Some HP-UX commands—for example, groups and id—complete in an amount of time proportional
to the number of groups to which a user or process belongs. The additional time required to complete
such commands can be noticeable if a user is a member of an extremely large number of groups.
While HP-UX has the flexibility to allow customers to place a user in as many as 65,536 groups, such
a high limit may make some operations take longer than is acceptable to interactive users.
The performance of these commands depends on the actual number of groups to which the user or
process belongs, not the value of the ngroups_max tunable. In this sense, there is no penalty to
setting the tunable to its maximum value. However, the login process can require memory space
proportional to ngroups_max, so the tunable should not be set to an unnecessarily large value. The
guideline is to choose a value modestly higher than the planned greatest number of groups to which
any user will belong.
Some clustered applications are sensitive to the group membership of users and processes. A
clustered filesystem fits into this category. In such cases, it is best if each node in the cluster has the
same value for the maximum number of supplementary groups per user.
Summary
The group membership expansion enhancement to HP-UX 11i v3 Update 3 changes the maximum
number of groups for a user or process, making it a tunable parameter. This change allows customers
to implement models for file access and protection that were not possible under the previous limit of
20 groups per user. Before deploying such models, customers must update the HP-UX kernel and
utilities, and must verify that their local applications are compatible with the expanded group limit.
Appendix: Enabling applications for groups expansion
Terminology
NGROUPS
NGROUPS is an obsolete compile-time constant that may still be in use by some older applications. Its
value (20) is the same as the NGROUPS_MAX compile-time constant described below.
NGROUPS_MAX (compile-time limit)
The <limits.h> header file includes a compile-time definition for NGROUPS_MAX whose value
remains 20. The Unix2003 standard (and its predecessors) describes NGROUPS_MAX as a “Runtime
Increasable Value”—that is, the actual limit on an instance of HP-UX may be greater than the value of
the compile-time constant. All instances of HP-UX support membership in at least 20 supplementary
groups. With group membership expansion, HP-UX instances may support more than 20.
ngroups_max
ngroups_max is a new kernel tunable parameter specifying the maximum number of supplementary
group IDs that may be associated with a user or process. Prior to the group membership expansion,
this maximum number was fixed at the value of the compile-time NGROUPS_MAX constant. With the
group membership expansion, the maximum can now be tuned as high as 65,536. The default value
for ngroups_max is 20, and so is the minimum value.
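For the NGROUPS and NGROUPS_MAX entries above, an added example (not code from this paper or from HP) contrasts a group lookup whose buffer is sized by the compile-time constant with one sized at run time. The function names are hypothetical; getgroups() and sysconf(_SC_NGROUPS_MAX) are the standard POSIX calls, and 20 is the compile-time value stated above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Run-time limit; it may exceed the compile-time NGROUPS_MAX in <limits.h>. */
long runtime_group_limit(void) { return sysconf(_SC_NGROUPS_MAX); }

/* Legacy pattern: caller passes a buffer sized by a compile-time constant.
 * getgroups() returns -1 (EINVAL) once the process holds more groups than fit. */
int load_groups_fixed(gid_t *buf, int slots) { return getgroups(slots, buf); }

/* Enabled pattern: size the buffer from a zero-length query.
 * Returns the count and sets *out (caller frees), or -1 on error. */
int load_groups(gid_t **out)
{
    *out = NULL;
    int need = getgroups(0, NULL);          /* size query, writes nothing */
    if (need < 0) return -1;
    gid_t *buf = malloc(((size_t)need + 1) * sizeof *buf);
    if (buf == NULL) return -1;
    int got = getgroups(need + 1, buf);     /* +1 keeps the size nonzero */
    if (got < 0) { free(buf); return -1; }
    *out = buf;
    return got;
}

/* 1 = member, 0 = not a member, -1 = list unreadable (caller should deny). */
int in_supplementary_groups(gid_t gid)
{
    gid_t *list;
    int n = load_groups(&list), found = 0;
    if (n < 0) return -1;
    for (int i = 0; i < n && !found; i++) found = (list[i] == gid);
    free(list);
    return found;
}

int main(void)
{
    gid_t fixed[20];                        /* 20 = compile-time NGROUPS_MAX */
    gid_t *list;
    printf("limit=%ld fixed=%d dynamic=%d\n", runtime_group_limit(),
           load_groups_fixed(fixed, 20), load_groups(&list));
    free(list);
    return 0;
}
```

An application that ignores the -1 from the fixed-size call sees an empty group list for any user with more than 20 groups, so access checks built on that list should treat the error as a failure and not as "no groups".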