Preparing your LDAP Directory for HP-UX Integration

Account & Group Management
Group and Netgroup Size Limitations
POSIX systems have a limit on the number of users that may be members of a group. This limit is part of the
architecture of the getgrxxx() procedure calls. Although the POSIX specification makes no specific mention
of this limit, implementations of the POSIX standard had to select maximums. The number of members
allowed in a group is determined by the size of the buffer allocated to return the group data. This buffer
stores elements of the "struct group" structure. On HP-UX 10.20 and earlier, this buffer size was 1024 bytes.
On HP-UX 11.00 this buffer was increased to 4096 bytes. Some other operating systems use a smaller
buffer, which limits the data portion of that buffer to 1024 characters. Implementations such as NIS
also limit total characters to 1024.

The actual limit on the number of members of a group is not a fixed value. Several factors determine
how many users may be members of a group. The paramount limitation is the size of the buffer
described above. The following formula can be used to compute the number of users that may be members
of a group (all right-side values represent bytes):

Number_of_Members =
    (size_of_buffer - (size_of_group_name + 1) - 15 [if a password is present])
    / (size_of_pointer + average_size_of_member_name + 1)

The size of a pointer is 4 bytes on a 32-bit system and 8 bytes on a 64-bit system.

For example, a group whose members have two-character names (aa, ab, ac, ad, …) could contain as
many as 144 members. However, a group whose member names are all 8 characters would be limited to
at most 72 members. These examples assume a limit of 1024 for the buffer size.

If a groupOfUniqueNames is used to represent a POSIX group, and that group has 10,000 members, an
HP-UX application will not be able to retrieve all the members of that group. The errors encountered when
a group is too large are not clearly defined. Sometimes the caller of the getgrxxx() procedures will receive a
group structure with as many members as would fit in the buffer. Sometimes the getgrxxx() procedures
will fail. Most implementations of NIS do not return errors when group membership is too large, so
determining whether a group is too large can be difficult.

The side effects on applications that use the getgrxxx() procedures can only be determined by the application
in question. One example is the "ls -l" command failing to display the group names in a listing (see
example on page 11) when the group is too large. The newgrp command also fails under certain
circumstances: to function properly, it needs to discover all the members of a group in order to
determine whether the user attempting the newgrp command is a member of the desired group.

As mentioned on page 34, the groupOfUniqueNames and groupOfNames object classes can be used to
represent members of POSIX groups. These groups can contain members of various types (posixAccounts,
inetOrgPersons, etc.). Only posixAccounts will be considered when determining the membership of a group
to be returned by the getgrxxx() routines.

In short, the HP-UX system administrator should ensure that no posixGroup in the LDAP directory has
more members than the formula above allows.
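
An added example, not part of the original paper: a Python audit that applies this section's formula to posixGroup entries in an LDIF export and lists the groups whose membership exceeds the limit, since a truncated member list can change the outcome of checks such as newgrp. The LDIF is constructed sample data; counting memberUid values and treating a userPassword attribute as "a password is present" are assumptions of this example.

```python
def max_members(buffer_size, group_name, avg_member_len, pointer_size=4, has_password=False):
    """Formula from this section; all sizes in bytes (pointer: 4 on 32-bit, 8 on 64-bit)."""
    usable = buffer_size - (len(group_name) + 1) - (15 if has_password else 0)
    return int(usable / (pointer_size + avg_member_len + 1))

def parse_posix_groups(ldif):
    """Return [(cn, has_password, [memberUid, ...])] from plain 'attr: value' LDIF.
    Assumption: the export has no base64 ('::') values and no folded lines."""
    groups = []
    for entry in ldif.strip().split("\n\n"):
        cn, has_password, members = None, False, []
        for line in entry.splitlines():
            attr, sep, value = line.partition(": ")
            if not sep:
                continue
            attr = attr.lower()
            if attr == "cn":
                cn = value
            elif attr == "userpassword":   # assumption: presence means a group password
                has_password = True
            elif attr == "memberuid":
                members.append(value)
        if cn and members:
            groups.append((cn, has_password, members))
    return groups

def oversized_groups(ldif, buffer_size, pointer_size=4):
    """Return [(cn, member_count, limit)] for groups that exceed the formula's limit."""
    findings = []
    for cn, has_password, members in parse_posix_groups(ldif):
        avg = sum(len(m.encode()) for m in members) / len(members)
        limit = max_members(buffer_size, cn, avg, pointer_size, has_password)
        if len(members) > limit:
            findings.append((cn, len(members), limit))
    return findings

def make_entry(cn, gid, uids):
    head = [f"dn: cn={cn},ou=Groups,dc=example,dc=com", "objectClass: posixGroup",
            f"cn: {cn}", f"gidNumber: {gid}"]
    return "\n".join(head + [f"memberUid: {uid}" for uid in uids])

SAMPLE_LDIF = "\n\n".join([  # constructed sample, not from a real directory
    make_entry("staff", 500, [f"user{i:04d}" for i in range(200)]),  # 8-character names
    make_entry("ops", 501, ["alice", "bob", "carol"]),
])

if __name__ == "__main__":
    for size in (1024, 4096):  # the two HP-UX buffer sizes given in the text
        print(size, oversized_groups(SAMPLE_LDIF, size))
```

Run it against a real export with the buffer size of the oldest client that will resolve the group, because that client sets the effective limit.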