Preparing your LDAP Directory for HP-UX Integration

NIS/LDAP Gateway & Large Groups
Although HP-UX 11.00 supports group data sets of up to 4096 characters, the NIS architecture
limits the group size to 1024 characters.
LDAP-UX Client Services & Large Groups
LDAP-UX Client Services takes advantage of whatever buffer size is supported by the operating system. In
this case, LDAP-UX Client Services supports the 4096 buffer size on the 11.00 operating system. However,
before increasing the membership of groups beyond 1024 bytes, the administrator should consider the lowest
common denominator. If your environment is a mix of the LDAP-UX Client Services product and the
NIS/LDAP Gateway (or another operating system that supports only 1024 bytes), keep groups no larger
than 1024 bytes.
HP-UX and Large Groups
A common method to work around group size limitations (as described on page 31) is to create multiple
groups with the same group ID number (gidnumber) but with different names. One example follows:
catgrp::523:gwong,kyiu,r4382,jsmith,kjenkins,…
catgrp.1::523:stella,lmajors,bsimpson,…
catgrp.2::523:sangel,dtutor,cdragon,mir,…
This method can still be used once data is migrated to an LDAP directory. However, there is one minor
side-effect. LDAP directories are not required to enforce ordering. In an /etc/group file the order above
assured that "catgrp" would always be returned first by a getgrent() or getgrgid() procedure call. Because
the LDAP directory is not required to enforce ordering on a search request, catgrp.1 or catgrp.2 could also
be returned ahead of catgrp. For example, when typing an "ls" command, instead of seeing catgrp:
% ls -l dir1
total 72
-rw-r----- 1 lee catgrp 3074 Feb 17 2112 RUSH
-rw-r----- 1 bobj catgrp 1613 Oct 27 1992 ball
-rw-r----- 1 bobj catgrp 11326 Oct 27 1992 bill
-rw-r----- 1 bobj catgrp 2891 Feb 19 1999 food2
-rw-r----- 1 bobj catgrp 8918 Apr 8 1997 goodx
you may see catgrp.1 or catgrp.2:
% ls -l dir1
total 72
-rw-r----- 1 lee catgrp.2 3074 Feb 17 2112 RUSH
-rw-r----- 1 bobj catgrp.2 1613 Oct 27 1992 ball
-rw-r----- 1 bobj catgrp.2 11326 Oct 27 1992 bill
-rw-r----- 1 bobj catgrp.2 2891 Feb 19 1999 food2
-rw-r----- 1 bobj catgrp.2 8918 Apr 8 1997 goodx
Although the group name that is returned may be inconsistent, the actual group ID remains the same. If you
have scripts or other applications that examine the names of groups and assume that the first group in the
set will always be returned first, you may need to update those applications.
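
The following Python sketch is an added example, not part of the original document: it merges entries by group ID so that a membership check gives the same answer whichever of catgrp, catgrp.1 or catgrp.2 the directory returns first, and it flags entries that exceed the 1024-byte limit. The function names, the sample entries, and measuring the limit as the length of the /etc/group-style line are assumptions.

```python
from collections import defaultdict

NIS_LIMIT = 1024  # bytes per group entry (limit stated above; measured per line here by assumption)

# Constructed sample in /etc/group format, deliberately out of order,
# as an LDAP search is allowed to return it.
SAMPLE = """\
catgrp.2::523:sangel,dtutor,cdragon,mir
catgrp::523:gwong,kyiu,r4382,jsmith,kjenkins
catgrp.1::523:stella,lmajors,bsimpson
dogs::600:gwong
"""

def parse(text):
    """Yield (name, gid, members, line_length_in_bytes) for each entry."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _passwd, gid, users = line.split(":", 3)
        members = [u for u in users.split(",") if u]
        yield name, int(gid), members, len(line.encode())

def merge_by_gid(text):
    """Map gid -> {'names': sorted names, 'members': union of all members}."""
    groups = defaultdict(lambda: {"names": set(), "members": set()})
    for name, gid, members, _size in parse(text):
        groups[gid]["names"].add(name)
        groups[gid]["members"].update(members)
    return {gid: {"names": sorted(g["names"]), "members": g["members"]}
            for gid, g in groups.items()}

def is_member(text, user, group_name):
    """Resolve the name to its gid first, then test the merged member set."""
    for info in merge_by_gid(text).values():
        if group_name in info["names"]:
            return user in info["members"]
    return False

def oversized(text, limit=NIS_LIMIT):
    """Names of entries whose line is longer than the byte limit."""
    return [name for name, _gid, _members, size in parse(text) if size > limit]

if __name__ == "__main__":
    print(merge_by_gid(SAMPLE)[523]["names"])
    print(is_member(SAMPLE, "stella", "catgrp.2"))
    print(oversized(SAMPLE))
```
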