On Fri, 2013-02-15 at 17:35 -0500, Dmitri Pal wrote:
> On 02/15/2013 05:15 PM, KodaK wrote:
> > I suspect the answer to this is "no," but I'm asking anyway:
> >
> > Let's say I have an IPA user named "bob."  When bob was created, IPA
> > created a matching GID for him.  Is it possible, through IPA, to add
> > another user to that GID?
> >
> > If not, and I add another user to that GID by directly manipulating
> > LDAP, will that break anything in IPA?
> >
> > I know the "correct" way is to make a new group.
> >
> I think you should be able to.

You may be able to but you -should not-.

> There was/is way to display UPGs in the
> UI so it should be managble as yet another group with some special
> warnings. At least this is how it was speced. I do not know how it is
> actually implemented.

No, the UPG are not special just because of display reasons.

The UPG are private to the user because on most *nix the default mask is
allows access by the primary group. This means having other users part
of the primary group of a user means all this user files are readable by
the other users by default.

So the way we generate UPGs is that we do not add the groupOFmembers
objectclass which prevents you from adding the member attribute,
preventing additional users to be made part of this group.

Now, you can convert a UPG group into a normal group manually via LDAP
operations, or you can also simply delete the UPG and then recreate a
new group with the same gid number.

Just make sure you are comfortable with the security consequences for
the original user when doing so.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Reply via email to