[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#662033: Primary Group Filter in GOsa²'s group management view fails to work

Am Dienstag, 6. März 2012, 09:57:42 schrieben Sie:
> Hi Cajus,
> On Mo 05 Mär 2012 08:29:36 CET Cajus Pollmeier wrote:
> > Am Samstag, 3. März 2012, 19:54:06 schrieben Sie:
> >> Package: gosa
> >> Severity: important
> >> Version: 2.6.11-3+squeeze1
> >> 
> >> in the right part of the GOsa² GUI layout there is a view filter to
> >> filter out objects in GOsa²/LDAP. For the group management, it is
> >> possible to filter out primary groups (which can be many if every user
> >> has his/her own primary POSIX group).
> >> 
> >> This filter switch, however, fails to work in GOsa² 2.6.11 (as in
> >> Debian squeeze and used for Debian Edu).
> > 
> > Please detail why you think that it does not work. There were some
> > misunderstandings of this switch in the past.
> The primary groups (to my understanding) are those groups that are
> used in the 4th field of /etc/passwd entries. On Debian, these groups
> get created on user creation and they normally bear the same name as
> the user. Home directories also get create with ownership and
> groupship for this <username>=<groupname> tuple.
> The mass import of GOsa² 2.6 creates posixAccounts and per
> posixAccount one posixGroup. These groups being created I consider as
> primary groups.
> For a school with 600 students these groups are many in occurrence and
> they are mostly not needed for system administration (only to grant
> access to individual homes, which is not a common use case here
> around). It would be good to be able to hide those in the GOsa²-WebGUI
> on a Debian Edu system.

Hi Mike,

sorry for beeing late ;-)

Ok. There is the filter named "Show primary groups". If you uncheck that box, 
you'll not see all primary groups. That's how it is in 2.6.11 available in 
squeeze. Just checked it, because I didn't use 2.6.x for some time now. For me 
it works fine. Working fine means, that all primary groups disappear from the 

So what "does not work" mean in detail? Is there a special setup that makes 
the filters stop working? Is there an easy way for me to reproduce it? I.e. 
minimum ldap setup + ldif + gosa.conf?
> >> I tag this issue as important as it highly reduces usability of GOsa²
> >> with Debian Edu for large setups (i.e. schools).
> >> 
> >> I hope to come up with a patch soon... Does anyone know if this issue
> >> occurs with GOsa² 2.7.x in Debian sid?
> > 
> > 2.7 releases do have a revised filtering. There's no filter like
> > that anymore.
> Hmmm.... ok... does this mean, that I will not be able to hide these
> many many groups from the administrator? Any other approach available?

The filter are user defineable beeing bound to a filter class. In the moment, 
there's a groupLDAPFilter, but it doesn't filter out primary groups. The 
feature has been dropped some time ago, because it is a big performance issue:

To get the list of primary groups, you've to check for all users, and get 
their gidNumber. Then you've to search for all posixGroups inside the current 
scope and eliminate these groups with these gidNumbers.

For big environments, this cannot be done with just two LDAP searcher, because 
it will exceed the maximum size of query strings. So you've to either split 
into multiple queries or do this manually in the code. That's where the filter 
does not finish in a reasonable timeframe if having multiple 1k's of users.

If you want this feature back (maybe as a group filter extension), please open 
a ticket on oss.gonicus.de. We'll add it back if it's really required.


Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: