Am Dienstag, 6. März 2012, 09:57:42 schrieben Sie: > Hi Cajus, > > On Mo 05 Mär 2012 08:29:36 CET Cajus Pollmeier wrote: > > Am Samstag, 3. März 2012, 19:54:06 schrieben Sie: > >> Package: gosa > >> Severity: important > >> Version: 2.6.11-3+squeeze1 > >> > >> in the right part of the GOsa² GUI layout there is a view filter to > >> filter out objects in GOsa²/LDAP. For the group management, it is > >> possible to filter out primary groups (which can be many if every user > >> has his/her own primary POSIX group). > >> > >> This filter switch, however, fails to work in GOsa² 2.6.11 (as in > >> Debian squeeze and used for Debian Edu). > > > > Please detail why you think that it does not work. There were some > > misunderstandings of this switch in the past. > > The primary groups (to my understanding) are those groups that are > used in the 4th field of /etc/passwd entries. On Debian, these groups > get created on user creation and they normally bear the same name as > the user. Home directories also get create with ownership and > groupship for this <username>=<groupname> tuple. > > The mass import of GOsa² 2.6 creates posixAccounts and per > posixAccount one posixGroup. These groups being created I consider as > primary groups. > > For a school with 600 students these groups are many in occurrence and > they are mostly not needed for system administration (only to grant > access to individual homes, which is not a common use case here > around). It would be good to be able to hide those in the GOsa²-WebGUI > on a Debian Edu system. Hi Mike, sorry for beeing late ;-) Ok. There is the filter named "Show primary groups". If you uncheck that box, you'll not see all primary groups. That's how it is in 2.6.11 available in squeeze. Just checked it, because I didn't use 2.6.x for some time now. For me it works fine. Working fine means, that all primary groups disappear from the list. So what "does not work" mean in detail? Is there a special setup that makes the filters stop working? Is there an easy way for me to reproduce it? I.e. minimum ldap setup + ldif + gosa.conf? > >> I tag this issue as important as it highly reduces usability of GOsa² > >> with Debian Edu for large setups (i.e. schools). > >> > >> I hope to come up with a patch soon... Does anyone know if this issue > >> occurs with GOsa² 2.7.x in Debian sid? > > > > 2.7 releases do have a revised filtering. There's no filter like > > that anymore. > > Hmmm.... ok... does this mean, that I will not be able to hide these > many many groups from the administrator? Any other approach available? The filter are user defineable beeing bound to a filter class. In the moment, there's a groupLDAPFilter, but it doesn't filter out primary groups. The feature has been dropped some time ago, because it is a big performance issue: To get the list of primary groups, you've to check for all users, and get their gidNumber. Then you've to search for all posixGroups inside the current scope and eliminate these groups with these gidNumbers. For big environments, this cannot be done with just two LDAP searcher, because it will exceed the maximum size of query strings. So you've to either split into multiple queries or do this manually in the code. That's where the filter does not finish in a reasonable timeframe if having multiple 1k's of users. If you want this feature back (maybe as a group filter extension), please open a ticket on oss.gonicus.de. We'll add it back if it's really required. Cheers, Cajus
Attachment:
signature.asc
Description: This is a digitally signed message part.