FreeBSD nss, getgroupmembership(3)

Frode Nordahl frode at
Mon Jan 7 05:34:25 PST 2008

On 7. jan.. 2008, at 14.20, Danny Braniss wrote:

>> On 7. jan.. 2008, at 11.10, Matthijs Kooijman wrote:
>>> a while back (or actually, more than a year back...) there was some
>>> discussion
>>> in this thread about implementing getgroupmembership support in
>>> FreeBSD NSS.
>>> FYI, Michael Bushkov has commited support for this a few weeks back
>>> based on
>>> work by me and largely by Michael Hanselmann. For now, there is no
>>> support yet
>>> in the nss_ldap and nss_winbind modules, but patches are already
>>> available.
>>> Support wil not be merged to 7.0, but hopefully it will be in 7.1.
>>> See pr 115196 [1] for more details about it, and links to the
>>> winbind/ldap patches.
>>> Gr.
>>> Matthijs
>>> [1]:
>> Thank you for letting me know, this is fantastic!! :-) A big thank  
>> you
>> to everyone involved in making this happen.
>> I will attempt to put this to test in a production system in good  
>> time
>> before 7.1 so any issues can be resolved before release.
>> Any chance the patch will apply on 6.x?
>> --
>> Frode Nordahl
> sorry if this sounds like a party-poopper but:
> 1- why not just fix getgrouplist instead of inventing  
> getgroupmembership?
>   (the patch replaces the code of getgrouplist by a call to
> getgroupmembership anyways)

> 2- why not just make a new table, with key uid/username and with  
> data the list
> of groups?
>   this is what we have here, the list is autogenerated each time the  
> main
> password file
>   and/or group are modified. this reduces network noice and cycles
> conciderably.

I can query the LDAP database with a username and get a list of groups  
effectively, but there is no existing API that can make use of this.

See the above link for discussion and reasons for adding  
getgroupmembership instead of altering existing APIs.

Frode Nordahl

More information about the freebsd-current mailing list