IBM Support

IV69953: DOMAINLESS=TRUE MAY CAUSE LDAP USER TO BELONG TO 'SYSTEM' GROUP APPLIES TO AIX 7100-03

A fix is available

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • After turning on domainless groups (chsec -f
    /etc/secvars.cfg -s groups -a domainlessgroups=true),
    you might see that an LDAP user is listed by lsuser as
    belonging to the 'system' group, when they do not
    actually
    have membership to that group.
    

Local fix

  • WORKAROUND:
    ensure there is a mapping for the 'pgid' attribute in
     your user map file, such as:
    pgid   SEC_INT  gidnumber     s       na      yes
    

Problem summary

  • After turning on domainless groups (chsec -f
    /etc/secvars.cfg -s groups -a domainlessgroups=true),
    user might see that an LDAP user is listed by lsuser as
    belongs to the 'system' group, when they do not
    actually have membership to that group.
    

Problem conclusion

  • The group information is parsed properly when domainlessgroup
    attribute is defined.
    

Temporary fix

Comments

  • 6100-09 - use AIX APAR IV69226
    7100-03 - use AIX APAR IV69953
    

APAR Information

  • APAR number

    IV69953

  • Reported component name

    AIX V7.1

  • Reported component ID

    5765H4000

  • Reported release

    710

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Submitted date

    2015-02-26

  • Closed date

    2015-02-26

  • Last modified date

    2015-05-22

  • APAR is sysrouted FROM one or more of the following:

    IV69226

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    AIX V7.1

  • Fixed component ID

    5765H4000

Applicable component levels

  • R710 PSY U869596

       UP15/05/20 I 1000



Document information

More support for: AIX Enterprise Edition

Software version: 710

Operating system(s): AIX

Reference #: IV69953

Modified date: 22 May 2015