Ldap – the maximum value for a gid in OpenLDAP

Tags: ldap, openldap

Our company has many individual sites that currently each have their own scheme for Linux authentication. We are looking at redesigning to have one unified scheme with the future plan of porting all the accounts to a single LDAP, likely OpenLDAP. As part of this first phase, we would like to redo all the gids to fit at least some sort of standard. We'd like to allocate a range of gids to each site to use as needed. We are looking to start at gid 10000 (to avoid system gids, and any other already established gids at any particular site) and allocate at least 1000 gids each of them to use. This plan puts our highest gid at just under 300000.

The question comes down to whether OpenLDAP can reference a gid that high. It's not a matter of how many gids, as the majority of those sites don't currently need Linux gids. It's simply whether OpenLDAP would have an issue accessing a value at least that high or higher. It's my understanding that what *NIX OSs consider a "gid" is just a value to OpenLDAP, so theoretically, there shouldn't be a limitation on OpenLDAP's side, but I haven't found that stated, or anyone who has successfully used a gid of more than 200000.

Does anyone actually know if using a gid in the 300000 range causes an issue with OpenLDAP?

Best Answer

The gidNumber is unlimited.

The GID number is defined as an integer in the schema definitions:

attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
    DESC 'An integer uniquely identifying a group in an administrative domain'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

According to RFC 4517, LDAP: Syntaxes and Matching Rules:

3.3.16. Integer

A value of the Integer syntax is a whole number of unlimited
magnitude.
The LDAP-specific encoding of a value of this syntax is
the optionally signed decimal digit character string representation
of the number (for example, the number 1321 is represented by the
character string "1321"). The encoding is defined by ...

Since it is a character string and not a number, you don't have the OS-determined maximum size for a signed integer, and the GID number in LDAP is unlimited.

On the other hand, your OS support and PAM libraries may be limited to 65534.
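An added example, not part of the original answer: it validates gidNumber values from a constructed LDIF against the RFC 4517 Integer encoding (optional sign, decimal digits, no leading zeros), maps each gid to the site block scheme from the question (base 10000, 1000 gids per site), and checks it against an OS limit that the caller supplies, since that limit is a property of the OS and libraries rather than of OpenLDAP.

```python
import re

# RFC 4517 section 3.3.16 Integer ABNF: "0", or an optional '-' followed by
# digits with no leading zero. Anything else is not a valid LDAP Integer value.
LDAP_INTEGER_RE = re.compile(r"^(0|-?[1-9][0-9]*)$")

# Constructed sample LDIF for this example (not from the original post).
SAMPLE_LDIF = """\
dn: cn=site3-admins,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: site3-admins
gidNumber: 12500

dn: cn=site290-dev,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: site290-dev
gidNumber: 299999

dn: cn=bad-group,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: bad-group
gidNumber: 007
"""

def parse_ldap_integer(text):
    """Return the integer value of an RFC 4517 Integer string, or None if malformed."""
    if not LDAP_INTEGER_RE.match(text):
        return None
    return int(text)

def site_for_gid(gid, base=10000, per_site=1000):
    """Map a gid to the index of the site block that owns it; None if below the base."""
    if gid < base:
        return None
    return (gid - base) // per_site

def audit_ldif(ldif_text, os_max):
    """Return (cn, gid, verdict) per entry; os_max is the largest gid the OS accepts."""
    results = []
    for block in ldif_text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines())
        raw = attrs.get("gidNumber", "")
        gid = parse_ldap_integer(raw)
        if gid is None:
            results.append((attrs["cn"], raw, "malformed LDAP Integer"))
        elif gid < 0 or gid > os_max:
            results.append((attrs["cn"], gid, "outside OS gid_t range"))
        elif site_for_gid(gid) is None:
            results.append((attrs["cn"], gid, "below allocated site blocks"))
        else:
            results.append((attrs["cn"], gid, "ok (site %d)" % site_for_gid(gid)))
    return results
```

Run the audit once with the limit your PAM/NSS stack actually enforces and once with the 32-bit gid_t maximum to see which entries only break on the client side.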
