Bug 51771

Summary: make "uniqueMember" optional for primary group
Product: UCS
Reporter: Ingo Steuwer <steuwer>
Component: UDM (Generic)
Assignee: UMC maintainers <umc-maintainers>
Status: NEW ---
QA Contact: UMC maintainers <umc-maintainers>
Severity: enhancement
Priority: P5
CC: best
Version: UCS 5.0
Target Milestone: ---
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=52175
https://forge.univention.org/bugzilla/show_bug.cgi?id=55268
https://forge.univention.org/bugzilla/show_bug.cgi?id=42080
https://forge.univention.org/bugzilla/show_bug.cgi?id=52835
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): API change
Max CVSS v3 score:

Description Ingo Steuwer univentionstaff 2020-08-05 10:40:56 CEST
In POSIX environments, the primary group is only assigned as gidNumber to a user. In UCS, we store this group membership also as "uniqueMember".

In larger environments the default primary group "Domain Admins" is getting very big and changes are slow, for example because OpenLDAP has to do complex index updates.

We should check if we can introduce a configuration option to deactivate the maintenance of "uniqueMember" for primary groups in UDM.

Some things are going to "break", examples:

* sending mails to an address assigned to the primary group
* AD and S4 connector might fail
* LDAP ACLs won't work if based on this group

Comment 1 Florian Best univentionstaff 2022-10-14 16:10:50 CEST
There is already a UCR variable for that: directory/manager/user/primarygroup/update=false.
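
An added example (not part of the bug report or of UCS code): a small audit that lists users whose primary group is visible only through gidNumber, which is the set that uniqueMember-based consumers such as LDAP ACLs or mail group expansion would miss once uniqueMember is no longer maintained for primary groups. The LDIF sample, DNs and function names are constructed for illustration; the parser assumes unfolded, non-base64 LDIF and compares DNs case-insensitively as a simplification.

```python
from collections import defaultdict

# Constructed sample export (not from the bug report); all DNs and IDs are made up.
SAMPLE_LDIF = """\
dn: cn=staff,cn=groups,dc=example,dc=org
objectClass: posixGroup
gidNumber: 5001
uniqueMember: uid=alice,cn=users,dc=example,dc=org

dn: cn=printers,cn=groups,dc=example,dc=org
objectClass: posixGroup
gidNumber: 5002
uniqueMember: uid=bob,cn=users,dc=example,dc=org

dn: uid=alice,cn=users,dc=example,dc=org
objectClass: posixAccount
gidNumber: 5001

dn: uid=bob,cn=users,dc=example,dc=org
objectClass: posixAccount
gidNumber: 5001
"""

def parse_ldif(text):
    """Parse simple LDIF: blank-line separated records, 'attr: value' lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs[name.lower()].append(value)
        entries.append(attrs)
    return entries

def primary_only_members(entries):
    """Return {group DN: [user DNs]} for users whose gidNumber points at the
    group but who are absent from that group's uniqueMember values."""
    groups = {e["gidnumber"][0]: e for e in entries if "posixGroup" in e["objectclass"]}
    missing = defaultdict(list)
    for e in entries:
        if "posixAccount" not in e["objectclass"]:
            continue
        group = groups.get(e["gidnumber"][0])
        if group is None:
            continue  # gidNumber without a matching group entry in the export
        listed = {m.lower() for m in group["uniquemember"]}
        if e["dn"][0].lower() not in listed:
            missing[group["dn"][0]].append(e["dn"][0])
    return dict(missing)
```

Running `primary_only_members(parse_ldif(SAMPLE_LDIF))` on an export taken before and after setting directory/manager/user/primarygroup/update=false shows which ACL or mail-group decisions depend on the primary group's uniqueMember values.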