Domainless groups

The domainless groups feature allows you to assign users that are defined in one domain to groups that are defined in another domain. Only the Lightweight Directory Access Protocol (LDAP) and local domains are supported.

You create users and groups on the LDAP server by using the LDAP Authentication Load Module (LDAP module), and on the local system by using the Local Authentication Load Module (local module). When the domainlessgroups property is not enabled, users and groups that are created in either the LDAP or the local domain cannot be assigned to groups outside the domain in which they were created. For example, a user that is created in the LDAP domain cannot be assigned to a group that is defined in the local domain.

You can remove this restriction and assign users to both LDAP and local groups by enabling the domainlessgroups system property. The property is defined in the /etc/secvars.cfg file and is supported only for the LDAP and local modules. Its possible values follow:
false (default value)
The group attribute is not merged between the LDAP module and the local module.
true
The group attribute is merged from the LDAP and local modules. For example, LDAP users can be assigned to local groups.
To view the value of the domainlessgroups property, run the following command:
lssec -f /etc/secvars.cfg -s groups -a domainlessgroups
To set the domainlessgroups property to true, run the following command:
chsec -f /etc/secvars.cfg -s groups -a domainlessgroups=true
Note: After the property is enabled, a user's group membership can be recorded in the group database of either domain and is resolved from both domains at login. Anyone who can modify group entries in the LDAP directory or in the local files can therefore change the effective group membership of users from both domains. Enable the property only when both registries are administered with the same level of trust.
The following table explains how the results of the user and group commands differ when the domainlessgroups property is set to true.
Table 1. Results of selected commands that are affected by the domainlessgroups property (results apply when domainlessgroups is set to true)
chgroup -R ldap|files
Updates the group in the specified domain. The users that you add to the group can be either LDAP or local users.
chuser -R ldap|files
Changes the settings for a user in the specified domain. If groups that are defined in the other domain are specified, those groups are also updated with the user information.
login username or su
Retrieves the attributes of the user from the registry where the user is defined, except the group membership attributes, which are merged from both the LDAP and local domains.
lsgroup -R ldap|files
Lists all of the attributes of the group in the specified domain. If the specified group is not found in the specified domain, the command fails.
lsuser -R ldap|files
Lists the attributes of the user after the group information is merged from the domain where the user is defined and from the other domain. If the primary group of the user is not defined in the domain where the user is defined, it is resolved from the other domain.
mkgroup -R ldap|files
Creates a group in the specified domain. After you create the group, you assign users (either LDAP or local) to it in the group database of that domain.
mkuser -R ldap|files
Creates a user in the specified domain. If groups that are defined in the other domain are specified, those groups are also updated with the user information.
rmgroup -R ldap|files
Deletes the specified group from the specified domain. If the group is the primary group of any user that is defined in either domain, the command fails.
rmuser -R ldap|files
Deletes the specified user from the specified domain. It also removes the user from any group that is defined in the other domain and has this user as a member.
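The following script is an added example and is not part of the IBM page. It ties together the lssec/chsec procedure above and the cross-domain commands in the table: it enables domainlessgroups only if it is not already true, verifies the setting by reading /etc/secvars.cfg back, and then adds an LDAP-defined user to a local (files) group, checking the local group database afterwards. It assumes that lssec prints its result as "<stanza> <attr>=<value>" on one line, that the registry names "ldap" and "files" match the stanza names in /usr/lib/security/methods.cfg on the host, and that the user "jdoe" and the group "localadmins" are constructed names (jdoe must already exist in LDAP). The live parts run only when lssec is present, so the parsing helpers can be exercised on any POSIX shell.

```shell
#!/bin/sh
# Added example, not from the IBM page: enable domainlessgroups, then put an
# LDAP-defined user into a local (files) group and verify each step.
# Assumptions: lssec prints "<stanza> <attr>=<value>" on one line (AIX lssec
# behaviour) and the registry names "ldap"/"files" match the stanza names in
# /usr/lib/security/methods.cfg. The live functions must run as root on AIX.

SECVARS=/etc/secvars.cfg

# Extract the value from a line such as "groups domainlessgroups=false".
# Prints an empty string when the line does not carry the attribute.
parse_domainless() {
    printf '%s\n' "$1" | sed -n 's/^groups[[:space:]]*domainlessgroups=\(.*\)$/\1/p'
}

# Map the current value to an action: "enable" (chsec needed), "noop"
# (already true) or "unknown" (unexpected value; returns 1 so callers stop).
decide_action() {
    case "$(parse_domainless "$1")" in
        true)      echo noop ;;
        false|"")  echo enable ;;
        *)         echo unknown; return 1 ;;
    esac
}

# chuser groups= replaces the whole supplementary-group list, so the existing
# groups must be carried over or the user silently loses them.
append_group() {
    existing=$1; new=$2
    case ",$existing," in
        *",$new,"*) printf '%s\n' "$existing" ;;                 # already a member
        *)          printf '%s\n' "${existing:+$existing,}$new" ;;
    esac
}

# Enable the property if needed and confirm by reading the file back rather
# than trusting the chsec exit status.
ensure_domainless_groups() {
    current=$(lssec -f "$SECVARS" -s groups -a domainlessgroups)
    action=$(decide_action "$current") || return 1
    if [ "$action" = enable ]; then
        chsec -f "$SECVARS" -s groups -a domainlessgroups=true
    fi
    [ "$(decide_action "$(lssec -f "$SECVARS" -s groups -a domainlessgroups)")" = noop ]
}

# Add LDAP user $1 to local group $2 (created if missing), then check that the
# local group database lists the LDAP user as a member.
add_ldap_user_to_local_group() {
    user=$1; group=$2
    # lsgroup fails when the group is not in the given domain (see Table 1).
    lsgroup -R files "$group" >/dev/null 2>&1 || mkgroup -R files "$group"
    # lsuser -a groups prints "user groups=g1,g2"; strip the "user groups=" prefix.
    existing=$(lsuser -R ldap -a groups "$user" | sed 's/^[^ ]* groups=//')
    chuser -R ldap groups="$(append_group "$existing" "$group")" "$user"
    # lsgroup -a users prints "group users=u1,u2"; match the user as a whole item.
    lsgroup -R files -a users "$group" | grep -q -E "[=,]$user(,|\$)"
}

# Example invocation with constructed names; only runs on a host that has lssec.
if command -v lssec >/dev/null 2>&1; then
    ensure_domainless_groups && add_ldap_user_to_local_group jdoe localadmins
fi
```

The final lsgroup check is the part worth keeping: with the property on, the local group database is what records the LDAP user's membership, so that is where a practitioner should confirm the change took effect.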