Handling large Active Directory groups

In most cases, the NIS server cannot send more than 1024 characters of data to NIS clients in response to a query. This limitation can create problems when the NIS client requests information for a large group with a long membership list. By default, the adnisd process automatically truncates the list at 1024 characters.

You can configure adnisd to split large groups into several groups of conforming size and names using nisd.largegroup.suffix and nisd.largegroup.name.length in /etc/centrifydc/centrifydc.conf.

Splitting a single large group into multiple new groups

If you specify any value for the nisd.largegroup.suffix parameter, adnisd automatically splits large groups into multiple new groups, creating a new group whenever a group’s data size exceeds the 1024-character limit. Each new group is named by appending the string you define in nisd.largegroup.suffix, plus a sequential number, to the original group name.

For example, if you have a large group named performix-worldwide-corp, and have defined the suffix string as “-all”, when the performix-worldwide-corp group membership is split into multiple groups, the groups are named as follows:

performix-worldwide-corp-all1
...
performix-worldwide-corp-alln

All of the new groups have the same group identifier (GID) as the original group.

Setting the maximum length of new group names

If the new group names would exceed the maximum length for group names on a platform, use the nisd.largegroup.name.length parameter. If you do this, adnisd truncates the original group name so as not to exceed the maximum name length.

For the example above, if you set a maximum name length of 14, the split groups are named:

performix-all1
...
performi-all10
...
perform-all100

All of the new groups have the same group identifier (GID) as the original group.
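
The naming rules from both sections above, modelled as an added Python example (not Centrify's code and not part of the original document). It assumes the 1024-character limit is measured on a whole name:x:gid:members line; the function names, the member names and GID 5000 are made up for illustration.

```python
# Added illustration: a model of the naming rule described above, not adnisd's code.
NIS_LIMIT = 1024  # response size limit stated in this document


def split_name(group, suffix, index, max_len=None):
    """Original name + suffix + sequence number; the original name is
    truncated when max_len (nisd.largegroup.name.length) is given."""
    tail = f"{suffix}{index}"
    if max_len is None:
        return group + tail
    keep = max_len - len(tail)
    if keep < 1:
        raise ValueError("max_len leaves no room for the group name")
    return group[:keep] + tail


def entry(name, gid, members):
    # Assumption: the limit is measured on a group(5)-style line.
    return f"{name}:x:{gid}:{','.join(members)}"


def split_group(group, gid, members, suffix, max_len=None, limit=NIS_LIMIT):
    """Model of the split: entries that each fit within limit, same GID."""
    whole = entry(group, gid, members)
    if len(whole) <= limit:
        return [whole]  # small enough: no split, original name kept
    entries, chunk, index = [], [], 1
    for member in members:
        name = split_name(group, suffix, index, max_len)
        if chunk and len(entry(name, gid, chunk + [member])) > limit:
            entries.append(entry(name, gid, chunk))
            chunk, index = [], index + 1
        chunk.append(member)
    entries.append(entry(split_name(group, suffix, index, max_len), gid, chunk))
    return entries


if __name__ == "__main__":
    # Constructed sample data: 300 made-up member names and a made-up GID.
    members = [f"user{i:04d}" for i in range(300)]
    for line in split_group("performix-worldwide-corp", 5000, members, "-all", 14):
        name, _, gid, rest = line.split(":")
        print(name, gid, len(rest.split(",")), "members,", len(line), "chars")
```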

For more information, see the Configuration and Tuning Reference Guide.