Any network of UNIX computers relies on identity information to identify computer users and groups of computer users on the network. For example, when a user logs onto a network computer, he provides a user name to identify himself. Once the user is logged in, he is associated with a pre-assigned user identification number (UID) that is used within any computer on the network to identify that user. Files use UIDs to indicate file ownership, and UNIX operations use UIDs to report user activity. Other user identity information may specify the user's real name, the user's home directory, the type of shell he prefers to use, and the primary group of users to which he belongs.
Groups of users within a network likewise have identity information: a group name and an associated group identification number (GID).
Identity information is typically stored by an identity resolver (usually a directory server) attached to the network. The resolver stores the data in user records and group records, known collectively as entity records. The resolver may be an Active Directory (AD) server, a Lightweight Directory Access Protocol (LDAP) server, or other type of identity resolver such as a relational database.
Any computer can request identity information from the resolver by supplying an entity identifier (typically a user name, UID, group name, or GID). When a user logs on to a UNIX computer and supplies a user name, for example, the computer can request the UID, home directory, preferred shell, and principal group associated with that user name. Or a computer can ask the directory server to find the user name associated with the UID indicated as the owner of a file.
Entity identifiers used within a single network of UNIX computers must be unique for each entity within the network. If, for example, two users have the same user name, or if a single user name is associated with two different UIDs, then computers in the network cannot establish identity for a user name or UID. The same is true for group names and GIDs.
When a single UNIX network grows incrementally from scratch, entity name and ID duplication is generally not a problem. Each newly created user name, UID, group name, and GID is checked against the existing names and IDs to make sure it is not a duplicate.
Problems frequently arise, however, when two or more existing UNIX networks are linked together and their directories are consolidated into a single master directory for all networks. Because the original directories have developed names and IDs in ignorance of each other, it is not only possible but likely that they have used the same entity names and ID numbers. When the directories are consolidated, these identical names and IDs conflict, make user and group identity uncertain, and require that many user and group records be reassigned unique names and IDs. This creates a significant amount of work for system administrators and often confuses users who may be forced to use a new name for log-on.
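The two kinds of conflict described above (one name bound to two IDs, one ID bound to two names) can be found before two directories are merged by diffing their entity records. The following is an added example, not part of the original text: it parses constructed passwd-style records from two hypothetical networks A and B and reports both conflict types; because group records also carry the name in the first field and the numeric ID in the third, the same functions work unchanged on group files.

```python
# Constructed sample passwd-style records (name:password:uid:gid:gecos:home:shell)
# from two separate UNIX networks about to be consolidated. All values are made up.
NETWORK_A = """\
alice:x:1001:100:Alice Adams:/home/alice:/bin/bash
bob:x:1002:100:Bob Brown:/home/bob:/bin/sh
svc_backup:x:3001:300:Backup Service:/var/backup:/sbin/nologin
"""
NETWORK_B = """\
alice:x:2001:200:Alice Anders:/home/alice:/bin/zsh
carol:x:1002:200:Carol Clark:/home/carol:/bin/bash
dave:x:2003:200:Dave Dunn:/home/dave:/bin/bash
"""

def parse_records(text):
    """Map entity name -> numeric ID. Field 1 is the name and field 3 the ID in
    both passwd-style and group-style records, so this handles either file."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        records[fields[0]] = int(fields[2])
    return records

def find_conflicts(a, b):
    """Return (name_conflicts, id_conflicts) between two directories.
    name_conflicts: same name, different ID  -> {name: (id_in_a, id_in_b)}
    id_conflicts:   same ID, different name  -> {id: (name_in_a, name_in_b)}
    An entity recorded identically in both directories is not a conflict."""
    name_conflicts = {n: (a[n], b[n]) for n in a.keys() & b.keys() if a[n] != b[n]}
    by_id_a = {i: n for n, i in a.items()}
    by_id_b = {i: n for n, i in b.items()}
    id_conflicts = {
        i: (by_id_a[i], by_id_b[i])
        for i in by_id_a.keys() & by_id_b.keys()
        if by_id_a[i] != by_id_b[i]
    }
    return name_conflicts, id_conflicts

def report(a_text=NETWORK_A, b_text=NETWORK_B):
    """Print every conflict an administrator would have to resolve before merging."""
    names, ids = find_conflicts(parse_records(a_text), parse_records(b_text))
    for n, (ia, ib) in sorted(names.items()):
        print(f"name conflict: {n!r} has ID {ia} in A but {ib} in B")
    for i, (na, nb) in sorted(ids.items()):
        print(f"ID conflict: {i} is {na!r} in A but {nb!r} in B")
    return names, ids

if __name__ == "__main__":
    report()
```

Running it on the sample flags `alice` (UID 1001 versus 2001) and UID 1002 (`bob` versus `carol`); every record listed is one that would have to be reassigned a unique name or ID during consolidation.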