Use dereference when processing RFC2307bis nested groups

Instead of issuing N LDAP requests when processing a group with N users,
utilize the dereference functionality to pull down all the members in a
single LDAP request.

https://fedorahosted.org/sssd/ticket/799

3 files changed, 4 insertions, 0 deletions

diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 5a26e31a7..5114a178a 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -145,6 +145,7 @@ option_strings = {
     'ldap_deref' : _('How to dereference aliases'),
     'ldap_dns_service_name' : _('Service name for DNS service lookups'),
     'ldap_page_size' : _('The number of records to retrieve in a single LDAP query'),
+    'ldap_deref_threshold' : _('The number of members that must be missing to trigger a full deref'),
 
     'ldap_entry_usn' : _('entryUSN attribute'),
     'ldap_rootdse_last_usn' : _('lastUSN attribute'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 7719069c7..752222508 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -35,6 +35,8 @@ ldap_referrals = bool, None, false
 ldap_krb5_ticket_lifetime = int, None, false
 ldap_dns_service_name = str, None, false
 ldap_deref = str, None, false
+ldap_page_size = int, None, false
+ldap_deref_threshold = int, None, false
 
 [provider/ipa/id]
 ldap_search_timeout = int, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index e568c74d3..ce9ec513d 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -28,6 +28,7 @@ ldap_krb5_ticket_lifetime = int, None, false
 ldap_dns_service_name = str, None, false
 ldap_deref = str, None, false
 ldap_page_size = int, None, false
+ldap_deref_threshold = int, None, false
 
 [provider/ldap/id]
 ldap_search_timeout = int, None, false