diff options
author | Sumit Bose <sbose@redhat.com> | 2015-03-09 16:36:29 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-03-17 16:56:00 +0100 |
commit | bfa2f2a8125d20f374f5ee8647f2e54d5bca7c06 (patch) | |
tree | 2b24a110d0f46dd8466c440d5536a6c7419cb1d9 /src/providers/simple/simple_access.c | |
parent | 442af10df5ece547f025e93c08a88ee240235682 (diff) | |
download | sssd-rhel7.0.tar.gz sssd-rhel7.0.tar.xz sssd-rhel7.0.zip |
LDAP/AD: do not resolve group members during tokenGroups requestrhel7.0
During initgroups requests we try to avoid to resolve the complete
member list of groups if possible, e.g. if there are no nested groups.
The tokenGroups LDAP lookup return the complete list of memberships for
a user hence it is not necessary lookup the other group member and
un-roll nested groups. With this patch only the group entry is looked up
and saved as incomplete group to the cache.
This is achieved by adding a new boolean parameter no_members to
groups_get_send() and sdap_get_groups_send(). The difference to config
options like ldap_group_nesting_level = 0 or ignore_group_members is
that if no_members is set to true groups which are missing in the cache
are created a incomplete groups. As a result a request to lookup this
group will trigger a new LDAP request to resolve the group completely.
This way no information is ignored but the time needed to read all data
is better distributed between different requests.
https://fedorahosted.org/sssd/ticket/2601
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d81d8d3dc151ebc95cd0e3f3b14c1cdaa48980f1)
Diffstat (limited to 'src/providers/simple/simple_access.c')
0 files changed, 0 insertions, 0 deletions