From dcaf214652568da55b1caf382e04f99b51a544f3 Mon Sep 17 00:00:00 2001 From: John Dickerson Date: Fri, 12 Dec 2014 10:38:10 +0100 Subject: MAN: Amend the description of ignore_group_members The option description should hint that enabling this option may have a positive effect on access control, especially with large groups. See https://bugzilla.redhat.com/show_bug.cgi?id=1172338 for an example where ignoring the group members helped. Signed-off-by: Jakub Hrozek Reviewed-by: Pavel Reichl --- src/man/sssd.conf.5.xml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 10d990419..5f8e7550b 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -1487,7 +1487,25 @@ fallback_homedir = /home/%u If set to TRUE, the group membership attribute is not requested from the ldap server, and group members are not returned when processing - group lookup calls. + group lookup calls, such as + + getgrnam + 3 + + or + + getgrgid + 3 + . + As an effect, getent group + $groupname would return the requested + group as if it was empty. + + + Enabling this option can also make access + provider checks for group membership + significantly faster, especially for groups + containing many members. Default: FALSE -- cgit
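Review bot: The added text ending "would return the requested group as if it was empty" describes what getent shows, but it does not spell out the consequence for software that reads the member list from getgrnam(3) or getgrgid(3) to make a decision. Because the second added paragraph recommends the option for faster access provider checks, the description should say that any such consumer will see no members once the option is TRUE. It should also say whether lookups of a user's own group list are affected, so an administrator can tell which checks keep working. Two wording points in the same paragraph: "As an effect" reads better as "As a result", and "as if it was empty" as "as if it were empty". The commit message speaks of a "positive effect on access control" while the new text only claims the checks become "significantly faster"; wording the message in terms of performance would match what the man page now states.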