When OpenLDAP is configured to make use of the dynlist module it can update
the member and memberOf population recursively for nested groups by just
querying with a search filter memberOf for it.
This should eliminate the need for nested group searches because it
returns all memberships.
Similar: issue: 2409
Can we have a setting to enable this, like LDAP_MATCHING_RULE_IN_CHAIN for AD?
During my evaluations and research around implementing user and
device management using OAuth and OIDC, I also caught up on the
* sssd's architecture
* Freedesktop's AccountsService
* the idea of making sssd implement AccountsService
Currently, I am evaluating whether I should add an OIDC module to
sssd, or write my own authentication daemon handling it (mimicking sssd
to some extent). I will probably get back to the pros and cons around
this later in a separate thread.
One question though that I did not find an answer to, which is
somewhat important for both approaches, is:
Why does sssd implement its own wire protocol between client
libraries and responders, instead of using the D-Bus system bus?
Actually, designing a draft for my own authentication daemon, I
decided to go with my own wire protocol (based on protobuf) as well,
and then thought that if I was going to implement a realmd provider
later on, I'd have to talk D-Bus anyway, so I could just as well use
Since sssd decided to not do that, I assume there is a reason, so:
If I were designing a system like sssd, why should I not use D-Bus
to communicate between my PAM module and my backend daemon?
Disclaimer: I am not seeking to replace sssd; right now, all of this
is of purely academic nature, to understand the whole picture.
I am currently working on integrating Linux desktops directly with
web-based login services, using OAuth/OpenID Connect.
For now, I have written my own NSS and PAM modules, but it would
be better to decouple the time-consuming work of querying the data
I was wondering whether third-party backends can be written for
sssd? I cannot find documentation on that.
Cheers and thank you,