On Tue, Jul 26, 2016 at 01:51:56PM +0200, Sumit Bose wrote:
> On Mon, Jul 25, 2016 at 01:45:13PM +0200, Jakub Hrozek wrote:
> > On Thu, Jul 21, 2016 at 02:13:40PM +0200, Sumit Bose wrote:
> > > Hi,
> > >
> > > this is my suggestion to solve https://fedorahosted.org/sssd/ticket/2948
> > > "Handle overriden name of members in the memberUid attribute".
> >
> > So far I read them to get a grasp of what they do, but didn't do a full
> > review. See some comments below.
> >
> > >
> > > The first two patches are for the IPA provider and make sure that all
> > > ghost members in a group get resolved because otherwise we cannot
> > > determine if the name is overridden or not. This adds an overhead to
> > > group lookups, especially for larger groups but I think it is a
> > > requirement which cannot be skipped.
> >
> > Right. But I wonder if we could skip it on-demand. Could we maybe check
> > if any views exist in the IPA domain at all and not resolve the members
> > if there are no idview data? I would guess that since this is SSSD on
> > the IPA server, then an additional LDAP lookup might be cheaper than
> > resolving a full large group.
>
> Yes, that would be possible. But since this is about AD users I would
> prefer a different change.
>
> Since AD used RFC2307bis (member attribute with the DN of the member) we
> already read the user object from the AD GC when resolving the group but only
> ask for objectclass and samAccountName to be able to fill the ghost
> entry. If we would switch to the LDAP port, read the whole entry and
> save it to the cache there wouldn't be any ghost entries in the first
> place. But I wanted to avoid regressions in the common SDAP code at this
> time so I resolved the ghosts in a second step.
>
> But I guess it is worth opening a ticket to add either or both kinds of
> optimization.
OK, I hope with the timestamp cache, the performance impact would only
be during the first lookup.
Should I open that ticket or would you?