On Wed, Jan 15, 2020 at 07:59:13PM +0100, Samuel Cabrero wrote:
Hi,
I found the filtering of domain-local groups was implemented after a
change to query the group memberships from the LDAP server of the
domain the user belongs to instead of the global catalog, which had the
side effect of retrieving the DLGs of trusted domains [1].
This DLGs are cached but treated as non-POSIX gruops (no gid number
assigned and not returned), after the commit implementing the filter
[2].
I have found an use case where not filtering domain-local groups would
be useful. If you want to use group memberships in sudo rules to allow
temporary sudo access, the replication latency of global groups is very
high and can take up to 15 minutes, but using domain local groups
replication is done in less than one minute.
Would you willing to accept a patch adding a new parameter to disable
the filtering of DLGs?
Hi,
in general yes, especially since I have such a patch already from some
time in my tree
https://github.com/sumit-bose/sssd/commit/bb26e67e6e351c46acbc32402254cc7....
We were asked to implement such option in
https://bugzilla.redhat.com/show_bug.cgi?id=1756240. I didn't create a
pull-request yet because it might be necesary to disable global catalog
lookups at the same time (at least if the patch is applied to older
versions of SSSD which uses the GC more often).
bye,
Sumit
Regards,
[1]
https://pagure.io/SSSD/sssd/issue/2161
[2]
https://pagure.io/SSSD/sssd/issue/2178
--
Samuel Cabrero / SUSE Labs Samba Team
GPG: D7D6 E259 F91C F0B3 2E61 1239 3655 6EC9 7051 0856
scabrero(a)suse.com
scabrero(a)suse.de
_______________________________________________
sssd-devel mailing list -- sssd-devel(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahoste...