When OpenLDAP is configured to make use of the dynlist module, it can update the member and memberOf population recursively for nested groups by just querying with a search filter on memberOf for it.
This should eliminate the need for nested group searches because it returns all memberships.
Similar: issue: 2409
Can we have a setting to enable this, like LDAP_MATCHING_RULE_IN_CHAIN for AD?
On Fri, Aug 19, 2022 at 02:02:00PM +0200, Erik de Waard wrote:
> When OpenLDAP is configured to make use of the dynlist module, it can update the member and memberOf population recursively for nested groups by just querying with a search filter on memberOf for it.
> This should eliminate the need for nested group searches because it returns all memberships.
Hi,
would you mind opening this request as an RFE at https://github.com/SSSD/sssd/issues/new?
I'm not familiar with the details of the dynlist module, but if I understand it correctly, everything happens on the server side and the client just has to ask for the related attribute, i.e. memberOf. In this case I wonder if setting
ldap_group_nesting_level = 0
in the [domain/...] section of sssd.conf would already be sufficient?
bye, Sumit
> Similar: issue: 2409
> Can we have a setting to enable this, like LDAP_MATCHING_RULE_IN_CHAIN for AD?