jhrozek commented on a pull request
""" On Wed, Aug 31, 2016 at 07:15:10AM -0700, lslebodn wrote:
On (31/08/16 01:47), sumit-bose wrote:
On Wed, Aug 31, 2016 at 01:30:12AM -0700, Jakub Hrozek wrote:
On Wed, Aug 31, 2016 at 12:36:37AM -0700, sumit-bose wrote:
On Tue, Aug 30, 2016 at 12:36:20PM -0700, Jakub Hrozek wrote:
On Tue, Aug 30, 2016 at 11:47:09AM -0700, lslebodn wrote:
About the discussion I saw on #sssd in backscroll, the rfc2307bis schema only uses the member attribute because IIRC the RFC doesn't talk about memberof at all. But in IPA, we know the specifics on the schema, so we are able to dereference the memberof attribute to get a complete list of all groups with one call.
Unfortunately it is more complicated with IPA because memberOf only contains the direct memberships, there is a second attribute memberofindirect which hold the indirect memberships.
This is only how IPA UI displays indirect memberships, if you check the memberships with ldapsearch, you'll see it's really only memberof.
bummer, you are right, I thought the --raw option of ipa user-show really means 'raw' but it looks some of the values are still processed.
Sorry for the noise.
I haven't found any regression caused by this patch. So at least; issues in ipa-trust test are not caused by this bug.
CI: http://sssd-ci.duckdns.org/logs/job/52/88/summary.html
"""
See the full comment at https://github.com/SSSD/sssd/pull/7#issuecomment-244052286
sssd-devel@lists.fedorahosted.org