Jakub Hrozek wrote:
On Tue, Sep 22, 2015 at 02:03:09PM +0200, Michael Ströder wrote:
> For the records:
>
> It seems with enumerate = false the behaviour is more like what I want to achieve.
Ah, sorry, I missed that you're trying to use enumerate=true.
No problem. Actually enumerate = true was just in my local test installations.
> At least if sssd queries the group entry first (caused by getent group name)
> there is absolutely no query with filter (objectClass=posixAccount).
Yep, we search the group entry and then dereference its members.
The production sssd configuration has enumerate = false. Tested only with
1.13.0 so far. If it also reliably works with 1.9.6 I'm quite happy with it.
Hm, in Æ-DIR [1] I also explicitly define the sudoers entries visible for a
certain server group. Would be nice if I could use a deref spec like
aeSrvGroup:aeVisibleSudoers to search for getting all sudoers entries more
efficiently. I probably would have to implement an extra sssd backend similar
to sssd-ipa for this.
[1] http://www.stroeder.com/publications.html#gpn15
Ciao, Michael.