I've raised https://github.com/SSSD/sssd/issues/5310
>1. group lookups are inaccurate for groups with > 1500 members. Once that
>condition hits, is it inaccurate for all memberships of all groups, or
>the specific groups with > 1500 members?
It only applies to groups with > 1500 (AD's MaxValRange) member attributes.
>2. Are you using tokengroups? Or does this happen whether or not you
ldap_use_tokengroups is enabled by default for AD. I think I disabled
tokengroups in one round of testing, but it either made no difference, or
broke behaviour in some other way.
On Tue, 8 Sep 2020 at 07:10, Sumit Bose <sbose(a)redhat.com> wrote:
On Mon, Sep 07, 2020 at 05:57:13PM +0100, R Davies wrote:
>When enumeration is enabled (required due to legacy application), and
>a group has > 1500 members, and AD's MaxValRange is at the default 1500,
>then sssd fails to show more than 1500 group members. Group lookups are
>A further interesting aspect is that if the sssd cache is expired (sssctl
>cache-expiry -E), then the correct group membership is shown until such
>time as enumeration is processed again (i.e. at most
>ldap_enumeration_refresh_timeout + memcache_timeout)
>src/providers/ldap/sdap.c's sdap_parse_entry() states:
>/* This attribute contained range values and needs more to
> * be retrieved
> */
>/* TODO: return the set of attributes that need additional retrieval
> * For now, we'll continue below and treat it as regular values.
> */
>As enumeration is enabled the subsequent ASQ/deref work is never
>undertaken. As such sssd only ever processes the initial range retrieved
>members (0-1499) (NB that nested groups members are evaluated).
there is a fair chance that the range handling is missing in a code-path
used by enumeration. Please open a ticket at
for further investigations.
>We have looked at the relevant source code, but can't find a way to
>Attribute Scope Queries (ASQ)/deref. Indeed, no manner of sssd
>configuration settings (other than disabling enumeration - which we sadly
>cannot do) appears to change this behaviour. Increasing MaxValRange on AD
>defeats the purpose of having MaxValRange.
>Has anyone run into this before? Or, should I raise a new issue?
>sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>Fedora Code of Conduct:
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
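To make the behaviour discussed in this thread reproducible offline, here is an added Python example (not sssd's code, and not from either poster) that models AD's MaxValRange range retrieval with a hypothetical `simulated_ad_search`, shows the difference between reading only the first range (what the `TODO` in sdap_parse_entry amounts to) and following `range=N-*` to the end, and gives a check for an entry whose membership was left truncated.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example; the "AD" here is a hypothetical stand-in, not a real directory.
MAX_VAL_RANGE = 1500  # AD default, as stated in the thread

RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")

def parse_range_option(attr_name: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """'member;range=0-1499' -> ('member', 0, 1499); a '*' upper bound -> None (last page)."""
    m = RANGE_RE.match(attr_name)
    if not m:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi

def simulated_ad_search(members: List[str], attr: str, lo: int = 0) -> Dict[str, List[str]]:
    """Hypothetical AD: returns at most MAX_VAL_RANGE values per request and
    labels the attribute with the range actually returned ('*' on the last page)."""
    if len(members) <= MAX_VAL_RANGE and lo == 0:
        return {attr: list(members)}  # small group: no range option at all
    page = members[lo:lo + MAX_VAL_RANGE]
    hi = "*" if lo + len(page) >= len(members) else lo + len(page) - 1
    return {f"{attr};range={lo}-{hi}": page}

def first_page_only(members: List[str], attr: str = "member") -> List[str]:
    """Treats the ranged attribute as regular values: only 0-1499 is ever seen."""
    (_, values), = simulated_ad_search(members, attr).items()
    return values

def fetch_all_members(members: List[str], attr: str = "member") -> List[str]:
    """Follows range=lo-hi with lo=hi+1 until the server answers range=N-*."""
    collected: List[str] = []
    lo = 0
    while True:
        (name, values), = simulated_ad_search(members, attr, lo).items()
        collected.extend(values)
        parsed = parse_range_option(name)
        if parsed is None or parsed[2] is None:  # plain attribute or final page
            return collected
        lo = parsed[2] + 1

def membership_truncated(entry: Dict[str, List[str]]) -> bool:
    """Check: an attribute still carrying range=lo-hi (hi != '*') was not fully read."""
    for name in entry:
        parsed = parse_range_option(name)
        if parsed is not None and parsed[2] is not None:
            return True
    return False
```

Running `membership_truncated` over a cached entry is the quickest way to tell whether a consumer stopped after the first range, which is the symptom the thread describes.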