Michael Ströder wrote:
Jakub Hrozek wrote:
> On Mon, Sep 21, 2015 at 07:02:05PM +0200, Michael Ströder wrote:
>> Is it possible to let sssd always fetch all user entries by using the
>> dereference control on all visible groups?
>>
>> ldap_deref_threshold = 1 ?
>
> Yes, this should do the trick with rfc2307bis or derivatives (IPA, AD,
> ..)
Hmm, I still see searches with filter
(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))
sent by sssd (currently testing with 1.13.0, see config below).
I had hoped to switch off user searches completely at least after initializing
the cache. Do I have to tweak caching/enumeration parameters?
For the records:
It seems with enumerate = false the behaviour is more like what I want to achieve.
At least if sssd queries the group entry first (caused by getent group name)
there is absolutely no query with filter (objectClass=posixAccount).
Ciao, Michael.