On 07/23/2010 06:15 PM, Simo Sorce wrote:
> On Fri, 23 Jul 2010 17:17:11 -0400
> Scott Duckworth <sduc...@clemson.edu> wrote:
>
>> I've learned that this attribute does exist in our tree, but it's not
>> being populated when we add users to groups since our proxy user does
>> not have rights to write groupMembership to users. I'm trying to
>> find out if we can get our hands on native eDirectory tools that keep
>> groupMembership of posixAccount and member of posixGroup in sync.
>>
>> Still, if groupOf/groupMembership is not required by rfc2307bis, it
>> would be nice if SSSD did not require it.
>
> Yes, we should handle this gracefully, at least through an option.
>
>> If a user has a groupOf/groupMembership attribute pointing to a group
>> outside of ldap_group_search_base, will this be handled gracefully?
>
> Yes, the entry will simply be ignored if not resolvable.
>
> Simo.
I was discussing this with Dmitri this morning. I propose that we should probably do the following:

After retrieving the user entry, verify whether the entry contains at least one memberOf attribute. If it does, continue processing as we do now (since it will be more efficient). If not, then we should slip into compatibility mode where we will search all groups for member=<userdn>

Does this seem sensible?

--
Stephen Gallagher
RHCE 804006346421761
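The fallback Stephen proposes, written out as an added example that is not SSSD code: resolve a user's groups from memberOf when the attribute is populated, otherwise fall back to a member=<userdn> search over the group search base, and in both paths ignore groups that cannot be resolved under that base. The in-memory directory, GROUP_BASE, and the function names are constructed assumptions standing in for a real LDAP connection.

```python
# Added example (not SSSD or FreeIPA code): prototype of the memberOf / member
# fallback group resolution from the thread, run against a constructed
# in-memory directory instead of a live LDAP server.

GROUP_BASE = "ou=groups,dc=example,dc=com"  # assumed ldap_group_search_base

# Constructed sample directory: DN -> attributes (multi-valued, as LDAP returns them)
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount"],
        "memberOf": ["cn=devs,ou=groups,dc=example,dc=com",
                     "cn=ext,ou=other,dc=example,dc=com"],  # outside GROUP_BASE
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount"],  # memberOf never populated (proxy lacks rights)
    },
    "cn=devs,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "uid=bob,ou=people,dc=example,dc=com"],
    },
    "cn=ops,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "member": ["uid=bob,ou=people,dc=example,dc=com"],
    },
}

def in_base(dn: str, base: str) -> bool:
    """True if dn lies strictly below the search base (case-insensitive DN match)."""
    return dn.lower().endswith("," + base.lower())

def resolve_groups(user_dn: str) -> tuple:
    """Return (mode, sorted group DNs): 'memberOf' on the fast path,
    'compat' when falling back to the member=<userdn> search."""
    user = DIRECTORY[user_dn]
    member_of = user.get("memberOf", [])
    if member_of:
        # Fast path: trust the server-maintained attribute, but drop any value
        # that is outside the group search base or does not resolve to an entry.
        groups = [g for g in member_of if in_base(g, GROUP_BASE) and g in DIRECTORY]
        return "memberOf", sorted(groups)
    # Compatibility mode: equivalent of a subtree search under GROUP_BASE with
    # filter (&(objectClass=posixGroup)(member=<userdn>)); a real client must
    # escape user_dn per RFC 4515 before embedding it in the filter string.
    groups = [dn for dn, attrs in DIRECTORY.items()
              if in_base(dn, GROUP_BASE)
              and "posixGroup" in attrs.get("objectClass", [])
              and user_dn in attrs.get("member", [])]
    return "compat", sorted(groups)
```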