On 06/04/15 14:03, Fox, Kevin M wrote:
> Some kind of intermediate mapping might be better. With ldap, I don't
> have control over the groups users are assigned since that's an
> enterprise/AD thing. There can be a lot of them. Groups to Role
> relations I guess do that mapping. Though maybe passing groups directly
> when domains can have different group meanings might be a big problem.

Agreed, and this has caused problems for other systems in the past.

For example, the traditional AUTH_SYS as used by RPC for NFS only allowed a user to be in 16 groups because that was all the payload could hold. As more people moved from NIS to LDAP (and for some even when in NIS or NIS+), 16 groups was a big issue.

Now modern Linux and Solaris kernels support a user being in 1024 groups by having the consumer (the NFS server usually) check with the directory server (usually LDAP) when the list is exactly 16 groups.

So we know it is already common for LDAP directories to have users in a significant number of groups.

--
Darren J Moffat

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
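The following is an added example, not code from the mail thread or from OpenStack, illustrating the two points made above: the AUTH_SYS credential format from RFC 5531 section 9.2 declares its supplementary group list as gids<16>, so the wire format physically cannot carry a 17th group, and a server that sees exactly 16 gids cannot tell whether the list is complete, so it consults the directory instead. The XDR layout is RFC 5531's; the DIRECTORY dict is a constructed stand-in for an LDAP lookup, and the client-side "send the first 16" truncation is an assumption of this example.

```python
"""AUTH_SYS (AUTH_UNIX) credential encoding per RFC 5531 section 9.2.

Added example, not from the mailing-list thread. Shows why the RPC
credential can carry at most 16 supplementary gids, and a server-side
rule that consults a directory when the wire list is exactly 16.
"""
import struct

AUTH_SYS = 1              # flavor number of AUTH_SYS (also called AUTH_UNIX)
MAX_WIRE_GIDS = 16        # authsys_parms.gids is declared gids<16>
MAX_MACHINENAME = 255     # machinename<255>
MAX_OPAQUE_BODY = 400     # opaque_auth body is declared opaque body<400>

# Constructed stand-in for an LDAP directory: uid -> full group list.
DIRECTORY = {
    1001: list(range(100, 140)),   # 40 groups, more than the wire can carry
    1002: [100, 101, 102],         # 3 groups, fits in the credential
}


def _pad(n):
    """XDR pads variable-length data to a multiple of 4 bytes."""
    return (-n) % 4


def _xdr_uint(value):
    return struct.pack(">I", value)


def _xdr_opaque(data):
    """Variable-length opaque/string: 4-byte length, bytes, padding."""
    return struct.pack(">I", len(data)) + data + b"\0" * _pad(len(data))


def encode_authsys(stamp, machinename, uid, gid, gids):
    """XDR-encode an opaque_auth of flavor AUTH_SYS.

    Raises ValueError if the gids list does not fit: the gids<16> bound
    in the XDR definition is the reason a 17th group cannot be sent.
    """
    name = machinename.encode()
    if len(name) > MAX_MACHINENAME:
        raise ValueError("machinename longer than 255 bytes")
    if len(gids) > MAX_WIRE_GIDS:
        raise ValueError("AUTH_SYS carries at most 16 supplementary gids")
    body = (
        _xdr_uint(stamp)
        + _xdr_opaque(name)
        + _xdr_uint(uid)
        + _xdr_uint(gid)
        + _xdr_uint(len(gids))
        + b"".join(_xdr_uint(g) for g in gids)
    )
    assert len(body) <= MAX_OPAQUE_BODY   # always true given the bounds above
    return _xdr_uint(AUTH_SYS) + _xdr_opaque(body)


def decode_authsys(buf):
    """Parse an opaque_auth and return the credential fields as a dict."""
    flavor, body_len = struct.unpack_from(">II", buf, 0)
    if flavor != AUTH_SYS:
        raise ValueError("not an AUTH_SYS credential")
    body = buf[8:8 + body_len]
    off = 0
    stamp, name_len = struct.unpack_from(">II", body, off)
    off += 8
    name = body[off:off + name_len]
    off += name_len + _pad(name_len)
    uid, gid, ngids = struct.unpack_from(">III", body, off)
    off += 12
    if ngids > MAX_WIRE_GIDS:
        raise ValueError("gids count exceeds the gids<16> bound")
    gids = list(struct.unpack_from(">%dI" % ngids, body, off))
    return {"stamp": stamp, "machinename": name.decode(),
            "uid": uid, "gid": gid, "gids": gids}


def client_wire_gids(all_gids):
    """Client side (assumption of this example): send the first 16 groups."""
    return list(all_gids[:MAX_WIRE_GIDS])


def server_effective_gids(cred, directory):
    """Group list an NFS server should authorise against.

    Fewer than 16 gids on the wire means the list is complete, so use it.
    Exactly 16 may be a truncated list, so ask the directory for the full
    membership of the uid, falling back to the wire list if it is unknown.
    """
    wire = cred["gids"]
    if len(wire) < MAX_WIRE_GIDS:
        return wire
    return directory.get(cred["uid"], wire)


def demo(uid=1001):
    """Round-trip one credential; returns (gids on the wire, gids used)."""
    wire = client_wire_gids(DIRECTORY[uid])
    cred = encode_authsys(0x5170, "client.example", uid, 100, wire)
    parsed = decode_authsys(cred)
    return parsed["gids"], server_effective_gids(parsed, DIRECTORY)


if __name__ == "__main__":
    on_wire, used = demo()
    print("wire carried %d gids, server used %d" % (len(on_wire), len(used)))
```

The "exactly 16" rule is a heuristic, not proof of truncation: a user who really is in 16 groups also triggers the lookup, which is harmless, while a user in more than 16 groups whose uid is missing from the directory silently keeps the truncated list, so the directory query failing is the case worth alerting on in a real server.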