Hi guys, > On Thu, 2011-11-03 at 09:51 +0100, Jakub Hrozek wrote: > > On Thu, Nov 03, 2011 at 04:08:51PM +1000, GOLLSCHEWSKY, Tim wrote: > > > Are these options used anywhere? > > ldap_group_search_scope > > > ldap_group_search_filter > > > > > As Jan noted, these options will be deprecated in 1.7 and onwards. But > > even in the current releases, they only limit the initial user/group > > lookup (getent passwd/group), not group membership during initgroups. > > > > I'd like to point out that https://fedorahosted.org/sssd/ticket/960 will also > probably handle this for you. As an > add-on to > https://fedorahosted.org/sssd/ticket/868 (which handles multiple search bases > with individual lookup filters), we > will be able to properly filter out > users and groups that don't match the search base and filter. > > So I think that in 1.7.0, your issue will be solved by doing: > > ldap_group_search_base = > dc=example,dc=com?subtree?(|(cn=group1)(cn=group2)(cn=group3)) > > And the result will be that you will only see groups that match the > aforementioned filter, > even for nested groups with DN lookups.
Can I please confirm that this functionality did indeed get added to sssd 1.7.0? I should be able to do this now (if I can get 1.7.0 working. :) Best regards, Tim Gollschewsky. This e-mail is sent by Suncorp Group Limited ABN 66 145 290 124 or one of its related entities "Suncorp". Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 13 11 55 or at suncorp.com.au. The content of this e-mail is the view of the sender or stated author and does not necessarily reflect the view of Suncorp. The content, including attachments, is a confidential communication between Suncorp and the intended recipient. If you are not the intended recipient, any use, interference with, disclosure or copying of this e-mail, including attachments, is unauthorised and expressly prohibited. If you have received this e-mail in error please contact the sender immediately and delete the e-mail and any attachments from your system. _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
