On Tue, 2012-06-12 at 10:50 +0200, Jan Zelený wrote:
> > On Mon, 2012-06-11 at 21:19 -0400, Stephen Gallagher wrote:
> > > New patches attached, along with the results of my (limited)
> > > performance testing.
> > >
> > > These patches split the option into two, so it can be enabled for
> > > initgroups or group lookups separately. The testing I did on group
> > > lookups seems to suggest that it's a distinct performance hit.
> >
> > I'm wondering if we shouldn't try at least the initgroups by default.
> > What's the error for servers that do not recognize the syntax?
> > Can we 'probe' the syntax at connection time (like we check for the
> > rootdse) and set a flag about whether it works or not?
> >
> > That way we can set at least ldap_initgroups_use_matching_rule_in_chain
> > = auto or similar by default and have the benefit any time the option is
> > available w/o forcing the admins to find out.
> > It would be a pretty obscure toggle anyway, very few would take benefit
> > if we do not find a way to auto-discover it.
> >
> > Simo.
>
> The auto-discovery is possible to some degree but a bit ugly. You can do
> the following search [1]:
>
> base: CN=<domain_name>,OU=Domain Controllers,<suffix>
> scope: base
> attributes: operatingSystemVersion, operatingSystemServicePack
>
> And then use the following condition to detect if the server supports the
> feature (the code is not accurate, it only demonstrates the idea. Some
> processing of both attributes would be necessary beforehand):
>
> if ((operatingSystemVersion == 3790 &&
>      operatingSystemServicePack >= 2) ||
>     operatingSystemVersion > 3790)
>     return true;
> else
>     return false;

This would probably fail with Samba that fakes up the version reported.

No, I was talking about actually probing the functionality.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
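
An added example, not part of either message and not SSSD code: the version check sketched in the quoted message, including the attribute processing it leaves out. The value formats "5.2 (3790)" and "Service Pack 2" and all names are assumptions; a server whose values do not parse in that form yields MRC_UNKNOWN instead of a guess.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tri-state result: a server we cannot classify is "unknown", not "no". */
enum mrc_support { MRC_UNKNOWN = -1, MRC_NO = 0, MRC_YES = 1 };

/* Assumed format: "<major>.<minor> (<build>)", e.g. "5.2 (3790)". */
static int parse_build(const char *s, long *build)
{
    const char *open = s ? strchr(s, '(') : NULL;
    char *end;
    if (open == NULL) return -1;
    *build = strtol(open + 1, &end, 10);
    return (end == open + 1 || *end != ')' || *build <= 0) ? -1 : 0;
}

/* Assumed format: "Service Pack <n>"; an absent attribute means level 0. */
static int parse_service_pack(const char *s, long *level)
{
    static const char prefix[] = "Service Pack ";
    char *end;
    *level = 0;
    if (s == NULL || *s == '\0') return 0;
    if (strncmp(s, prefix, sizeof(prefix) - 1) != 0) return -1;
    s += sizeof(prefix) - 1;
    *level = strtol(s, &end, 10);
    return (end == s || *end != '\0' || *level < 0) ? -1 : 0;
}

/* Same condition as the quoted sketch: build 3790 with SP >= 2, or newer. */
enum mrc_support mrc_supported(const char *os_version, const char *service_pack)
{
    long build, sp;
    if (parse_build(os_version, &build) != 0) return MRC_UNKNOWN;
    if (build != 3790) return build > 3790 ? MRC_YES : MRC_NO;
    if (parse_service_pack(service_pack, &sp) != 0) return MRC_UNKNOWN;
    return sp >= 2 ? MRC_YES : MRC_NO;
}

int main(void)
{
    /* Constructed sample values, not taken from a real server. */
    printf("%d\n", mrc_supported("5.2 (3790)", "Service Pack 2"));
    printf("%d\n", mrc_supported("5.2 (3790)", NULL));
    printf("%d\n", mrc_supported("4.9.0", NULL));
    return 0;
}
```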