On Tue, Sep 23, 2014 at 04:40:25PM +0200, Pavel Reichl wrote: > > On 09/09/2014 10:41 PM, Jakub Hrozek wrote: > >Hi, > > > >the attached patch enables cross-domain group lookups. > > > >Even though AD trusts often work with POSIX attributes which are > >normally not replicated to GC, our group lookups are smart since commit > >008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using > >the LDAP connection and only use the GC connection to look up the members. > > > >I tested the patch with trusts that use ID-mapping, there the > >cross-domain memberships are resolved fine. > > > >For setups that use POSIX mapping, only the members from the domain that > >the group belongs to is visible -- that is because the AD back end > >currently tests if POSIX attributes are in use and if they are, GC > >support is completely disabled. Perhaps this is something to work on in > >1.13 when we refactor the group membership, but for now I'd like to keep > >the patch (and associated risk) minimal. > > > > > >_______________________________________________ > >sssd-devel mailing list > >sssd-devel@lists.fedorahosted.org > >https://lists.fedorahosted.org/mailman/listinfo/sssd-devel > ACK
Thank you for the review, pushed upstream: * master: a20ce8cd43d72c89e2ea1d65aefe24ba270f040f * sssd-1-11: 16e2463e4f9ef93825b8f00f4ab1a1c9158eee82 _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
