Hi, I'm sending this man page amendment on behalf of one of our users who suggested improving the description of ignore_group_members.
>From 6c8cee6aeb6548bfc78d1ba2979a3ba8b002c522 Mon Sep 17 00:00:00 2001 From: John Dickerson <jedic...@iastate.edu> Date: Fri, 12 Dec 2014 10:38:10 +0100 Subject: [PATCH] MAN: Amend the description of ignore_group_members
The option description should hint that enabling this option may have a positive effect on access control, especially with large groups. See https://bugzilla.redhat.com/show_bug.cgi?id=1172338 for an example where ignoring the group members helped. --- src/man/sssd.conf.5.xml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 2002ccc7caf7013ead5b97c463fba46b734090ae..ac45f0a044b578210e13197d6ae0681ff2a24220 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -1487,7 +1487,25 @@ fallback_homedir = /home/%u If set to TRUE, the group membership attribute is not requested from the ldap server, and group members are not returned when processing - group lookup calls. + group lookup calls, such as + <citerefentry> + <refentrytitle>getgrnam</refentrytitle> + <manvolnum>3</manvolnum> + </citerefentry> + or + <citerefentry> + <refentrytitle>getgrgid</refentrytitle> + <manvolnum>3</manvolnum> + </citerefentry>. + As an effect, <quote>getent group + $groupname</quote> would return the requested + group as if it was empty. + </para> + <para> + Enabling this option can also make access + provider checks for group membership + significantly faster, especially for groups + containing many members. </para> <para> Default: FALSE -- 2.1.0
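Review bot: The added second paragraph ("Enabling this option can also make access provider checks for group membership significantly faster") states the benefit without saying why membership checks keep working once members are no longer requested, directly after the first paragraph says the group is returned "as if it was empty". Someone configuring group-based access control needs to know which lookups change: suggest one more sentence stating explicitly whether resolving the list of groups a user belongs to is unaffected, and noting that anything reading the member list returned by getgrnam(3) or getgrgid(3) will see no members. Wording in the first added paragraph: "As an effect" reads better as "As a result", "as if it was empty" as "as if it were empty", and $groupname inside the quote element could be marked up with the replaceable element so it is clearly a placeholder.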