On Tue, Sep 22, 2015 at 02:03:09PM +0200, Michael Ströder wrote:
> Michael Ströder wrote:
> > Jakub Hrozek wrote:
> >> On Mon, Sep 21, 2015 at 07:02:05PM +0200, Michael Ströder wrote:
> >>> Is it possible to let sssd always fetch all user entries by using the
> >>> dereference control on all visible groups?
> >>>
> >>> ldap_deref_threshold = 1 ?
> >>
> >> Yes, this should do the trick with rfc2307bis or derivatives (IPA, AD,
> >> ..)
> >
> > Hmm, I still see searches with filter
> > (&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))
> > sent by sssd (currently testing with 1.13.0, see config below).
> >
> > I had hoped to switch off user searches completely at least after
> > initializing the cache. Do I have to tweak caching/enumeration parameters?
>
> For the records:
>
> It seems with enumerate = false the behaviour is more like what I want to
> achieve.

Ah, sorry, I missed that you're trying to use enumerate=true. Yeah, that
doesn't use deref, the code is actually much simpler:
* ldapsearch all users
* ldapsearch all groups
* establish the user-group memberships in the cache

>
> At least if sssd queries the group entry first (caused by getent group name)
> there is absolutely no query with filter (objectClass=posixAccount).

Yep, we search the group entry and then dereference its members.
_______________________________________________
sssd-users mailing list
https://lists.fedorahosted.org/mailman/listinfo/sssd-users