Jakub Hrozek wrote:
> On Tue, Sep 22, 2015 at 02:03:09PM +0200, Michael Ströder wrote:
>> For the records:
>>
>> It seems with enumerate = false the behaviour is more like what I want to 
>> achieve.
> 
> Ah, sorry, I missed that you're trying to use enumerate=true.

No problem. Actually enumerate = true was just in my local test installations.

>> At least if sssd queries the group entry first (caused by getent group name)
>> there is absolutely no query with filter (objectClass=posixAccount).
> 
> Yep, we search the group entry and then dereference its members.

The production sssd configuration has enumerate = false. Tested only with
1.13.0 so far. If it also reliably works with 1.9.6 I'm quite happy with it.

Hm, in Æ-DIR [1] I also explicitly define the sudoers entries visible for a
certain server group. Would be nice if I could use a deref spec like
aeSrvGroup:aeVisibleSudoers to search for getting all sudoers entries more
efficiently. I probably would have to implement an extra sssd backend similar
to sssd-ipa for this.

[1] http://www.stroeder.com/publications.html#gpn15

Ciao, Michael.


_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
