> with LDAP, recursively searching for all nested subgroups, sub-sub-groups,
> etc. -- that can be an expensive operation.
>
> the default ldap_group_nesting_level is 2. You might try to set that to
> some larger number (like 5 or 6) to see if it makes any difference.

So... We divide users into different teams (groups), e.g. sysadmins, testers, etc., and then give these groups membership to other groups rather than the user directly. So, according to my understanding, a nesting level of 2 should be enough? However, when I run getent group testers, I don't get any results unless I give a specific user membership to that group.

What I want:

IPA:
    group: sysadmins
        member: user1
        member: user2
        member: user3

    group: prod
        member: sysadmins

getent group prod
prod:<GID>: user1,user2,user3

> If you're connecting to AD, there's an optimization that's not expensive
> (to clients doing LDAP searches) called 'tokengroups'.

IPA is being used as our LDAP server. It's working for my old clients using nslcd and nscd, but not for the newer ones using SSSD...
