On 12/22/2010 07:25 PM, GOLLSCHEWSKY, Tim wrote:
> Hi Sumit,
> Thanks for your response.
>> On Tue, Dec 21, 2010 at 04:02:14PM +1000, GOLLSCHEWSKY, Tim wrote:
>>> Hi all.
>>>
>>> I'm running sssd on RHEL6 and seem to have a problem seeing
>>> secondary/auxiliary groups for logged in users.
> [snip]
>>>
>>> Could it be because our AD has many more than 1000 users and 1000 groups? If so,
>>> is there any way to increase this limit?
>>
>> AD only sends 1000 entries at a time. This is called paging and we plan
>> to support paging with sssd 1.6 (see trac ticket #658). With this large
>> amount of users and groups I would recommend to set 'enumerate = false',
>> because for most of the typical use cases this should be sufficient.
> OK, I've done some more testing and I believe I've found the issue.
> My original testing was on RHEL6, which currently ships with v1.2.1 of sssd. This
> version doesn't show the aux groups no matter what I do with "enumerate" or
> if I restrict my ldap_group_search_base to a filter that returns less than 1000 groups.
> The way I got things to work was by downloading the stock RHEL6 SRPM and rebuilding it
> with sssd v1.2.2. So I guess somewhere in v1.2.1 -> v1.2.2 there was a patch to fix
> the auxiliary group search in LDAP.
> Note, this works now whether "enumerate" is set to true or false.
> Looks like I have to wait until RHEL6 supports sssd v1.2.2 or higher before we can
> migrate our server fleet to RHEL6.

What version of the SSSD package are you using in RHEL6?
sssd-1.2.1-28.el6_0.4 should contain all fixes from 1.2.2 backported.
Specifically, the group fixes should have been pulled into
sssd-1.2.1-28.el6_0.1
--
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/