Hi,
On Thursday 09 September 2010 15:14:10 Ralf Haferkamp wrote:
> [..]
> I have started working on a patch to let sssd look up the non-cached
> users via LDAP (and save them into the cache). Find it attached. Note:
> That patch is not really complete (e.g. it doesn't handle rfc2307
> groups correctly). But before putting more effort into this I like to
> make sure that I am not trying to fix a "feature" here.

Find a newer version of my patch attached. Actually it's 3 patches now.
Please review.
Patch1: This just adds a new flag to save_groups() to indicate that the
group's member attribute is already populated with the members' sysdb
DNs (instead of LDAP DNs). As I need to look up the group members in
sysdb anyway when processing the group, this saves some redundant
sysdb lookups when storing the group.
Patch2: This is a somewhat improved version of my last patch.
- better error handling
- limit the number of LDAP requests that are issued before
starting to process the results. This is especially needed when
dealing with large groups, otherwise the server might choke on us
(e.g. OpenLDAP has a (configurable) limit of 100 pending operations
per anonymous connection and 1000 per authenticated connection).
OTOH sending multiple LDAP requests at once will speed things up a
bit compared to just sending the next request after processing the
result of the previous one.
- populate the "member" attribute with the correct sysdb DNs to
utilize Patch1.
- limit the group unrolling to rfc2307bis for now. rfc2307 and IPA
need to be treated differently as discussed previously in this
thread.
Patch3: This adds a new config option, "ldap_unroll_group_members", to
enable/disable group unrolling.
regards,
Ralf
--
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
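As an added illustration of the bounded-window idea from the second bullet of Patch2 (a constructed Python simulation, not part of the email above and not sssd's code): a fake directory server that refuses any operation beyond a per-connection cap on outstanding requests, and a client loop that keeps at most `window` member lookups in flight before draining results. The 250-member group, the cap of 100 and the DN layout are constructed sample values; real servers differ in how they react to exceeding the limit.

```python
# Constructed illustration of keeping a bounded number of LDAP requests
# outstanding. The fake server and the client loop are both made up here;
# this is not sssd code.
from collections import deque


class FakeLdapServer:
    """Stand-in for a directory server that caps the number of operations
    a single connection may have outstanding. Any request submitted
    beyond the cap is refused instead of being queued (constructed
    behaviour for the simulation)."""

    def __init__(self, max_pending):
        self.max_pending = max_pending
        self._pending = deque()
        self.refused = 0

    def submit(self, dn):
        """Return True if the lookup was accepted, False if refused."""
        if len(self._pending) >= self.max_pending:
            self.refused += 1
            return False
        self._pending.append(dn)
        return True

    def next_result(self):
        """Deliver the oldest outstanding result (FIFO on one connection)."""
        dn = self._pending.popleft()
        # Derive a uid from the first RDN; a real entry would carry more.
        uid = dn.split(",", 1)[0].split("=", 1)[1]
        return {"dn": dn, "uid": uid}


def lookup_members(server, member_dns, window):
    """Resolve member DNs, keeping at most `window` requests in flight.

    Returns (results, refused_dns). With `window` at or below the server's
    cap nothing is refused; with an unbounded window the server refuses
    every request past its cap and those members are lost.
    """
    if window < 1:
        raise ValueError("window must be at least 1")
    todo = deque(member_dns)
    results, refused = [], []
    in_flight = 0
    while todo or in_flight:
        # Fill the window before touching any results.
        while in_flight < window and todo:
            dn = todo.popleft()
            if server.submit(dn):
                in_flight += 1
            else:
                refused.append(dn)
        # Drain one result, which frees a slot for the next request.
        if in_flight:
            results.append(server.next_result())
            in_flight -= 1
    return results, refused


# Constructed sample group: 250 members; server cap of 100 pending ops.
MEMBER_DNS = [f"uid=user{i},ou=People,dc=example,dc=com" for i in range(250)]


def run(window, cap=100):
    """Return (resolved_count, refused_count) for one simulated group lookup."""
    server = FakeLdapServer(max_pending=cap)
    results, refused = lookup_members(server, MEMBER_DNS, window)
    return len(results), len(refused)


if __name__ == "__main__":
    print("window=50  :", run(50))    # (250, 0): everything resolved
    print("window=1000:", run(1000))  # (100, 150): server refused the rest
```

The point the simulation makes is the trade-off in the email: a window of 1 degenerates to request/response lockstep, a window larger than the server's cap loses members, and anything in between pipelines lookups without exceeding the limit.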