In the generic case, the DN might simply look like
"cn=name,ou=accounts,dc=example,dc=com" and then only a lookup can tell if
it's a user or a group.
What I was telling Tim earlier was that we might want to do the LDAP-search based
heuristics also in cases when the group and user containers are distinct, such as
"ou=Users,dc=example,dc=com" and "ou=Groups,dc=example,dc=com".
Just to add to this, I think a lot of organisations with large-ish AD directories would
have theirs set up like this (Accounts and Groups in separate OUs). It's just too
messy to do it otherwise.
It sounds like this happens by default with IPA; if there were some way we could enable
this for AD as well (perhaps with a config option that specified the OUs for Accounts and
Groups), it would save SSSD from doing the LDAP searches just to distinguish whether the
record is a user or a group, and would be a huge win for performance.
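As an added illustration of the container-based heuristic discussed above (example code, not SSSD's own), the function below classifies a DN from a pair of assumed configured bases for accounts and groups, and falls back to "unknown" when the DN sits under neither, or when both bases are the same container, so only a directory lookup can decide:

```python
import re

# Added example, not SSSD code. Assumes two configured search bases (users_base,
# groups_base) and decides user/group purely from the DN's container.
# Assumption: attribute types and values are compared case-insensitively, which
# matches how AD treats DN strings; multi-valued RDNs (a+b=...) are not handled.

def parse_dn(dn):
    """Split a DN into (attr, value) pairs, ignoring escaped commas like 'Smith\\, John'."""
    rdns = re.split(r'(?<!\\),', dn)
    parsed = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition('=')
        parsed.append((attr.strip().lower(), value.strip().lower()))
    return parsed

def is_under(dn, base):
    """True if the base's RDNs are a proper suffix of the DN's RDNs (subtree match)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) > len(b) and d[-len(b):] == b

def classify(dn, users_base, groups_base):
    """Return 'user', 'group', or 'unknown' (the generic case where only a lookup can tell)."""
    under_users = is_under(dn, users_base)
    under_groups = is_under(dn, groups_base)
    if under_users and not under_groups:
        return 'user'
    if under_groups and not under_users:
        return 'group'
    return 'unknown'

if __name__ == '__main__':
    # Constructed sample DNs, not taken from any real directory.
    users, groups = 'ou=Users,dc=example,dc=com', 'ou=Groups,dc=example,dc=com'
    for dn in ('cn=alice,ou=Users,dc=example,dc=com',
               'CN=admins, OU=Groups, DC=Example, DC=com',
               'cn=bob,ou=accounts,dc=example,dc=com'):
        print(dn, '->', classify(dn, users, groups))
```

Because the match is a suffix match, entries nested in sub-OUs beneath the configured base are still classified, which is what a subtree-scoped search would return.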