On Wed, Jan 27, 2016 at 4:07 AM, Jakub Hrozek jhrozek@redhat.com wrote:
> On Tue, Jan 26, 2016 at 05:50:06PM -0500, James Ralston wrote:
>> It's a long story, but what we are trying to do here is to take regular snapshots of our AD users and groups, and sssd's getpwnam()/getgrnam() mapping is the perfect way to do it. I think I understand why distribution groups are filtered by default (they're not security-enabled in AD, and can't be used in Windows ACLs), but in this one particular case, we really do want to be able to enumerate every single group.
>
> can you try setting: ldap_group_type = nosuchattr ?
>
> That should trick sssd into not seeing the group type at all and would avoid filtering I guess (not tested).

Unfortunately, this doesn't work: if sssd can't determine the group type, it filters ALL groups, instead of filtering no groups.

Hmmm. If sssd can't determine the group type, wouldn't it be better to filter no groups, instead of all groups? Because filtering all groups is essentially the same thing as disabling group lookups entirely. That doesn't seem like the best behavior to choose.

Then again, maybe a cleaner approach would be to add a ldap_group_filtering option, and make the default value true (filter groups that aren't security groups)? Tricking sssd by telling it to look at the wrong field for the group type seems like a hack. :-(
On 27 Jan 2016, at 20:09, James Ralston ralston@pobox.com wrote:
> On Wed, Jan 27, 2016 at 4:07 AM, Jakub Hrozek jhrozek@redhat.com wrote:
>> On Tue, Jan 26, 2016 at 05:50:06PM -0500, James Ralston wrote:
>>> It's a long story, but what we are trying to do here is to take regular snapshots of our AD users and groups, and sssd's getpwnam()/getgrnam() mapping is the perfect way to do it. I think I understand why distribution groups are filtered by default (they're not security-enabled in AD, and can't be used in Windows ACLs), but in this one particular case, we really do want to be able to enumerate every single group.
>>
>> can you try setting: ldap_group_type = nosuchattr ?
>>
>> That should trick sssd into not seeing the group type at all and would avoid filtering I guess (not tested).
>
> Unfortunately, this doesn't work: if sssd can't determine the group type, it filters ALL groups, instead of filtering no groups.

Interesting, I need to test this locally. I hope to find some time tomorrow, if not, feel free to bump this thread again.

> Hmmm. If sssd can't determine the group type, wouldn't it be better to filter no groups, instead of all groups? Because filtering all groups is essentially the same thing as disabling group lookups entirely. That doesn't seem like the best behavior to choose.
>
> Then again, maybe a cleaner approach would be to add a ldap_group_filtering option, and make the default value true (filter groups that aren't security groups)? Tricking sssd by telling it to look at the wrong field for the group type seems like a hack. :-(

sssd-users mailing list: sssd-users@lists.fedorahosted.org, https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
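The two behaviours argued over in this thread (filter every group whose type cannot be read, versus filter only groups positively known to be distribution groups) are easy to confuse unless the decision is written down. The following is an added example, not sssd's own code: it models how an AD group is classified from its groupType attribute and shows what each policy does when the attribute is absent or pointed at a non-existent name, as with ldap_group_type = nosuchattr. It assumes the 0x80000000 bit of groupType is the security-enabled flag (Microsoft's documented value); the entries, the function names is_security_enabled and visible_groups, and the keep_unknown switch are all constructed for illustration and do not correspond to any sssd option.

```python
# Added example, not sssd code: classify AD groups by the groupType
# bitmask and compare two policies for groups whose type is unknown.
#
# Assumption: GROUP_TYPE_SECURITY_ENABLED is the 0x80000000 bit of the
# AD groupType attribute (Microsoft's documented flag).  The entries
# below are constructed, not captured from a real directory.

GROUP_TYPE_SECURITY_ENABLED = 0x80000000

# Constructed LDAP entries in the attribute -> [values] shape that
# python-ldap and similar clients return.  AD serialises groupType as a
# signed 32-bit decimal string, so security groups show up negative.
SAMPLE_ENTRIES = [
    {"cn": ["linux-admins"],   "groupType": ["-2147483646"]},  # security, global scope
    {"cn": ["dl-everyone"],    "groupType": ["2"]},            # distribution, global scope
    {"cn": ["ipa-bridge"],     "groupType": ["-2147483644"]},  # security, domain local
    {"cn": ["newsletter"],     "groupType": ["8"]},            # distribution, universal
    {"cn": ["legacy-no-type"]},                                # attribute absent
]


def is_security_enabled(entry, attr="groupType"):
    """True/False for a group with a readable group type, or None when the
    attribute named by `attr` is missing or unparsable (the case the thread
    calls "sssd can't determine the group type")."""
    values = entry.get(attr)
    if not values:
        return None
    try:
        raw = int(values[0])
    except ValueError:
        return None
    # Normalise the signed 32-bit value to unsigned before testing the
    # high bit; -2147483646 becomes 0x80000002.
    return bool((raw & 0xFFFFFFFF) & GROUP_TYPE_SECURITY_ENABLED)


def visible_groups(entries, attr="groupType", keep_unknown=False):
    """Names of the groups that survive filtering.

    keep_unknown=False mirrors the behaviour James observed: a group whose
    type cannot be determined is dropped, so pointing `attr` at a
    non-existent attribute drops every group.  keep_unknown=True is the
    alternative he argues for: drop only groups positively known not to be
    security-enabled.
    """
    kept = []
    for entry in entries:
        sec = is_security_enabled(entry, attr)
        if sec is True or (sec is None and keep_unknown):
            kept.append(entry["cn"][0])
    return kept


if __name__ == "__main__":
    print("default, groupType readable:", visible_groups(SAMPLE_ENTRIES))
    print("keep unknown, groupType readable:",
          visible_groups(SAMPLE_ENTRIES, keep_unknown=True))
    # Equivalent of ldap_group_type = nosuchattr under each policy.
    print("default, nosuchattr:", visible_groups(SAMPLE_ENTRIES, attr="nosuchattr"))
    print("keep unknown, nosuchattr:",
          visible_groups(SAMPLE_ENTRIES, attr="nosuchattr", keep_unknown=True))
```

With the default policy, the "nosuchattr" run returns an empty list, which is the outcome James reports (every group filtered). The keep_unknown policy returns all five groups for that run, and with a readable groupType it still drops the two distribution groups while letting the entry with no groupType through; that is the difference between "filter what we know is not a security group" and "filter what we cannot prove is one".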