From 708c6bb6e4b18c972aa08695dbb0810242f53d5c Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 7 Nov 2014 13:58:17 +0100
Subject: [PATCH 08/45] LDAP: Disable token groups by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We tried to speed up processing of initgroup lookups with tokenGroups even for
the LDAP provider (if the remote server is Active Directory), but it turns out that
there are too many corner cases that we didn't catch during development that
break. For instance, groups from other trusted domains might appear in TG and
the LDAP provider isn't equipped to handle them.

Overall, users who wish to use the added speed benefits of tokenGroups are
advised to use the AD provider.

Resolves:
https://fedorahosted.org/sssd/ticket/2483

Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 5febf5ed0cfb4ba7665d8c3e36ee6941988da773)
---
 src/man/sssd-ldap.5.xml        | 2 +-
 src/providers/ldap/ldap_opts.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index ecbf2f54c189ab91e797c2ddf05b209cab43c6c3..557cafcb223a35f9dd61d9761bea29c75613c6c0 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -991,7 +991,7 @@
                           Active Directory Server 2008 and later.
                         </para>
                         <para>
-                            Default: True
+                            Default: True for AD and IPA otherwise False.
                         </para>
                     </listitem>
                 </varlistentry>
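Review bot: The replacement default text "Default: True for AD and IPA otherwise False." is missing punctuation and states a fact this patch does not itself establish: the only default flipped in the diffstat is the one in src/providers/ldap/ldap_opts.h, so the claim that the AD and IPA providers keep True rests on their own option tables, which are not touched here. Suggest rewording to "Default: True for the AD and IPA providers, otherwise False." and confirming in review that the ad_opts / ipa_opts tables still carry BOOL_TRUE for ldap_use_tokengroups, since readers of sssd-ldap(5) will now rely on that statement. It would also help to add one sentence saying why the LDAP provider default changed (groups from trusted domains returned in tokenGroups cannot be resolved by this provider, so group membership could come out incomplete or wrong), as the commit message explains but the man page does not.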
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 82d46e75d59f0a124ff40e33043de552a9f06453..83dae85145420b1ef079157b77fa7506bff9b728 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -114,7 +114,7 @@ struct dp_option default_basic_opts[] = {
     { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
     { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
-    { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE},
+    { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE},
     { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
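Review bot: The added line `{ "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE},` keeps the missing space before the closing brace from the line it replaces, unlike every neighbouring entry in default_basic_opts (e.g. `BOOL_FALSE, BOOL_FALSE },`); since the line is being rewritten anyway, bring it in line with the surrounding style. More importantly, this table is only the LDAP provider's defaults: the man page hunk in this same patch promises the option stays True for AD and IPA, so the reviewer should check that those providers' option tables are not built from default_basic_opts with this entry inherited, otherwise this one-line flip silently disables tokenGroups there too and the documentation becomes wrong. Note that flipping the default is a behaviour change for existing deployments using the LDAP provider against Active Directory: initgroups will fall back to regular member/memberOf searches, which is slower but avoids the incorrect group sets the commit message describes, so the change is the conservative, authorization-safe direction and deserves a line in the release notes.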
-- 
2.4.3