On Mon, Jun 02, 2014 at 03:03:19PM +0200, Sumit Bose wrote:
> Hi,
> 
> I'm preparing a design page for
> https://fedorahosted.org/freeipa/ticket/4031 "[RFE] Support initgroups
> for unauthenticated AD users".
> 
> Since we are using SSSD in ipa-server-mode in the server, the IPA server
> is able to resolve group memberships even if the user is not
> authenticated. To make the information available to the client the
> extdom plugin should be enhanced to send the information from the server
> to the clients.
> 
> My question is, what would be the best type of data to send to the
> clients. The obvious first answer is a list of GIDs. But since we have
> views this would require additional processing and LDAP lookups on the
> server side. As an alternative we can send a list of fully qualified
> group names or a list of SIDs (as long as we are only looking at trust
> to AD). Both are independent of the view, but would require additional
> lookups from the client for the GID if the group with the given fully
> qualified name or SID is not already in the cache. But this will
> basically only happen if the cache is empty, whereas the additional
> processing due to user-views on the server would happen on every request
> if we only send the list of GIDs.
> 
> So, I'm tending to the list of fully qualified names. Does anyone have
> concerns or other suggestions?

As an additional suggestion, I also think in server mode you can ignore
that the FQDN format is technically configurable and just use
user@domain, IIRC the SSSD in server mode should even disallow any other
format.
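The trade-off discussed above (names sent by the server, GIDs looked up by the client only on a cache miss, and the name@domain format from the reply) modelled as an added illustration. This is not FreeIPA, SSSD or extdom code and not from either author; the cache contents, the ad.example.test domain, the group names and the GIDs are constructed sample values, and the lookup callback is a stand-in for whatever the client would actually query.

```python
"""Client-side resolution of fully qualified AD group names to GIDs.

Added illustration, not FreeIPA/SSSD code. It models the trade-off from the
thread: the server sends fully qualified group names, and the client only
performs an extra lookup when a name is missing from its local cache.
All names, domains and GIDs below are constructed sample values.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the client's group cache (name@domain -> GID).
SAMPLE_CACHE: Dict[str, int] = {
    "domain users@ad.example.test": 10513,
    "developers@ad.example.test": 10600,
}

# Constructed stand-in for what a directory lookup returns on a cache miss.
SAMPLE_DIRECTORY: Dict[str, int] = {
    **SAMPLE_CACHE,
    "auditors@ad.example.test": 10601,
}


def parse_fq_name(fq_name: str) -> Tuple[str, str]:
    """Split 'name@domain' into its parts, rejecting anything else.

    Only the name@domain format is accepted, as suggested in the reply.
    The split is on the last '@' so a name containing '@' still works,
    and an empty name or domain is an error. Both parts are lowercased
    because AD names are matched case-insensitively (assumption here).
    """
    if "@" not in fq_name:
        raise ValueError(f"not a fully qualified name: {fq_name!r}")
    name, _, domain = fq_name.rpartition("@")
    if not name or not domain:
        raise ValueError(f"empty name or domain in: {fq_name!r}")
    return name.lower(), domain.lower()


class GroupResolver:
    """Resolve fully qualified group names to GIDs through a cache.

    `lookup` is whatever the client uses to fetch a group on a cache miss;
    it returns the GID or None when the group is unknown.
    """

    def __init__(self, cache: Dict[str, int],
                 lookup: Callable[[str], Optional[int]]) -> None:
        self._cache = dict(cache)
        self._lookup = lookup
        self.lookups = 0  # cache misses that caused a lookup

    def resolve(self, fq_names: List[str]) -> Tuple[List[int], List[str]]:
        """Return (gids, unresolved) for the given fully qualified names."""
        gids: List[int] = []
        unresolved: List[str] = []
        for fq_name in fq_names:
            name, domain = parse_fq_name(fq_name)
            key = f"{name}@{domain}"
            gid = self._cache.get(key)
            if gid is None:
                self.lookups += 1
                gid = self._lookup(key)
                if gid is None:
                    unresolved.append(key)
                    continue
                self._cache[key] = gid  # fill the cache for the next request
            gids.append(gid)
        return gids, unresolved


def demo() -> Tuple[int, int, List[str]]:
    """Resolve the same list twice: lookups happen only on the cold pass."""
    resolver = GroupResolver(SAMPLE_CACHE, SAMPLE_DIRECTORY.get)
    names = ["Developers@AD.example.test", "auditors@ad.example.test"]
    _, unresolved = resolver.resolve(names)
    first_pass = resolver.lookups
    resolver.resolve(names)
    return first_pass, resolver.lookups - first_pass, unresolved


if __name__ == "__main__":
    print(demo())  # one lookup on the first pass, none on the second
```

The second pass costs no lookups because every name is now cached, which is the case the thread makes for sending names rather than GIDs; a group the lookup cannot find is reported in `unresolved` instead of silently dropping the membership.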

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel