On Mon, 26 Jul 2010 09:33:22 -0400 Stephen Gallagher <[email protected]> wrote:
> I was discussing this with Dmitri this morning. I propose that we
> should probably do the following:
>
> After retrieving the user entry, verify whether the entry contains at
> least one memberOf attribute. If it does, continue processing as we do
> now (since it will be more efficient). If not, then we should slip
> into compatibility mode where we will search all groups for
> member=<userdn>
>
> Does this seem sensible?

Yes and no.

Actually we should really have a switch that tells us whether we fully trust memberof to give us the complete picture (IPA case) or if we should use it only as a hint (AD and servers that do not use memberof at all).

In AD for example we currently return only direct memberships because in AD member/memberof are linked attributes; this means memberof does not contain DNs of indirect group memberships. I believe eDirectory is probably the same even when their memberof-equivalent attribute is set (assuming they support nesting at all).

Of course we can also have a switch to allow searching for nested groups or not, so that we do not cause unnecessary searches on deployments that do not use any form of nesting. The parameter should actually probably be an integer that determines the level of nesting we allow to search at runtime, with 0 meaning none and any other value up to a maximum we define allowing deeper and deeper nesting.

Simo.

-- 
Simo Sorce * Red Hhat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
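The resolution logic the two messages above are discussing, as an added worked example that is not SSSD or FreeIPA code: a trust switch decides whether memberOf is taken as the complete answer (the IPA case) or only as a hint, and an integer nesting level bounds how many member=<dn> searches compatibility mode is allowed to chain. The in-memory directory, the DNs, the `MAX_NESTING_LEVEL` cap and the three "memberOf modes" are all constructed for the example; the real servers and the real SSSD option names differ.

```python
"""Resolve a user's groups from an LDAP-like directory, either trusting
memberOf or falling back to bounded member=<dn> searches.

Added example, not SSSD/FreeIPA code.  Everything below (entries, DNs,
attribute handling, the nesting cap) is constructed for illustration.
"""
from typing import Dict, List, Set

# Constructed DNs; nesting is alice -> devs -> eng -> staff.
USER = "uid=alice,cn=users,dc=example,dc=com"
DEVS = "cn=devs,cn=groups,dc=example,dc=com"
ENG = "cn=eng,cn=groups,dc=example,dc=com"
STAFF = "cn=staff,cn=groups,dc=example,dc=com"

# Hypothetical upper bound on the runtime nesting parameter ("up to a
# maximum we define" in the discussion); the value is an assumption.
MAX_NESTING_LEVEL = 10


class Directory:
    """Minimal stand-in for an LDAP server: dn -> attributes, plus a
    counter so the cost of compatibility mode is visible."""

    def __init__(self, entries: Dict[str, Dict[str, List[str]]]) -> None:
        self.entries = entries
        self.searches = 0

    def get(self, dn: str) -> Dict[str, List[str]]:
        return self.entries[dn]

    def search_member(self, dn: str) -> List[str]:
        """Equivalent of one LDAP search with filter (member=<dn>)."""
        self.searches += 1
        return [g for g, attrs in self.entries.items()
                if dn in attrs.get("member", [])]


def build_directory(memberof_mode: str) -> Directory:
    """memberof_mode (constructed):
         'full'   - memberOf lists direct and indirect groups (IPA-like)
         'direct' - memberOf lists direct groups only (AD-like linked attribute)
         'none'   - server does not maintain memberOf at all"""
    user: Dict[str, List[str]] = {"objectClass": ["posixAccount"]}
    if memberof_mode == "full":
        user["memberOf"] = [DEVS, ENG, STAFF]
    elif memberof_mode == "direct":
        user["memberOf"] = [DEVS]
    elif memberof_mode != "none":
        raise ValueError(memberof_mode)
    return Directory({
        USER: user,
        DEVS: {"member": [USER]},
        ENG: {"member": [DEVS]},
        STAFF: {"member": [ENG]},
    })


def resolve_groups(directory: Directory, user_dn: str,
                   trust_memberof: bool, nesting_level: int) -> Set[str]:
    """Return the DNs of all groups the user belongs to.

    trust_memberof: True when memberOf is known to be complete; it is then
                    returned as-is and no group search is issued.
    nesting_level:  levels of group-in-group to follow in compatibility
                    mode; 0 = direct memberships only.
    """
    nesting_level = max(0, min(nesting_level, MAX_NESTING_LEVEL))
    memberof = directory.get(user_dn).get("memberOf", [])
    if trust_memberof and memberof:
        return set(memberof)

    # Compatibility mode.  If memberOf is present but untrusted it is only
    # a hint: it names the direct groups and saves the first search.
    direct = list(memberof) if memberof else directory.search_member(user_dn)
    found: Set[str] = set(direct)
    frontier = direct
    for _level in range(nesting_level):
        next_frontier: List[str] = []
        for group_dn in frontier:
            for parent in directory.search_member(group_dn):
                if parent not in found:   # also protects against group cycles
                    found.add(parent)
                    next_frontier.append(parent)
        if not next_frontier:
            break                         # nothing deeper to expand
        frontier = next_frontier
    return found
```

Against the AD-like directory, `resolve_groups(d, USER, True, 5)` returns only the direct group, which is the incomplete picture the reply warns about when memberOf is trusted on a server whose memberOf is a linked attribute; with `trust_memberof=False` and a nesting level of 2 or more the same call walks up to all three groups, one search per level.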
