On Mon, 26 Jul 2010 09:33:22 -0400
Stephen Gallagher <sgall...@redhat.com> wrote:

> I was discussing this with Dmitri this morning. I propose that we
> should probably do the following:
> After retrieving the user entry, verify whether the entry contains at
> least one memberOf attribute. If it does, continue processing as we do
> now (since it will be more efficient). If not, then we should slip
> into compatibility mode where we will search all groups for
> member=<userdn>
> Does this seem sensible?

yes and no.

Actually we should really have a switch that tells us whether we fully
trust memberof to give us the complete picture (IPA case) or if we
should use it only as a hint (AD and servers that do not use memberof
at all).

In AD for example we currently return only direct memberships because
in AD member/memberof are linked attributes; this means memberof does
not contain DNs of indirect group memberships.

I believe eDirectory is probably the same even when their
memberof-equivalent attribute is set (assuming they support nesting at

Of course we can also have a switch to allow searching for nested
groups or not, so that we do not cause unnecessary searches on
deployments that do not use any form of nesting.

The parameter should actually probably be an integer that determines
the level of nesting we allow to search at runtime, with 0 meaning none
and any other value up to a maximum we define allowing deeper and
deeper nesting.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

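The lookup policy discussed in this thread (trust memberOf fully, use it only as a hint, or fall back to a member=<userdn> search, with an integer nesting limit), as an added example that is not part of the message or of SSSD's code. The directory contents, the DNs and the function names are constructed for illustration and stand in for LDAP search results:

```python
"""Added example (not SSSD code): resolve a user's groups under the three
policies discussed in the thread.  The directory is a constructed in-memory
dict standing in for LDAP search results; all names are illustrative."""

from collections import deque

USER = "cn=alice,ou=users,dc=example,dc=com"
DEVS = "cn=devs,ou=groups,dc=example,dc=com"
ENG = "cn=engineering,ou=groups,dc=example,dc=com"
STAFF = "cn=staff,ou=groups,dc=example,dc=com"

# AD-style data: member/memberOf are linked attributes, so each memberOf
# lists only the entry's *direct* parents (constructed sample, not real data).
AD_LIKE = {
    USER: {"objectClass": ["user"], "memberOf": [DEVS]},
    DEVS: {"objectClass": ["group"], "member": [USER], "memberOf": [ENG]},
    ENG: {"objectClass": ["group"], "member": [DEVS], "memberOf": [STAFF]},
    STAFF: {"objectClass": ["group"], "member": [ENG]},
}


def _without_memberof(directory):
    return {dn: {k: v for k, v in attrs.items() if k != "memberOf"}
            for dn, attrs in directory.items()}


# Server with no memberOf support at all: only member= searches work.
NO_MEMBEROF = _without_memberof(AD_LIKE)

# IPA-style data: memberOf on the user already carries indirect groups.
IPA_LIKE = _without_memberof(AD_LIKE)
IPA_LIKE[USER]["memberOf"] = [DEVS, ENG, STAFF]


def search_member(directory, dn):
    """Emulates the LDAP search (&(objectClass=group)(member=<dn>))."""
    return {gdn for gdn, attrs in directory.items()
            if "group" in attrs.get("objectClass", [])
            and dn in attrs.get("member", [])}


def resolve_groups(directory, user_dn, trust_memberof=False, max_nesting=0):
    """Return the set of group DNs the user belongs to.

    trust_memberof=True:  a non-empty memberOf is the complete picture (IPA).
    trust_memberof=False: memberOf only hints at the direct groups (AD).
    An empty or missing memberOf always triggers the compatibility search.
    max_nesting: 0 = direct groups only, N = walk up to N levels of parents.
    """
    memberof = directory[user_dn].get("memberOf", [])
    if memberof and trust_memberof:
        return set(memberof)              # one lookup, no further searches
    direct = set(memberof) if memberof else search_member(directory, user_dn)

    found = set(direct)
    frontier = deque(direct)
    for _ in range(max_nesting):
        if not frontier:
            break                          # no deeper nesting in the data
        next_frontier = deque()
        for gdn in frontier:
            # A group's own memberOf (its direct parents) serves as the hint;
            # fall back to a member= search when the attribute is absent.
            parents = (directory.get(gdn, {}).get("memberOf")
                       or search_member(directory, gdn))
            for parent in parents:
                if parent not in found:    # also breaks membership cycles
                    found.add(parent)
                    next_frontier.append(parent)
        frontier = next_frontier
    return found


if __name__ == "__main__":
    for name, d, trust in (("AD-like", AD_LIKE, False),
                           ("IPA-like", IPA_LIKE, True),
                           ("no memberOf", NO_MEMBEROF, False)):
        for depth in (0, 1, 5):
            print(name, "nesting", depth,
                  sorted(resolve_groups(d, USER, trust, depth)))
```

Running the script shows the cost difference the thread is about: the IPA-style directory is answered with a single entry read, while the AD-style and memberOf-less directories need one extra search per nesting level until no more parents are found, which is what the integer limit bounds.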