On Tue, 14 Jul 2015, Jan Pazdziora wrote:
> On Tue, Jul 14, 2015 at 09:46:00AM +0300, Alexander Bokovoy wrote:
>> adm...@adx.test),1878600513(domain us...@adx.test),1634400007(ad_admins)
>>
>> You wouldn't see this in the web UI because the web UI is showing what is in
>> the LDAP, not what is visible in the system when SSSD evaluates the
>> group membership.
>
> Would it make sense to have a way of running the SSSD evaluation from
> the WebUI and showing the results there? Clearly distinguished from
> the LDAP data, yet exposed in the WebUI ...

Definitely not here. We have checks for HBAC rules with AD users that
explicitly take external group membership into account already.

Resolving AD group membership is a time-consuming operation and adding it
into a normal path is going to slow down everything.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
