On Wed, Feb 10, 2016 at 09:42:28AM +0100, Jakub Hrozek wrote: > On Tue, Feb 09, 2016 at 11:58:46AM +0100, Winfried de Heiden wrote: > > Hi all, > > > > Using an Active Directory Trust with IPA all works fine but there's an > > disadvantage: it might brong in lots and lots of groups I am not > > interested in since it mainly hit Windows and/or Office stuff. > > Why are you concerned about this in the first place? Is it about > performance needed to process these groups or about resources that can > be owned by these groups? > > > > > Now, is it possible to filter AD-groups? or: can I use an AD search base > > filter? (something like cn=linuxgroups,ou=allgroups,dc=example,dc=com) > > Not at the moment, the subdomains are autoconfigured and not > configurable.
Additionally please note that some of the more advances schemes we use for group-membership lookups in AD like PAC data or the tokenGroups request just return all groups a user is a member of in a single call, no need to walk through the AD directory tree to resolve nested groups. We still have to look up the groups to get their name and maybe the GID but if we would apply a filter we had to look them up as well because we only know the SID. Falling back to a different scheme would not improve the situation performance wise because we have to read all groups even the outside the given search base to be able to resolve nested groups correctly. HTH bye, Sumit > > > > > On a small scale ID views can be used, but it not a great solution. (for > > all new groups appearing in AD the ID view must be modified) > > > > Some sugestions or documentation on filtering AD groups? > > > > Winny > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project