sssd correctly identifies that an account is a member of a large 1501+ member AD group via "id <account>". However, getent group <1501+_member_group> does not list the account. Only the first 1500 members are displayed. Is this a limitation of getent group? Or is there a way to configure sssd to display all group members via getent group <group>?
AD groups are not nested.

OS: SUSE Linux Enterprise Server 12 SP5
sssd version: 1.16.1
Release: 7.65.1

# cat /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = DOM.CORP.COM

[domain/DOM.CORP.COM]
entry_cache_timeout = 14400
refresh_expired_interval = 10800
cache_credentials = true
id_provider = ad
auth_provider = ad
access_provider = simple
dyndns_update = false
full_name_format = %1$s
use_fully_qualified_names = false
ldap_referrals = false
ldap_id_mapping = false
ldap_disable_range_retrieval = false
ldap_force_upper_case_realm = true
ldap_group_nesting_level = 0
ldap_use_tokengroups = false
ldap_search_base = OU=my_ou,DC=dom,DC=corp,DC=com
krb5_canonicalize = false
krb5_validate = false

Thanks,
Bob

--
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org