No problem. I think the answer is, lots of legacy functions that really were written on the assumption that resolving this sort of information was really cheap, often optimised for just ripping through a local passwd/group file. Don't blame SSSD. Rather than code querying who was a member of a group, it'd simply enumerate all of the groups a user was a member of, which creates this hideous case with recursive LDAP lookups, when you're then expected to fully populate objects for each of these groups, which contain membership information of them.
You can't know whether a member is a user or a group either, without looking them up, so it really is horrible, and hard to fix, if you're using those functions and expect them to return correct information. SSSD nicely includes this tweak, which effectively lies when you ask who is a member of a group, by saying "nobody". Which on one hand is odd, because the only reason I looked in the group was because I know the user I'm looking up is a member of it! As long as code looks at which groups the user is a member of, rather than doing the inverse, everything ticks along fine.

That's my understanding anyway, but I'm not an expert.

John

--
John Hodrien (he/him)
Principal Teaching and Research Support Specialist, School of Computer Science
2.22 Bragg Building, University of Leeds

________________________________
From: Christopher Paul <chris.p...@rexconsulting.net>
Sent: 22 July 2025 22:45
To: John Hodrien <j.h.hodr...@leeds.ac.uk>; sssd-users@lists.fedorahosted.org <sssd-users@lists.fedorahosted.org>
Subject: Re: [SSSD-users]Re: SSSD with rfc2307bis causes thousands of concurrent LDAP queries, triggering OpenLDAP flow control

On 7/22/2025 12:25 AM, John Hodrien wrote:
> ignore_group_members (bool) ...

Hey John,

Thank you! That solves my problem. I owe you a beverage of your choice next time I'm in London or you are in Oakland.

But I still wonder why, with "ignore_group_members false", a lookup for a single user must do LDAP lookups for all the person and posixAccount attribute values for EVERY member of a group to which a SINGLE user belongs. That still seems like sort of a bug to me.

--
Chris Paul | Rex Consulting | https://www.rexconsulting.net
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
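To make the two lookup directions John describes concrete, here is an added in-memory model (not code from the thread or from SSSD; the DNs and group layout are made up) that counts queries for one user lookup against a nested rfc2307bis group tree, with and without the ignore_group_members behaviour.

```python
# Constructed rfc2307bis-style directory (assumed names): "member" holds bare DNs of users or nested groups.
ENTRIES = {f"uid={n},ou=people": {"objectClass": "posixAccount"} for n in ("alice", "bob", "carol", "erin")}
ENTRIES.update({
    "cn=interns,ou=groups": {"objectClass": "posixGroup", "member": ["uid=erin,ou=people"]},
    "cn=devs,ou=groups": {"objectClass": "posixGroup",
                          "member": ["uid=alice,ou=people", "uid=bob,ou=people", "cn=interns,ou=groups"]},
    "cn=staff,ou=groups": {"objectClass": "posixGroup", "member": ["cn=devs,ou=groups", "uid=carol,ou=people"]},
})

class Directory:
    """Stand-in LDAP server; every fetch or search counts as one query."""
    def __init__(self, entries):
        self.entries, self.lookups = entries, 0
    def fetch(self, dn):
        self.lookups += 1
        return self.entries[dn]
    def groups_containing(self, dn):  # like (&(objectClass=posixGroup)(member=<dn>))
        self.lookups += 1
        return [g for g, e in self.entries.items() if dn in e.get("member", [])]

def groups_of_user(d, user_dn):
    """initgroups direction: climb parents; cost tracks how many groups the user is in."""
    seen, frontier = set(), [user_dn]
    while frontier:
        for g in d.groups_containing(frontier.pop()):
            if g not in seen:
                seen.add(g)
                frontier.append(g)
    return seen

def members_of_group(d, group_dn, ignore_group_members=False):
    """getgrnam direction: every member DN is fetched just to tell a user from a nested group."""
    entry = d.fetch(group_dn)
    if ignore_group_members:  # the sssd.conf tweak: answer "nobody", no per-member queries
        return set()
    users, seen, stack = set(), {group_dn}, list(entry["member"])
    while stack:
        m = stack.pop()
        if m not in seen:
            seen.add(m)
            member = d.fetch(m)  # type unknown until fetched
            if member["objectClass"] == "posixGroup":
                stack.extend(member["member"])
            else:
                users.add(m)
    return users

def resolve_login(user_dn, ignore_group_members=False):  # one user lookup, then populate each group object
    d = Directory(ENTRIES)
    groups = groups_of_user(d, user_dn)
    members = {g: members_of_group(d, g, ignore_group_members) for g in groups}
    return groups, members, d.lookups
```

With this sample tree, resolving alice's groups upward costs 3 queries; fully populating her two groups costs 12 more and grows with the size of every group she is in, while the ignore_group_members path costs 1 per group.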