On 7/22/25 16:00, Gregory Carter via sssd-users wrote:
> https://unofficialaciguide.com/2019/07/31/ldap-schemas-for-aci-administrators-rfc2307-vs-rfc2307bis/
> "In the RFC2307 compatibility layer, we have no memberOf or anything
> similar to use for identifying group membership. But we do have the
> “uid=ldapy” attribute. If we wanted to set ACI policy based on this
> information, we would have to authenticate the user, grab the UID
> attribute, then compare it to a specific group’s list of memberUIDs
> (or search through all groups to find which one has the correct
> memberUID)."
>
> Ironically, perhaps this is something SambaAD compensates for, which I
> defined as RFC2307 for our schema, but I see memberOf definitions in
> my users anyway so the above scenario may not apply.
>
> So what is your directory server and if you could check your schema
> definition and see if there are any memberOf definitions? Or is it a
> straight uid?
OpenLDAP 2.5.20, using RFC2307bis schema, so there does exist memberOf
values. Which brings up another very good question. Why must a
"member=<userDN>" be used to fetch groups for RFC2307bis data when
memberOf was specifically designed to alleviate the performance problems
caused by "member=" lookups?
--
Chris Paul | Rex Consulting | https://www.rexconsulting.net
--
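The two lookups discussed in this thread, as an added illustration that is not code from this thread or from SSSD: the RFC2307 scan of every group's memberUid, the RFC2307bis member=<userDN> view, and a consistency check between that authoritative member view and the derived memberOf attribute (on OpenLDAP, memberOf is maintained by an overlay rather than stored by the client, so a consumer that authorises on it may want to confirm the two agree). The LDIF, DNs and helper names below are constructed for the example.

```python
# Constructed sample data (not a real export): ldapy's memberOf is incomplete, bob's is stale.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: uid=ldapy,ou=people,dc=example,dc=com
memberOf: cn=admins,ou=groups,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
memberOf: cn=admins,ou=groups,dc=example,dc=com

dn: cn=admins,ou=groups,dc=example,dc=com
member: uid=ldapy,ou=people,dc=example,dc=com
memberUid: ldapy

dn: cn=devs,ou=groups,dc=example,dc=com
member: uid=ldapy,ou=people,dc=example,dc=com
memberUid: ldapy
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}, lower-cased; no base64 or line wrapping."""
    entries, cur = {}, None
    for line in text.splitlines():
        attr, _, value = (x.strip().lower() for x in line.partition(":"))
        if attr == "dn":
            cur = entries.setdefault(value, defaultdict(list))
        elif attr and cur is not None:
            cur[attr].append(value)
    return entries

def groups_by_memberuid(entries, uid):
    """RFC2307 style: scan every group for a matching memberUid (there is no memberOf to read)."""
    return sorted(dn for dn, a in entries.items() if uid.lower() in a.get("memberuid", []))

def groups_by_member(entries):
    """RFC2307bis style: the member=<userDN> view, inverted to {userDN: {groupDN, ...}}."""
    by_user = defaultdict(set)
    for dn, a in entries.items():
        for m in a.get("member", []):
            by_user[m].add(dn)
    return by_user

def memberof_discrepancies(entries):
    """Derived memberOf vs authoritative member: {userDN: (stale values, missing values)}."""
    forward = groups_by_member(entries)
    report = {}
    for dn, a in entries.items():
        claimed, actual = set(a.get("memberof", [])), forward.get(dn, set())
        if claimed != actual and (claimed or actual):
            report[dn] = (sorted(claimed - actual), sorted(actual - claimed))
    return report
```

Run against a real export (ldapsearch output with memberOf requested explicitly, since it is an operational attribute) to find users whose memberOf would grant or deny access that the group entries themselves do not support.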
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue