[Freeipa-devel] [RFC] Sending group-memberships to SSSD clients
Simo Sorce
simo at redhat.com
Mon Jun 2 13:29:49 UTC 2014
On Mon, 2014-06-02 at 15:03 +0200, Sumit Bose wrote:
> Hi,
>
> I'm preparing a design page for
> https://fedorahosted.org/freeipa/ticket/4031 "[RFE] Support initgroups
> for unauthenticated AD users".
>
> Since we are using SSSD in ipa-server-mode in the server, the IPA server
> is able to resolve group memberships even if the user is not
> authenticated. To make the information available to the client the
> extdom plugin should be enhanced to send the information from the server
> to the clients.
>
> My question is, what would be the best type of data to send to the
> clients. The obvious first answer is a list of GIDs. But since we have
> views this would require additional processing and LDAP lookups on the
> server side. As an alternative we can send a list of fully qualified
> group names or a list of SIDs (as long as we are only looking at trust
> to AD). Both are independent of the view, but would require additional
> lookups from the client for the GID if the group with the given fully
> qualified name or SID is not already in the cache. But this will
> basically only happen if the cache is empty, whereas the additional
> processing due to user-views on the server would happen on every request
> if we only send the list of GIDs.
>
> So, I'm tending to the list of fully qualified names. Does anyone have
> concerns or other suggestions?
List of qualified group names only .. +1
Simo.
--
Simo Sorce * Red Hat, Inc * New York
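The trade-off discussed in the thread (sending GIDs forces the server to apply the ID view on every request, while sending fully qualified group names lets the client resolve GIDs once and cache them) can be illustrated with a small simulation. This is an added example, not code from the FreeIPA project or from either poster; the group names, GID values, the single "legacy-view" override and the lookup counters are all constructed, and the extdom wire format is not modelled.

```python
"""Simulate two ways of delivering a user's group memberships from an IPA
server to an SSSD client when ID views can override GIDs per client.

Constructed sample data; nothing here reflects a real deployment."""

# Canonical group -> GID mapping as stored on the server (constructed).
GROUPS = {
    "admins@ad.example.test": 1001,
    "devs@ad.example.test": 1002,
}

# ID views: view name -> {group name: overridden GID} (constructed).
VIEWS = {
    "legacy-view": {"devs@ad.example.test": 5002},
}

# User -> list of fully qualified group names (constructed).
MEMBERSHIP = {
    "alice@ad.example.test": ["admins@ad.example.test", "devs@ad.example.test"],
}


def gid_for(name, view):
    """Resolve a group name to the GID a host in `view` should see."""
    return VIEWS.get(view, {}).get(name, GROUPS[name])


class Server:
    """Counts the per-request work the server has to do for each variant."""

    def __init__(self):
        self.view_lookups = 0

    def groups_as_gids(self, user, view):
        # Variant 1: server ships GIDs, so it must apply the requesting
        # client's view (one override lookup per group) on every request.
        gids = []
        for name in MEMBERSHIP[user]:
            self.view_lookups += 1
            gids.append(gid_for(name, view))
        return gids

    def groups_as_names(self, user):
        # Variant 2: server ships view-independent names; no view work here.
        return list(MEMBERSHIP[user])


class Client:
    """An SSSD-like client with a name -> GID cache."""

    def __init__(self, server, view):
        self.server = server
        self.view = view
        self.cache = {}
        self.resolve_lookups = 0

    def resolve(self, name):
        # Only a cache miss costs an extra lookup; later requests are free.
        if name not in self.cache:
            self.resolve_lookups += 1
            self.cache[name] = gid_for(name, self.view)
        return self.cache[name]

    def initgroups_from_names(self, user):
        return [self.resolve(n) for n in self.server.groups_as_names(user)]


def simulate(requests):
    """Run `requests` initgroups calls for the same user both ways and
    return (gids_variant1, gids_variant2, server_lookups, client_lookups)."""
    user, view = "alice@ad.example.test", "legacy-view"
    srv_gids = Server()
    gids1 = [srv_gids.groups_as_gids(user, view) for _ in range(requests)][-1]

    srv_names = Server()
    client = Client(srv_names, view)
    gids2 = [client.initgroups_from_names(user) for _ in range(requests)][-1]

    return gids1, gids2, srv_gids.view_lookups, client.resolve_lookups


if __name__ == "__main__":
    g1, g2, server_work, client_work = simulate(3)
    print("GID variant   :", g1, "server view lookups:", server_work)
    print("name variant  :", g2, "client cache misses:", client_work)
```

Both variants end up with the same view-adjusted GIDs, but the GID variant charges the server one view lookup per group on every request, whereas the name variant pays only for cache misses on the client, which is the point made in the thread.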