[Freeipa-devel] [RFC] Sending group-memberships to SSSD clients

Sumit Bose sbose at redhat.com
Mon Jun 2 13:03:19 UTC 2014


Hi,

I'm preparing a design page for
https://fedorahosted.org/freeipa/ticket/4031 "[RFE] Support initgroups
for unauthenticated AD users".

Since we are using SSSD in ipa-server-mode in the server, the IPA server
is able to resolve group memberships even if the user is not
authenticated. To make the information available to the client the
extdom plugin should be enhanced to send the information from the server
to the clients.

My question is, what would be the best type of data to send to the
clients. The obvious first answer is a list of GIDs. But since we have
views this would require additional processing and LDAP lookups on the
server side. As an alternative we can send a list of fully qualified
group names or a list of SIDs (as long as we are only looking at trusts
to AD). Both are independent of the view, but would require additional
lookups from the client for the GID if the group with the given fully
qualified name or SID is not already in the cache. But this will
basically only happen if the cache is empty, whereas the additional
processing due to user-views on the server would happen on every request
if we only send the list of GIDs.

So, I'm tending to the list of fully qualified names. Does anyone have
concerns or other suggestions?

Thank you.

bye,
Sumit

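The cost argument above (per-request view processing on the server when sending GIDs, versus a one-off cache miss on the client when sending names or SIDs) can be modelled in a few lines. The following is an added example written for this page, not FreeIPA extdom or SSSD code: the group data, the user's memberships, the ID-view overrides and the lookup counters are all constructed assumptions, and the three `server_*` functions are hypothetical stand-ins for the extdom response types discussed in the message.

```python
"""Model of the three extdom response options and their lookup cost.

Added example, not FreeIPA/SSSD code. Assumptions (all constructed):
  * ID views are a dict view-name -> {group name: overridden GID}; in real
    FreeIPA the overrides live in LDAP and must be looked up per group.
  * Sending GIDs forces the server to apply the client's view on every request.
  * Sending names or SIDs lets the client resolve the GID itself, paying one
    lookup per group only when its cache is cold.
"""
from dataclasses import dataclass, field

USER = "alice@ad.example.com"

# Constructed AD groups: default GID (from the trust's ID range) and SID.
AD_GROUPS = {
    "domain users@ad.example.com": {"gid": 10513, "sid": "S-1-5-21-1-2-3-513"},
    "developers@ad.example.com": {"gid": 11001, "sid": "S-1-5-21-1-2-3-1101"},
}
SID_TO_NAME = {v["sid"]: k for k, v in AD_GROUPS.items()}
USER_MEMBERSHIPS = {USER: list(AD_GROUPS)}

# Constructed ID views: one with no overrides, one remapping a group's GID.
ID_VIEWS = {
    "Default Trust View": {},
    "legacy": {"developers@ad.example.com": 5001},
}


@dataclass
class Stats:
    server_ldap_lookups: int = 0
    client_lookups: int = 0


def gid_in_view(group, view):
    """GID of `group` as seen from `view` (override wins over the default)."""
    return ID_VIEWS[view].get(group, AD_GROUPS[group]["gid"])


def server_gids(user, view, stats):
    """Option 1: the server sends GIDs, so it must apply the client's view.
    Every group costs an override lookup on every single request."""
    gids = []
    for group in USER_MEMBERSHIPS[user]:
        stats.server_ldap_lookups += 1  # idoverridegroup lookup in the view
        gids.append(gid_in_view(group, view))
    return gids


def server_names(user, stats):
    """Option 2: fully qualified group names; independent of any view."""
    return list(USER_MEMBERSHIPS[user])


def server_sids(user, stats):
    """Option 3: group SIDs; also view-independent (AD trusts only)."""
    return [AD_GROUPS[group]["sid"] for group in USER_MEMBERSHIPS[user]]


@dataclass
class Client:
    """SSSD-like client that caches name -> GID for its own view."""
    view: str
    cache: dict = field(default_factory=dict)

    def gid_for_name(self, name, stats):
        if name not in self.cache:
            stats.client_lookups += 1  # only paid while the cache is cold
            self.cache[name] = gid_in_view(name, self.view)
        return self.cache[name]

    def gid_for_sid(self, sid, stats):
        return self.gid_for_name(SID_TO_NAME[sid], stats)


def simulate(option, requests, view="legacy"):
    """Run `requests` initgroups calls for USER and return (gids, stats)."""
    stats = Stats()
    client = Client(view)
    gids = []
    for _ in range(requests):
        if option == "gids":
            gids = server_gids(USER, view, stats)
        elif option == "names":
            gids = [client.gid_for_name(n, stats) for n in server_names(USER, stats)]
        elif option == "sids":
            gids = [client.gid_for_sid(s, stats) for s in server_sids(USER, stats)]
        else:
            raise ValueError(option)
    return gids, stats


if __name__ == "__main__":
    for option in ("gids", "names", "sids"):
        gids, stats = simulate(option, requests=5)
        print(f"{option:5s} -> {gids} server={stats.server_ldap_lookups} "
              f"client={stats.client_lookups}")
```

All three options produce the same GIDs for the client's view, but with GIDs the server performs one override lookup per group on every request, while names and SIDs cost the client one lookup per group only the first time (as long as its cache survives), which is the tradeoff the message describes.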