[Freeipa-devel] [RFC] Sending group-memberships to SSSD clients

Jakub Hrozek jhrozek at redhat.com
Tue Jun 17 12:38:24 UTC 2014


On Mon, Jun 02, 2014 at 03:03:19PM +0200, Sumit Bose wrote:
> Hi,
> 
> I'm preparing a design page for
> https://fedorahosted.org/freeipa/ticket/4031 "[RFE] Support initgroups
> for unauthenticated AD users".
> 
> Since we are using SSSD in ipa-server-mode in the server, the IPA server
> is able to resolve group memberships even if the user is not
> authenticated. To make the information available to the client the
> extdom plugin should be enhanced to send the information from the server
> to the clients.
> 
> My question is, what would be the best type of data to send to the
> clients. The obvious first answer is a list of GIDs. But since we have
> views this would require additional processing and LDAP lookups on the
> server side. As an alternative we can send a list of fully qualified
> group names or a list of SIDs (as long as we are only looking at trust
> to AD). Both are independent of the view, but would require additional
> lookups from the client for the GID if the group with the given fully
> qualified name or SID is not already in the cache. But this will
> basically only happen if the cache is empty, whereas the additional
> processing due to user-views on the server would happen on every request
> if we only send the list of GIDs.
> 
> So, I'm tending to the list of fully qualified names. Does anyone have
> concerns or other suggestions?

As an additional suggestion, I also think in server mode you can ignore
that the FQDN format is technically configurable and just use
user@domain; IIRC the SSSD in server mode should even disallow any other
format.
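As an added illustration of the trade-off discussed in the thread (this is example code, not part of the original messages, the extdom plugin, or SSSD), the snippet below models a client that receives fully qualified group names in the fixed name@domain layout and resolves them to GIDs through a local cache. The directory contents, the view override table, the `server_lookup` fallback and the `GroupCache` class are all constructed for the example; the point it shows is that the client-side GID lookup costs one miss per group the first time and nothing afterwards, while the view-dependent mapping lives in the fallback rather than in every reply.

```python
"""Constructed example: view-independent fully qualified names on the wire,
GIDs resolved on the client through a cache that only misses once."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the directory. The no-view GIDs are kept apart
# from the per-view overrides to mirror the observation that GIDs depend on
# the view while fully qualified names (or SIDs) do not.
DEFAULT_GIDS = {
    "domain users@ad.example.test": 1000513,
    "devel@ad.example.test": 1001200,
}
VIEW_OVERRIDES = {
    "legacy-view": {"devel@ad.example.test": 5000},
}


def parse_fq_name(fq_name: str) -> Tuple[str, str]:
    """Split a fully qualified name into (name, domain), assuming the fixed
    name@domain layout; the last '@' separates the two parts."""
    name, sep, domain = fq_name.rpartition("@")
    if not sep or not name or not domain:
        raise ValueError(f"not a fully qualified name: {fq_name!r}")
    return name.lower(), domain.lower()


def server_lookup(key: str, view: str) -> int:
    """Hypothetical fallback lookup the client performs on a cache miss.
    The view is applied here, once per missing group, not on every request."""
    overrides = VIEW_OVERRIDES.get(view, {})
    if key in overrides:
        return overrides[key]
    if key in DEFAULT_GIDS:
        return DEFAULT_GIDS[key]
    raise KeyError(f"unknown group {key!r}")


@dataclass
class GroupCache:
    """Client-side cache keyed by normalized fully qualified group name."""

    view: str
    lookup: Callable[[str, str], int] = server_lookup
    misses: int = 0
    _gids: Dict[str, int] = field(default_factory=dict)

    def resolve(self, fq_names: List[str]) -> List[int]:
        """Return the GIDs for the given names, consulting the lookup
        backend only for names that are not cached yet."""
        gids = []
        for fq in fq_names:
            name, domain = parse_fq_name(fq)
            key = f"{name}@{domain}"
            if key not in self._gids:
                self.misses += 1
                self._gids[key] = self.lookup(key, self.view)
            gids.append(self._gids[key])
        return gids


def simulate(fq_names: List[str], view: str, requests: int) -> List[int]:
    """Run `requests` identical initgroups-style requests through one cache
    and return the cumulative miss count after each one."""
    cache = GroupCache(view=view)
    counts = []
    for _ in range(requests):
        cache.resolve(fq_names)
        counts.append(cache.misses)
    return counts


if __name__ == "__main__":
    names = ["Domain Users@AD.EXAMPLE.TEST", "devel@ad.example.test"]
    print("legacy view:", GroupCache(view="legacy-view").resolve(names))
    print("default:", GroupCache(view="default").resolve(names))
    print("misses per request:", simulate(names, "legacy-view", 3))
```

Running it shows the lookup cost staying flat after the first request (for example, a miss count of `[2, 2, 2]` over three requests for two groups), which is the behaviour the thread expects from sending names rather than GIDs.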
