[Freeipa-users] AD users not visible in FreeIPA mapped group

Alexander Bokovoy abokovoy at redhat.com
Tue Jul 14 08:06:20 UTC 2015


On Tue, 14 Jul 2015, Jan Pazdziora wrote:
>On Tue, Jul 14, 2015 at 09:46:00AM +0300, Alexander Bokovoy wrote:
>> admins at adx.test),1878600513(domain users at adx.test),1634400007(ad_admins)
>>
>> You wouldn't see this in the web UI because the web UI is showing what is in
>> the LDAP, not what is visible in the system when SSSD evaluates the
>> group membership.
>
>Would it make sense to have a way of running the SSSD evaluation from
>the WebUI and showing the results there? Clearly distinguished from
>the LDAP data, yet exposed in the WebUI ...
Definitely not here. We have checks for HBAC rules with AD users that
explicitly take external group membership into account already.

Resolving AD group membership is a time-consuming operation and adding it
into a normal path is going to slow down everything.

-- 
/ Alexander Bokovoy
