When enumeration is enabled (required due to legacy application), and where a group has > 1500 members, and AD's MaxValRange is at the default 1500, then sssd fails to show more than 1500 group members. Group lookups are no longer accurate.

A further interesting aspect is that if the sssd cache is expired (sssctl cache-expiry -E), then the correct group membership is shown until such time as enumeration is processed again (i.e. at most ldap_enumeration_refresh_timeout + memcache_timeout).
src/providers/ldap/sdap.c's sdap_parse_entry() states:

```c
/*
 * This attribute contained range values and needs more to
 * be retrieved
 */
/* TODO: return the set of attributes that need additional retrieval
 * For now, we'll continue below and treat it as regular values.
 */
```
i.e. that range retrieval is not implemented, but a group that would require range retrieval would be processed by subsequent ASQ/deref queries.

With enumeration enabled the subsequent ASQ/deref processing is never undertaken. As such sssd only ever processes the initial range-retrieved members (0-1499) (NB that nested groups' members are evaluated).

We have looked at the relevant source code, but can't find a way to trigger Attribute Scope Queries (ASQ)/deref. Indeed, no manner of sssd configuration settings (other than disabling enumeration, which we sadly cannot do) appears to change this behaviour. Increasing MaxValRange on AD defeats the purpose of having MaxValRange.
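The range-retrieval handshake that the report says enumeration skips, shown as an added example that is not part of the issue or of sssd's code: a client must keep re-requesting `member;range=<last+1>-*` until the server answers with an upper bound of `*`. The 3200-member group, the `MAX_VAL_RANGE` constant and the `fake_ad_search` stand-in for the directory are constructed for the example; `fetch_all_members(..., follow_ranges=False)` reproduces the truncation to the first 1500 members described above.

```python
"""Simulated AD range retrieval for a multi-valued attribute capped by
MaxValRange. Constructed example; it does not call sssd or a real LDAP server."""
import re

MAX_VAL_RANGE = 1500  # AD default, as in the report (assumption for the fake server)
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")


def parse_range_attr(name):
    """Return (base_attr, lo, hi) for 'attr;range=lo-hi' (hi None for '*'),
    or None when the attribute name carries no range tag."""
    m = RANGE_RE.match(name)
    if not m:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi


def next_range_attr(name):
    """Attribute name to request next, or None once the final chunk was seen."""
    parsed = parse_range_attr(name)
    if parsed is None or parsed[2] is None:
        return None
    attr, _lo, hi = parsed
    return f"{attr};range={hi + 1}-*"


def truncated_attrs(entry):
    """Attribute names in a returned entry whose range is not final: if any
    remain after a lookup, the cached membership is incomplete."""
    return [n for n in entry if (p := parse_range_attr(n)) and p[2] is not None]


def fake_ad_search(members, requested_attr):
    """Constructed stand-in for a directory honouring MaxValRange."""
    parsed = parse_range_attr(requested_attr)
    attr, lo = ("member", 0) if parsed is None else (parsed[0], parsed[1])
    chunk = members[lo:lo + MAX_VAL_RANGE]
    if parsed is None and len(members) <= MAX_VAL_RANGE:
        return {attr: chunk}  # small group: values come back without a range tag
    hi = "*" if lo + len(chunk) >= len(members) else lo + len(chunk) - 1
    return {f"{attr};range={lo}-{hi}": chunk}


def fetch_all_members(members, follow_ranges=True):
    """Collect every member by walking the ranges; follow_ranges=False
    mirrors the enumeration path that stops after the first chunk."""
    collected, attr = [], "member"
    while attr is not None:
        entry = fake_ad_search(members, attr)
        (name, values), = entry.items()
        collected.extend(values)
        attr = next_range_attr(name) if follow_ranges else None
    return collected
```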