IPA: Use dereference for host groups even if the configuration disables dereference #773
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hi, this is not a full review, but I think the man page for ldap_deref_threshold needs to specify that the option does not apply for HBAC rules. |
|
Thanks, I amended the man page. |
pbrezina
reviewed
Mar 27, 2019
| by setting the value to 0. There are some | ||
| codepaths in SSSD, notably the IPA HBAC provider, | ||
| that are only implemented with HBAC in mind and | ||
| where disabling dereference will have no effect. | ||
| </para> |
There was a problem hiding this comment.
that are only implemented with HBAC in mind does not make any sense to me.
|
Code wise ack. But the man page change is not understandable to me. |
Related: https://pagure.io/SSSD/sssd/issue/3979 In some cases, it makes sense for performance reasons to disable dereference when processing user groups. But since processing of HBAC host groups is not much of a performance sensitive operation, we can get away with ignoring the client side setting and always using the dereference branch if the server supports the dereference call. This patch extends the sdap_has_deref_support call with a flag that allows the caller to bypass the client side check.
…es dereference Related: https://pagure.io/SSSD/sssd/issue/3979 In some cases, it makes sense for performance reasons to disable dereference when processing user groups. But since processing of HBAC host groups is not much of a performance sensitive operation, we can get away with ignoring the client side setting and always using the dereference branch if the server supports the dereference call.
|
Thank you, manpage updated. |
|
Thank you. Ack. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related: https://pagure.io/SSSD/sssd/issue/3979
In some cases, it makes sense for performance reasons to disable
dereference when processing user groups. But since processing of HBAC host
groups is not much of a performance sensitive operation, we can get away
with ignoring the client side setting and always using the dereference
branch if the server supports the dereference call.