-
Notifications
You must be signed in to change notification settings - Fork 238
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IPA: Use dereference for host groups even if the configuration disables dereference #773
Conversation
Hi, this is not a full review, but I think the man page for ldap_deref_threshold needs to specify that the option does not apply for HBAC rules. |
Thanks, I amended the man page. |
by setting the value to 0. There are some | ||
codepaths in SSSD, notably the IPA HBAC provider, | ||
that are only implemented with HBAC in mind and | ||
where disabling dereference will have no effect. | ||
</para> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that are only implemented with HBAC in mind
does not make any sense to me.
Code wise ack. But the man page change is not understandable to me. |
Related: https://pagure.io/SSSD/sssd/issue/3979 In some cases, it makes sense for performance reasons to disable dereference when processing user groups. But since processing of HBAC host groups is not much of a performance sensitive operation, we can get away with ignoring the client side setting and always using the dereference branch if the server supports the dereference call. This patch extends the sdap_has_deref_support call with a flag that allows the caller to bypass the client side check.
…es dereference Related: https://pagure.io/SSSD/sssd/issue/3979 In some cases, it makes sense for performance reasons to disable dereference when processing user groups. But since processing of HBAC host groups is not much of a performance sensitive operation, we can get away with ignoring the client side setting and always using the dereference branch if the server supports the dereference call.
Thank you, manpage updated. |
Thank you. Ack. |
Related: https://pagure.io/SSSD/sssd/issue/3979
In some cases, it makes sense for performance reasons to disable
dereference when processing user groups. But since processing of HBAC host
groups is not much of a performance sensitive operation, we can get away
with ignoring the client side setting and always using the dereference
branch if the server supports the dereference call.