87a6f8f AD: use LDAP for group lookups

3 files Authored by sbose 10 years ago, Committed by jhrozek 10 years ago,
    AD: use LDAP for group lookups
    
    The group memberships cannot be reliably retrieved from the Global
    Catalog. By default the memberOf attribute is not replicated to the GC
    at all and the member attribute is copied from the local LDAP instance
    to the GC running on the same host, but is only replicated to other GC
    instances for groups with universal scope. Additionally the tokenGroups
    attribute contains invalid SIDs when used with the GC for users from a
    different domain than the one the GC belongs to.
    
    As a result the requests which try to resolve group memberships of an
    AD user have to go to an LDAP server from the domain of the user.
    
    Fixes https://fedorahosted.org/sssd/ticket/2161 and
    https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
    
file modified
+18 -2
file modified
+2 -0