#1078 Make HBAC srchost processing optional
Closed: Fixed. Opened 9 years ago by sgallagh.

Source host processing is very costly (it requires us to retrieve the complete list of hosts from the FreeIPA server) and it's inherently unreliable (due to the fact that there is no PAM standard for what applications will send us in the {{{srchost}}} field).

We should add a new option, {{{ipa_hbac_support_srchost}}}, that will default to {{{False}}}. If this option is false, we will perform a much simpler host lookup (just the current host and its parents). This will significantly improve login performance in environments with large numbers of hosts.

When it's false, we should also modify rules we retrieve to treat srchost as {{{category = ALL}}} (thus meaning it will always match).
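A simplified model of the behaviour proposed above, added here as an illustration and not taken from this ticket, SSSD or libipa_hbac; the type and function names, the sample rule and the hostnames are constructed. It shows that with srchost support off, a rule that named one source host matches from any source host, including when the application sends none.

```c
/* Simplified model for illustration; not SSSD or libipa_hbac code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
enum category { CAT_NONE, CAT_ALL };            /* hypothetical names */
struct element { enum category category; const char *names[4]; };
struct rule { struct element user, targethost, srchost; };
struct request { const char *user, *targethost, *srchost; };

/* An element matches if its category is ALL or it lists the value. */
static bool element_matches(const struct element *e, const char *value)
{
    if (e->category == CAT_ALL) return true;
    if (value == NULL) return false;  /* model assumption: empty field fails a list */
    for (size_t i = 0; i < 4 && e->names[i] != NULL; i++)
        if (strcmp(e->names[i], value) == 0) return true;
    return false;
}
/* With srchost support off, rewrite a retrieved rule to srchost category = ALL. */
void prepare_rule(struct rule *r, bool support_srchost)
{
    if (support_srchost) return;
    r->srchost.category = CAT_ALL;
    r->srchost.names[0] = NULL;
}
bool rule_allows(const struct rule *r, const struct request *q)
{
    return element_matches(&r->user, q->user)
        && element_matches(&r->targethost, q->targethost)
        && element_matches(&r->srchost, q->srchost);
}
/* Constructed sample: alice may reach db1 only from the bastion host. */
bool demo(bool support_srchost, const char *srchost)
{
    struct rule r = { { CAT_NONE, { "alice" } },
                      { CAT_NONE, { "db1.example.test" } },
                      { CAT_NONE, { "bastion.example.test" } } };
    struct request q = { "alice", "db1.example.test", srchost };
    prepare_rule(&r, support_srchost);
    return rule_allows(&r, &q);
}

int main(void)
{
    printf("srchost on,  from laptop: %d\n", demo(true, "laptop.example.test"));
    printf("srchost off, from laptop: %d\n", demo(false, "laptop.example.test"));
    return 0;
}
```

Rules that relied on srchost to restrict access are worth reviewing before running with the option at its default, since the restriction is no longer evaluated.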

Fields changed

patch: 0 => 1
status: new => assigned

Fixed in: 6fb75e2

resolution: => fixed
status: assigned => closed

Fields changed

type: defect => enhancement

Metadata Update from @sgallagh:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.7.0

3 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/2120

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
