#1568 [RFE] AD Provider should use tokenGroups with non-ID-mapping
Closed: Fixed None Opened 6 years ago by sgallagh.

When communicating with AD providers that are using assigned POSIX IDs instead of performing automatic SID mapping, we should maintain the original SID for groups in the cache.

We want to be able to rely on cache lookups for SIDs in order to enable the use of tokenGroups lookups for fast initgroups() requests against AD.

In the first implementation, it's probably safe to assume that the POSIX ID will never change (without a full cache deletion). Thus the SID->POSIX mapping should always be correct.
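An illustration of the cache lookup this ticket asks for, added here as an example; it is not SSSD code and not part of the ticket. It decodes a binary SID as returned in tokenGroups and resolves it to a GID from a SID-keyed table, reporting a miss when the group still has to be fetched from AD. The function names, the in-memory table standing in for the cache, and the SIDs and GIDs are all constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed cache rows: group SID -> statically assigned POSIX GID. */
static const struct { const char *sid; int64_t gid; } cache[] = {
    { "S-1-5-21-1000-2000-3000-513",  10000 },
    { "S-1-5-21-1000-2000-3000-1105", 10042 },
};
/* Constructed tokenGroups values (binary SIDs): RID 513 is cached, 9999 is not. */
static const uint8_t tg_cached[28] = { 1, 5, 0,0,0,0,0,5, 0x15,0,0,0,
    0xE8,0x03,0,0, 0xD0,0x07,0,0, 0xB8,0x0B,0,0, 0x01,0x02,0,0 };
static const uint8_t tg_uncached[28] = { 1, 5, 0,0,0,0,0,5, 0x15,0,0,0,
    0xE8,0x03,0,0, 0xD0,0x07,0,0, 0xB8,0x0B,0,0, 0x0F,0x27,0,0 };

/* Decode a binary SID to "S-1-..." text; 0 on success, -1 if malformed. */
int sid_bin_to_str(const uint8_t *b, size_t len, char *out, size_t outlen)
{
    if (len < 8 || b[0] != 1 || b[1] > 15 || len != 8 + 4u * b[1]) return -1;
    uint64_t auth = 0;
    for (int i = 2; i < 8; i++) auth = (auth << 8) | b[i];  /* big-endian */
    int n = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    for (unsigned i = 0; i < b[1]; i++) {
        if (n < 0 || (size_t)n >= outlen) return -1;
        const uint8_t *p = b + 8 + 4 * i;                   /* little-endian */
        uint32_t sub = p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
        n += snprintf(out + n, outlen - n, "-%lu", (unsigned long)sub);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Resolve one tokenGroups value from the cache alone: the GID on a hit,
 * -1 on a miss (the group must be fetched from AD), -2 if malformed. */
int64_t gid_from_token_group(const uint8_t *b, size_t len)
{
    char sid[192];
    if (sid_bin_to_str(b, len, sid, sizeof(sid)) != 0) return -2;
    for (size_t i = 0; i < sizeof(cache) / sizeof(cache[0]); i++)
        if (strcmp(cache[i].sid, sid) == 0) return cache[i].gid;
    return -1;
}

int main(void)
{
    printf("%lld %lld\n", (long long)gid_from_token_group(tg_cached, 28),
           (long long)gid_from_token_group(tg_uncached, 28));
    return 0;
}
```

A hit returns whatever GID was stored when the group was cached, which is why the mapping is only correct as long as the assigned POSIX ID does not change.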


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10 beta
rhbz: => 0
summary: AD Provider should use tokenGroups with non-ID-mapping => [RFE] AD Provider should use tokenGroups with non-ID-mapping

Fields changed

design: =>
design_review: => 0
fedora_test_page: =>
selected: => Want

Fields changed

priority: major => critical

Fields changed

priority: critical => major

Fields changed

priority: major => critical

Fields changed

review: => 1

Fields changed

owner: somebody => okos

Fields changed

status: new => assigned

Just as a reminder, please make sure to document in the manpage that the SID<->POSIX mappings require a full cache deletion if the statically-assigned POSIX ID changes in AD.

Alternately, we may want to open another ticket to extend the sss_cache tool to be able to reset the mapping state (so it's recalculated).

Replying to [comment:9 sgallagh]:

> Just as a reminder, please make sure to document in the manpage that the SID<->POSIX mappings require a full cache deletion if the statically-assigned POSIX ID changes in AD.

+1

> Alternately, we may want to open another ticket to extend the sss_cache tool to be able to reset the mapping state (so it's recalculated).

Care to open a ticket? This might be a nice-to-have task for some external contributor.

Since there is no string change, moving to 1.10.

Fields changed

milestone: SSSD 1.10 beta => SSSD 1.10.0

Fields changed

changelog: => Performance improvement.
design: => N/A (trivial)

Performance improvement not critical for the 1.10.0 release.

milestone: SSSD 1.10.0 => SSSD 1.10.1

Moving tickets that didn't make 1.10.1 to the 1.10.2 bucket.

Moving tickets that didn't make 1.10.1 to 1.10.2

milestone: SSSD 1.10.1 => SSSD 1.10.2

Fields changed

patch: 0 => 1

The patch is on the list, but since we've moved all supported releases to 1.11.x, I'd rather not add an additional RFE to 1.10 only and add this enhancement to 1.11.2.

milestone: SSSD 1.10.2 => SSSD 1.11.2

Fields changed

owner: okos => pbrezina
status: assigned => new

Lowering priority for 1.11.2

priority: critical => minor

Did not make 1.11.2 after all.

milestone: SSSD 1.11.2 => SSSD 1.11.3

resolution: => fixed
status: new => closed

Metadata Update from @sgallagh:
- Issue assigned to pbrezina
- Issue marked as blocked by: #1887
- Issue set to the milestone: SSSD 1.11.3

2 years ago
