This ticket is based on an IRC discussion I had with @sbose, so the actual idea about what needs to be done is his.
When an IPA client looks up a user from an IPA server, the user with all their groups is looked up. The client would first do a REQ_FULL_WITH_MEMBERS s2n request for the user which returns the user entry and all their groups. Then, the client issues a REQ_FULL_WITH_MEMBERS s2n request for each group.
Because of historical reasons, where the s2n operations were only used to resolve a SID where it was not known if the SID belongs to a user or a group, the s2n request triggers a lookup on the server for a user first and only if a user is not found, a request for a group is tried.
This is not optimal especially in case there are many trusted domains, because every request must first iterate over the domain list looking for a user and then it would iterate over the domain list again looking for a group.
To improve the situation, Sumit suggested that the request is extended with an object type on the IPA side and the extdom plugin is also extended with to use this data to trigger the appropriate lookup on the IPA server.
Metadata Update from @jhrozek: - Issue assigned to jhrozek
Metadata Update from @jhrozek: - Assignee reset
Metadata Update from @jhrozek: - Issue tagged with: RFE, performance
Metadata Update from @jhrozek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1555924
Issue linked to Bugzilla: Bug 1555924
Metadata Update from @jhrozek: - Issue priority set to: major (was: minor) - Issue set to the milestone: SSSD 2.0
Metadata Update from @jhrozek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1555924, https://bugzilla.redhat.com/show_bug.cgi?id=1581041 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1555924)
Issue linked to Bugzilla: Bug 1581041
Login to comment on this ticket.
https://bugzilla.redhat.com/show_bug.cgi?id=1555924, https://bugzilla.redhat.com/show_bug.cgi?id=1581041
