#3837 Handle setups that filter only a subset of groups better
Opened 3 months ago by jhrozek. Modified 2 months ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1628510

Description of problem:
SSSD provides the ability to set a filter as part of the LDAP search bases.
This is often used to speed up logins and user and group lookups in large AD
environments where the Linux clients only care about a subset of groups anyway.

But it is not obvious for many admins that the group filter must also include
the primary group, otherwise the user lookups on the clients will fail
completely, because the client requires that all the groups, including the
primary one, are resolvable.

We should make this requirement more visible. Possible options include:
 - fail the user resolution completely if the primary group can't be resolved
   and log a very loud debug message. The failure to resolve the user would
   force the admin to go look at the logs and find the message with the hint
   why the user can't be resolved.

 - autogenerate some funky name for the primary group that can't be resolved.
   This might work better out of the box, but might break HBAC.

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1628510

3 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Future releases (no date set yet)

2 months ago
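
The pitfall described in the ticket, shown as an added configuration example (not taken from the ticket or from the SSSD project). The domain name, base DN, the `linux-*` group naming and the assumption that the users' primary group is `Domain Users` are all constructed placeholders.

```ini
# Constructed sssd.conf fragment; domain name, DNs and group names are placeholders.
[domain/example.com]
id_provider = ad

# Weak: only groups matching cn=linux-* are visible to SSSD. If a user's
# primary group (assumed here to be "Domain Users") falls outside the filter,
# the primary group cannot be resolved and the user lookup fails on the client.
#ldap_group_search_base = dc=example,dc=com?subtree?(cn=linux-*)

# Corrected: the same subset, plus the primary group of the users who log in.
ldap_group_search_base = dc=example,dc=com?subtree?(|(cn=linux-*)(cn=Domain Users))
```

With the corrected filter, and once the client cache has been refreshed, `id <user>` should return the user with a resolvable primary group.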
