Similar to paging, Active Directory uses the range sub-attribute to split large multi-valued attribute lists (http://msdn.microsoft.com/en-us/library/aa367017%28v=vs.85%29.aspx).
Since this affects groups with a large number of members, SSSD should support range retrievals.
IMO it is a major feature we should consider for 1.6.
Additionally, I'd like to also point out that there is an open ticket for OpenLDAP to support this (http://www.openldap.org/its/index.cgi?findid=5472). I think this is a better place for it, rather than having every client application reimplement this feature.
There is some resistance from OpenLDAP because this range extension violates RFC 4512, but I'd like to propose that support for it should be added as an option that can be enabled by clients, similar to referral chasing.
As also noted in that ticket, the use of the range sub-attribute can be checked with a supportedControl attribute from the rootDSE, so it wouldn't be too difficult to enable such an option at-will.
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.6.0
priority: major => critical
owner: somebody => sgallagh
Moving back to NEEDS_TRIAGE.
There is work underway for a winbind-based ID provider for SSSD. As this feature is for Active Directory only (and is a violation of RFC 4512), I propose that its inclusion in the LDAP provider be scrapped or deferred.
milestone: SSSD 1.6.0 => NEEDS_TRIAGE
patch: => 0
priority: critical => major
This issue will be addressed by #364. It should be closed then. For now it is put into the same bucket.
component: LDAP Provider => Winbind Provider
milestone: NEEDS_TRIAGE => SSSD 1.7.0
milestone: SSSD 1.8.0 => SSSD 1.7.0
owner: sgallagh => pzuna
Pavel, please confirm whether the new winbind provider can retrieve groups from Active Directory containing more than 1500 users completely.
Winbind itself is able to retrieve a group with 2000 users completely with no problems (default on MaxValRange is 1500). Tested that today. However the Winbind provider shows groups with this many users as empty, so there must be some bug. I'm looking for it atm.
Update since my last post:
getent group always displays groups from Active Directory as empty at first. Not just groups with large member attributes. I've checked and members are retrieved correctly by WinBind and are available to the provider code. However they only seem to be displayed by getent after the member users have been retrieved/cached.
Is this normal behaviour? Should I look more into it?
milestone: SSSD 1.7.0 => SSSD 1.8.0
Replying to [comment:12 pzuna]:
> Update since my last post:
> getent group always displays groups from Active Directory as empty at first. Not just groups with large member attributes. I've checked and members are retrieved correctly by WinBind and are available to the provider code. However they only seem to be displayed by getent after the member users have been retrieved/cached.
> Is this normal behaviour? Should I look more into it?
This is not normal behavior. It suggests to me that the cache code in your winbind provider is not correctly utilizing the {{{store_incomplete_groups()}}} routines to save the user list.
milestone: SSSD 1.8.0 => NEEDS_TRIAGE
rhbz: =>
type: defect => enhancement
milestone: NEEDS_TRIAGE => SSSD 1.8 AD Integration NEEDS TRIAGE
component: Winbind Provider => LDAP Provider
milestone: SSSD 1.8 AD Integration NEEDS TRIAGE => SSSD 1.8.0
owner: pzuna => sgallagh
priority: major => minor
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=768165 768165]
blockedby: =>
blocking: =>
milestone: SSSD 1.8.0 => SSSD 1.9.0 NEEDS_TRIAGE
milestone: SSSD 1.9.0 NEEDS_TRIAGE => SSSD 1.9.0
priority: minor => critical
This is an AD-specific feature.
milestone: SSSD 1.9.0 => SSSD 1.9 AD Integration
feature_milestone: =>
milestone: SSSD AD Trust Feature => SSSD AD Extensions Feature
For posterity, we dropped our plans for a winbind-based provider and are now planning to implement this feature into the SSSD's LDAP provider.
We will detect the presence of the range extension from the rootdse and take appropriate measures to deal with it.
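The range retrieval this ticket asks for, sketched as an added example (not part of the ticket and not SSSD's code): a client that asks for `member` on a large group gets an empty `member` plus a `member;range=0-1499` description, and has to keep requesting `member;range=<next>-*` until the server answers with a `*` upper bound. The `search` callable, `make_fake_ad`, and the DNs are constructed stand-ins so the loop runs offline.

```python
import re

# Ranged description: "<name>;range=<low>-<high>"; "*" as <high> marks the last chunk.
RANGE_RE = re.compile(r"^(?P<name>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.I)

def parse_ranged(desc):
    """Return (base_name, low, high) or None; high is None on the final chunk."""
    m = RANGE_RE.match(desc)
    if not m:
        return None
    return m["name"], int(m["low"]), None if m["high"] == "*" else int(m["high"])

def fetch_all_values(search, dn, attr, max_rounds=10000):
    """Collect every value of `attr`, following range chunks until the last one."""
    values, request = [], attr
    for _ in range(max_rounds):          # bounded, in case the server misbehaves
        entry = search(dn, [request])
        ranged = [(parse_ranged(d), v) for d, v in entry.items()]
        ranged = [(p, v) for p, v in ranged if p and p[0].lower() == attr.lower()]
        if not ranged:                   # small attribute: returned whole
            return values + list(entry.get(attr, []))
        (_, low, high), chunk = ranged[0]
        if low != len(values):           # gap or overlap would corrupt membership
            raise ValueError(f"unexpected range start {low}, wanted {len(values)}")
        values.extend(chunk)
        if high is None:
            return values
        request = f"{attr};range={high + 1}-*"
    raise RuntimeError("too many range chunks")

def make_fake_ad(members, max_val_range=1500):
    """Constructed stand-in for an AD search on a single group entry."""
    calls = []
    def search(dn, attrs):
        calls.append(attrs[0])
        parsed = parse_ranged(attrs[0])
        if not parsed and len(members) <= max_val_range:
            return {"member": list(members)}
        low = parsed[1] if parsed else 0
        chunk = members[low:low + max_val_range]
        last = low + len(chunk) >= len(members)
        entry = {f"member;range={low}-{'*' if last else low + len(chunk) - 1}": chunk}
        if not parsed:
            entry["member"] = []         # plain attribute comes back empty
        return entry
    return search, calls

GROUP_DN = "CN=biggroup,DC=example,DC=test"   # constructed sample DN
search, calls = make_fake_ad([f"CN=user{i},DC=example,DC=test" for i in range(2000)])
print(len(fetch_all_values(search, GROUP_DN, "member")), calls)
```

A client that reads only the plain `member` value from the first response sees the group as empty, so any access decision based on that group would be made on incomplete membership.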
status: new => assigned
patch: 0 => 1
Fixed by: - ae8d047 (master)
milestone: SSSD AD Extensions Feature => SSSD 1.9.0 beta 1
resolution: => fixed
status: assigned => closed
Metadata Update from @sbose:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.9.0 beta 1
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/1825
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.