#783 Support range retrievals
Closed: Fixed None Opened 8 years ago by sbose.

Similar to paging, Active Directory uses the range sub-attribute to split large multi-valued attribute lists (http://msdn.microsoft.com/en-us/library/aa367017%28v=vs.85%29.aspx).

Since this affects groups with a large number of members SSSD should support range retrievals.
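The following is an added illustration of the range retrieval mechanism the ticket asks for; it is not SSSD code and not part of the ticket. The client side parses attribute names of the form `member;range=lo-hi` (with `*` as the open upper bound) and re-requests `member;range=<hi+1>-*` until the server marks the last chunk with `*`. The `FakeADServer` class is a constructed stand-in for a domain controller that serves one group's `member` list in `MaxValRange`-sized chunks (default 1500) and omits the attribute entirely when it is empty, as AD does; the member DNs are generated, and the `search(dn, attrs)` callable is an assumed interface, not a real LDAP library call.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# AD's default MaxValRange: the 1500-value limit discussed in this ticket.
DEFAULT_MAX_VAL_RANGE = 1500

_RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


def parse_range_option(attr_name: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Split 'member;range=0-1499' into ('member', 0, 1499).
    An upper bound of '*' becomes None. Returns None if there is no range option."""
    m = _RANGE_RE.match(attr_name)
    if not m:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi


class FakeADServer:
    """Constructed stand-in for an AD DC (assumption, not a real server):
    answers searches for one group's 'member' attribute in range-sized chunks."""

    def __init__(self, members: List[str], max_val_range: int = DEFAULT_MAX_VAL_RANGE):
        self.members = members
        self.max_val_range = max_val_range
        self.calls = 0  # how many round trips the client needed

    def search(self, dn: str, attrs: List[str]) -> Dict[str, List[str]]:
        self.calls += 1
        entry: Dict[str, List[str]] = {}
        for requested in attrs:
            parsed = parse_range_option(requested)
            base = parsed[0] if parsed else requested
            lo = parsed[1] if parsed else 0
            if base.lower() != "member" or not self.members:
                continue  # unknown or empty attribute: AD simply omits it
            if parsed is None and len(self.members) <= self.max_val_range:
                entry["member"] = list(self.members)  # fits: no range option at all
                continue
            if lo >= len(self.members):
                raise ValueError("range start past end of attribute")
            chunk = self.members[lo:lo + self.max_val_range]
            # The chunk holding the last value is labelled 'lo-*', everything else 'lo-hi'.
            last = "*" if lo + self.max_val_range >= len(self.members) else str(lo + len(chunk) - 1)
            entry[f"member;range={lo}-{last}"] = chunk
        return entry


def fetch_all_values(search: Callable[[str, List[str]], Dict[str, List[str]]],
                     dn: str, attr: str) -> List[str]:
    """Retrieve every value of a multi-valued attribute, following range sub-attributes.
    Works unchanged against a server that does not use ranges (plain attribute returned)."""
    values: List[str] = []
    next_lo = 0
    requested = attr
    while True:
        entry = search(dn, [requested])
        chunk = None
        for name, vals in entry.items():
            if name.lower() == attr.lower():
                return values + list(vals)  # server returned the whole list in one go
            parsed = parse_range_option(name)
            if parsed and parsed[0].lower() == attr.lower():
                chunk = (parsed[1], parsed[2], list(vals))
        if chunk is None:
            if next_lo:
                raise ValueError("server dropped the attribute mid-retrieval")
            return values  # attribute absent or empty
        lo, hi, vals = chunk
        if lo != next_lo:
            raise ValueError(f"server returned range starting at {lo}, expected {next_lo}")
        values.extend(vals)
        if hi is None:
            return values  # '*' marks the final chunk
        next_lo = hi + 1
        requested = f"{attr};range={next_lo}-*"


def retrieve_group(member_count: int, max_val_range: int = DEFAULT_MAX_VAL_RANGE) -> Tuple[int, int]:
    """Build a constructed group of member_count DNs and return (values fetched, searches needed)."""
    members = [f"CN=user{i},CN=Users,DC=example,DC=com" for i in range(member_count)]
    server = FakeADServer(members, max_val_range)
    got = fetch_all_values(server.search, "CN=biggroup,CN=Users,DC=example,DC=com", "member")
    assert got == members
    return len(got), server.calls


if __name__ == "__main__":
    for n in (0, 100, 1500, 3000, 3500):
        print(n, "members ->", retrieve_group(n))
```

A group of 3500 members costs three round trips (0-1499, 1500-2999, 3000-*), while a group of 1500 or fewer comes back in one search with no range option. A client that does not implement this loop sees only the first 1500 members and no error, which is exactly how the oversized groups in this ticket end up truncated.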


IMO it is a major feature we should consider for 1.6.

Additionally, I'd like to also point out that there is an open ticket for OpenLDAP to support this (http://www.openldap.org/its/index.cgi?findid=5472). I think this is a better place for it, rather than having every client application reimplement this feature.

There is some resistance from OpenLDAP because this range extension violates RFC 4512, but I'd like to propose that support for it should be added as an option that can be enabled by clients, similar to referral chasing.

As also noted in that ticket, the use of the range sub-attribute can be checked with a supportedControl attribute from the rootDSE, so it wouldn't be too difficult to enable such an option at-will.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.6.0

Fields changed

priority: major => critical

Fields changed

owner: somebody => sgallagh

Moving back to NEEDS_TRIAGE.

There is work underway for a winbind-based ID provider for SSSD. As this feature is for Active Directory only (and is a violation of RFC 4512), I propose that its inclusion in the LDAP provider be scrapped or deferred.

milestone: SSSD 1.6.0 => NEEDS_TRIAGE
patch: => 0
priority: critical => major

This issue will be addressed by #364. It should be closed then. For now it is put into the same bucket.

component: LDAP Provider => Winbind Provider
milestone: NEEDS_TRIAGE => SSSD 1.7.0

Fields changed

milestone: SSSD 1.8.0 => SSSD 1.7.0

Fields changed

owner: sgallagh => pzuna

Pavel, please confirm whether the new winbind provider can retrieve groups from Active Directory containing more than 1500 users completely.

Winbind itself is able to retrieve a group with 2000 users completely with no problems (the default MaxValRange is 1500). Tested that today. However the Winbind provider shows groups with this many users as empty, so there must be some bug. I'm looking for it at the moment.

Update since my last post:

getent group always displays groups from Active Directory as empty at first. Not just groups with large member attributes. I've checked and members are retrieved correctly by Winbind and are available to the provider code. However they only seem to be displayed by getent after the member users have been retrieved/cached.

Is this normal behaviour? Should I look more into it?

Fields changed

milestone: SSSD 1.7.0 => SSSD 1.8.0

Replying to [comment:12 pzuna]:

> Update since my last post:
>
> getent group always displays groups from Active Directory as empty at first. Not just groups with large member attributes. I've checked and members are retrieved correctly by Winbind and are available to the provider code. However they only seem to be displayed by getent after the member users have been retrieved/cached.
>
> Is this normal behaviour? Should I look more into it?

This is not normal behavior. It suggests to me that the cache code in your winbind provider is not correctly utilizing the {{{store_incomplete_groups()}}} routines to save the user list.

Fields changed

milestone: SSSD 1.8.0 => NEEDS_TRIAGE
rhbz: =>

Fields changed

type: defect => enhancement

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.8 AD Integration NEEDS TRIAGE

Fields changed

component: Winbind Provider => LDAP Provider
milestone: SSSD 1.8 AD Integration NEEDS TRIAGE => SSSD 1.8.0
owner: pzuna => sgallagh
priority: major => minor

Fields changed

blockedby: =>
blocking: =>
milestone: SSSD 1.8.0 => SSSD 1.9.0 NEEDS_TRIAGE

Fields changed

milestone: SSSD 1.9.0 NEEDS_TRIAGE => SSSD 1.9.0
priority: minor => critical

This is an AD-specific feature.

milestone: SSSD 1.9.0 => SSSD 1.9 AD Integration

Fields changed

feature_milestone: =>
milestone: SSSD AD Trust Feature => SSSD AD Extensions Feature

For posterity, we dropped our plans for a winbind-based provider and are now planning to implement this feature into the SSSD's LDAP provider.

We will detect the presence of the range extension from the rootdse and take appropriate measures to deal with it.

status: new => assigned

Fields changed

patch: 0 => 1

Fixed by:
- ae8d047 (master)

milestone: SSSD AD Extensions Feature => SSSD 1.9.0 beta 1
resolution: => fixed
status: assigned => closed

Metadata Update from @sbose:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.9.0 beta 1
