The UI creates tabs for indirect members based on the relationship info in the metadata. Currently there seems to be no way to populate the tabs with the correct entries because there is no command that will return the indirect members only.
The "group-show --all" returns the members, member of, indirect member of, but not indirect members. The "user-find --in-groups" returns both direct and indirect members.
Also, since the list of indirect members probably will not come from a single LDAP entry, there's potentially a problem getting the complete list of primary keys (due to some LDAP server search limits), so it might not be possible to provide client-side pagination which is based on primary keys.
This is needed for paging.
This is a regression from JR's performance improvement patch. We used to search the entire tree for memberOf=group_dn (3 times actually). Now since we know the members already we use that as a search base for finding indirect members, which we do find, but we just aren't adding them to the results.
I have yet to see what impact this will have on nesting, whether we see all those members or not, but I can see 1-level deep indirect users where user1 is a member of group2 and group2 is a member of group1. I can see where user1 is popping up internally, we just aren't capturing it.
attachment freeipa-rcrit-798-indirect.patch
master: c5d8618
ipa-2-0: 63ad914
Metadata Update from @edewata: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.1 - 2011/06
Login to comment on this ticket.