There are deployments where it is beneficial to not have all users added automatically to ipausers group. Right now ipa user-add and ipa stageuser-activate always attempt to add a new/activated user to ipausers group.
ipausers
ipa user-add
ipa stageuser-activate
ipausers group was made non-POSIX in ticket #2238. This group is provided as a convenience to apply access control permissions to all users but it has a drawback: when number of users in this group is high enough, sequential addition of new users will cause memberof plugin to have a substantial computational cost. In many cases ipausers group stays unused but the cost is still paid.
The group ipausers would still be available.
Add configuration option to ipa config-mod to specify whether automatic addition to ipausers would be performed. If this option is set, current behavior is applied. If option is not set (new default), automatic addition to ipausers group is not applied.
ipa config-mod
Metadata Update from @abbra: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2025658
Login to comment on this ticket.