#9064 Allow deployment without users be added to ipausers group
Opened 2 years ago by abbra. Modified 2 years ago

There are deployments where it is beneficial to not have all users added automatically to ipausers group. Right now ipa user-add and ipa stageuser-activate always attempt to add a new/activated user to ipausers group.

ipausers group was made non-POSIX in ticket #2238. This group is provided as a convenience to apply access control permissions to all users but it has a drawback: when number of users in this group is high enough, sequential addition of new users will cause memberof plugin to have a substantial computational cost. In many cases ipausers group stays unused but the cost is still paid.

The group ipausers would still be available.

Add configuration option to ipa config-mod to specify whether automatic addition to ipausers would be performed. If this option is set, current behavior is applied. If option is not set (new default), automatic addition to ipausers group is not applied.


Metadata Update from @abbra:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2025658

2 years ago

Login to comment on this ticket.

Metadata