From 1ded5712eb3ed631e9787beffdf9cda4d44ae6b5 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Fri, 7 Nov 2014 13:58:17 +0100
Subject: [PATCH 80/80] LDAP: Disable token groups by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We tried to speed up processing of initgroup lookups with tokenGroups even for
the LDAP provider (if remote server is Active Directory), but it turns out that
there are too many corner cases that we didn't catch during development that
break. For instance, groups from other trusted domains might appear in TG and
the LDAP provider isn't equipped to handle them.
Overall, users who wish to use the added speed benefits of tokenGroups are
advised to use the AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2483
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/man/sssd-ldap.5.xml | 2 +-
src/providers/ldap/ldap_opts.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 2dcf7e3f8ab5c307e0262efdebfc148c30ea3679..d7a2a4ac9fa2497a4c347a2a7e77703e53b8a46c 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1022,7 +1022,7 @@
Active Directory Server 2008 and later.
</para>
<para>
- Default: True
+ Default: True for AD and IPA otherwise False.
</para>
</listitem>
</varlistentry>
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index dedbdac0bcf647337d4c00b1fbb82d6b46be5b54..f46381e9fac7b93730ce0767154989f2e3b7ebbf 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -116,7 +116,7 @@ struct dp_option default_basic_opts[] = {
{ "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
- { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE},
+ { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE},
{ "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
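Review bot: The man page in the first hunk now states "Default: True for AD and IPA otherwise False", but this hunk only flips the generic LDAP default in `default_basic_opts`; nothing in this patch sets a True default for the AD or IPA providers, so that presumably lives in their own option tables (not shown) and is worth confirming so the documented default matches what each provider actually applies. Given the commit message's reason for the change — tokenGroups results from trusted domains that the LDAP provider cannot handle — a short comment on the entry would help the next maintainer, e.g. `/* Disabled for the plain LDAP provider: tokenGroups may contain groups from trusted domains it cannot resolve; AD/IPA set their own default. */`. Minor style point: the added line keeps `BOOL_FALSE}` with no space before the closing brace, unlike the neighbouring entries; `{ "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },` would match them. The `default_basic_opts` array continues outside the hunk.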
--
1.9.3