-rw-r--r--src/config/SSSDConfig/__init__.py.in3
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf2
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf2
-rw-r--r--src/man/sssd-ldap.5.xml47
-rw-r--r--src/providers/ipa/ipa_opts.h2
-rw-r--r--src/providers/ldap/ldap_opts.h2
-rw-r--r--src/providers/ldap/sdap.h2
-rw-r--r--src/providers/ldap/sdap_async.h5
8 files changed, 65 insertions, 0 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 74bdde1d..d7895b49 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -273,6 +273,9 @@ option_strings = {
'ldap_idmap_default_domain' : _('Name of the default domain for ID-mapping'),
'ldap_idmap_default_domain_sid' : _('SID of the default domain for ID-mapping'),
+ 'ldap_groups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups'),
+ 'ldap_initgroups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups'),
+
# [provider/ldap/auth]
'ldap_pwd_policy' : _('Policy to evaluate the password expiration'),
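Review bot: The two new description strings do not mention that the feature is Active Directory-only, while the man page text added in this same commit restricts it to AD 2008 R1 and later; since these strings are what SSSDConfig consumers present to administrators, that restriction is worth carrying here. Suggest `'ldap_groups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups (Active Directory only)'),` and the same suffix on the initgroups entry. The option_strings dict starts and ends outside the hunk.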
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 6094a47d..24f3c688 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -118,6 +118,8 @@ ldap_idmap_range_size = int, None, false
ldap_idmap_autorid_compat = bool, None, false
ldap_idmap_default_domain = str, None, false
ldap_idmap_default_domain_sid = str, None, false
+ldap_groups_use_matching_rule_in_chain = bool, None, false
+ldap_initgroups_use_matching_rule_in_chain = bool, None, false
[provider/ipa/auth]
krb5_ccachedir = str, None, false
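Review bot: ldap_groups_use_matching_rule_in_chain and ldap_initgroups_use_matching_rule_in_chain are exposed to the IPA provider here, yet the man page added by this commit describes the rule as an Active Directory-specific feature known to work only with AD 2008 R1 and later. Nothing in the diff documents what happens when an administrator enables either option against a server that does not implement the rule (failed lookups versus fallback to the plain search), and a sentence on that failure mode belongs with the option description. If these IPA entries exist only to keep the IPA option table in step with the LDAP one, a short comment saying so would stop someone turning them on for an IPA domain. I cannot tell from this diff whether the extensible-match path is guarded by any server-capability check.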
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index a0694c70..cfd47e5e 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -111,6 +111,8 @@ ldap_idmap_range_size = int, None, false
ldap_idmap_autorid_compat = bool, None, false
ldap_idmap_default_domain = str, None, false
ldap_idmap_default_domain_sid = str, None, false
+ldap_groups_use_matching_rule_in_chain = bool, None, false
+ldap_initgroups_use_matching_rule_in_chain = bool, None, false
[provider/ldap/auth]
ldap_pwd_policy = str, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index de0fb5f6..e04befdb 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -831,6 +831,53 @@
</varlistentry>
<varlistentry>
+ <term>ldap_groups_use_matching_rule_in_chain</term>
+ <listitem>
+ <para>
+ This option tells SSSD to take advantage of an
+ Active Directory-specific feature which may speed
+ up group lookup operations on deployments with
+ complex or deep nested groups.
+ </para>
+ <para>
+ In most common cases, it is best to leave this
+ option disabled. It generally only provides a
+ performance increase on very complex nestings.
+ </para>
+ <para>
+ Note: This feature is currently known to work only
+ with Active Directory 2008 R1 and later. See
+ <ulink url="http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx">
+ MSDN(TM) documentation</ulink> for more details.
+ </para>
+ <para>
+ Default: False
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_initgroups_use_matching_rule_in_chain</term>
+ <listitem>
+ <para>
+ This option tells SSSD to take advantage of an
+ Active Directory-specific feature which will speed
+ up initgroups operations (most notably when
+ dealing with complex or deep nested groups).
+ </para>
+ <para>
+ Note: This feature is currently known to work only
+ with Active Directory 2008 R1 and later. See
+ <ulink url="http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx">
+ MSDN(TM) documentation</ulink> for more details.
+ </para>
+ <para>
+ Default: False
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>ldap_netgroup_object_class (string)</term>
<listitem>
<para>
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 770406cf..a0714cb4 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -121,6 +121,8 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_idmap_autorid_compat", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 62b03713..1c21bea9 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -102,6 +102,8 @@ struct dp_option default_basic_opts[] = {
{ "ldap_idmap_autorid_compat", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
DP_OPTION_TERMINATOR
};
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 90558221..a92305ff 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -217,6 +217,8 @@ enum sdap_basic_opt {
SDAP_IDMAP_AUTORID_COMPAT,
SDAP_IDMAP_DEFAULT_DOMAIN,
SDAP_IDMAP_DEFAULT_DOMAIN_SID,
+ SDAP_AD_MATCHING_RULE_GROUPS,
+ SDAP_AD_MATCHING_RULE_INITGROUPS,
SDAP_OPTS_BASIC /* opts counter */
};
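Review bot: SDAP_AD_MATCHING_RULE_GROUPS and SDAP_AD_MATCHING_RULE_INITGROUPS are slotted in just before the SDAP_OPTS_BASIC counter, and given that terminator they presumably index default_basic_opts and ipa_def_ldap_opts positionally; the commit keeps all three lists in the same order, but nothing in the code ties them together. A comment on the enum, `/* Order must match default_basic_opts (ldap_opts.h) and ipa_def_ldap_opts (ipa_opts.h). */`, would make the invariant visible to the next person adding an option. The enum sdap_basic_opt starts outside the hunk.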
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 34fb40da..7b5dba7b 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -243,4 +243,9 @@ enum_services_send(TALLOC_CTX *memctx,
errno_t
enum_services_recv(struct tevent_req *req);
+/* OID documented in
+ * http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx
+ */
+#define SDAP_MATCHING_RULE_IN_CHAIN "1.2.840.113556.1.4.1941"
+
#endif /* _SDAP_ASYNC_H_ */
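Review bot: The new comment gives only the MSDN URL, so a reader grepping for the rule by name finds nothing; the define would be clearer as `/* LDAP_MATCHING_RULE_IN_CHAIN: Active Directory extensible-match rule, OID 1.2.840.113556.1.4.1941 (see the MSDN page below). */`. Separately, this rule is applied in an extensible-match filter whose assertion value is a DN; the code that builds that filter is not in this diff, so I cannot confirm it, but any DN taken from the server or from user input must receive RFC 4515 filter escaping before it is interpolated, otherwise a crafted entry name becomes a filter injection. A one-line note to that effect next to the define would remind callers.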