-rw-r--r-- | src/config/SSSDConfig/__init__.py.in | 3 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ipa.conf | 2 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ldap.conf | 2 | ||||
-rw-r--r-- | src/man/sssd-ldap.5.xml | 47 | ||||
-rw-r--r-- | src/providers/ipa/ipa_opts.h | 2 | ||||
-rw-r--r-- | src/providers/ldap/ldap_opts.h | 2 | ||||
-rw-r--r-- | src/providers/ldap/sdap.h | 2 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async.h | 5 |
8 files changed, 65 insertions, 0 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 74bdde1d..d7895b49 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -273,6 +273,9 @@ option_strings = {
 'ldap_idmap_default_domain' : _('Name of the default domain for ID-mapping'),
 'ldap_idmap_default_domain_sid' : _('SID of the default domain for ID-mapping'),
+ 'ldap_groups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups'),
+ 'ldap_initgroups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups'),
+
 # [provider/ldap/auth]
 'ldap_pwd_policy' : _('Policy to evaluate the password expiration'),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 6094a47d..24f3c688 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -118,6 +118,8 @@ ldap_idmap_range_size = int, None, false
 ldap_idmap_autorid_compat = bool, None, false
 ldap_idmap_default_domain = str, None, false
 ldap_idmap_default_domain_sid = str, None, false
+ldap_groups_use_matching_rule_in_chain = bool, None, false
+ldap_initgroups_use_matching_rule_in_chain = bool, None, false
 [provider/ipa/auth]
 krb5_ccachedir = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index a0694c70..cfd47e5e 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -111,6 +111,8 @@ ldap_idmap_range_size = int, None, false
 ldap_idmap_autorid_compat = bool, None, false
 ldap_idmap_default_domain = str, None, false
 ldap_idmap_default_domain_sid = str, None, false
+ldap_groups_use_matching_rule_in_chain = bool, None, false
+ldap_initgroups_use_matching_rule_in_chain = bool, None, false
 [provider/ldap/auth]
 ldap_pwd_policy = str, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index de0fb5f6..e04befdb 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -831,6 +831,53 @@
 </varlistentry>
 <varlistentry>
+ <term>ldap_groups_use_matching_rule_in_chain</term>
+ <listitem>
+ <para>
+ This option tells SSSD to take advantage of an
+ Active Directory-specific feature which may speed
+ up group lookup operations on deployments with
+ complex or deep nested groups.
+ </para>
+ <para>
+ In most common cases, it is best to leave this
+ option disabled. It generally only provides a
+ performance increase on very complex nestings.
+ </para>
+ <para>
+ Note: This feature is currently known to work only
+ with Active Directory 2008 R1 and later. See
+ <ulink url="http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx">
+ MSDN(TM) documentation</ulink> for more details.
+ </para>
+ <para>
+ Default: False
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>ldap_initgroups_use_matching_rule_in_chain</term>
+ <listitem>
+ <para>
+ This option tells SSSD to take advantage of an
+ Active Directory-specific feature which will speed
+ up initgroups operations (most notably when
+ dealing with complex or deep nested groups).
+ </para>
+ <para>
+ Note: This feature is currently known to work only
+ with Active Directory 2008 R1 and later. See
+ <ulink url="http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx">
+ MSDN(TM) documentation</ulink> for more details.
+ </para>
+ <para>
+ Default: False
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
 <term>ldap_netgroup_object_class (string)</term>
 <listitem>
 <para>
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 770406cf..a0714cb4 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -121,6 +121,8 @@ struct dp_option ipa_def_ldap_opts[] = {
 { "ldap_idmap_autorid_compat", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 DP_OPTION_TERMINATOR
 };
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 62b03713..1c21bea9 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -102,6 +102,8 @@ struct dp_option default_basic_opts[] = {
 { "ldap_idmap_autorid_compat", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
 { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
 DP_OPTION_TERMINATOR
 };
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 90558221..a92305ff 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -217,6 +217,8 @@ enum sdap_basic_opt {
 SDAP_IDMAP_AUTORID_COMPAT,
 SDAP_IDMAP_DEFAULT_DOMAIN,
 SDAP_IDMAP_DEFAULT_DOMAIN_SID,
+ SDAP_AD_MATCHING_RULE_GROUPS,
+ SDAP_AD_MATCHING_RULE_INITGROUPS,
 SDAP_OPTS_BASIC /* opts counter */
 };
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 34fb40da..7b5dba7b 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
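Review bot: The two new enumerators in `enum sdap_basic_opt` (sdap.h) and the two new `dp_option` rows in `ipa_def_ldap_opts[]` (ipa_opts.h) and `default_basic_opts[]` (ldap_opts.h) are inserted at the same relative position, but nothing in any of the three hunks records that the positions must agree; since `SDAP_OPTS_BASIC` is the "opts counter", the enum presumably serves as the index into both arrays, so a later insertion in only one place would silently shift every option after it. A one-line comment at the enum head in sdap.h, `/* Order must match default_basic_opts[] (ldap_opts.h) and ipa_def_ldap_opts[] (ipa_opts.h) */`, would make the coupling visible to the next person adding an option. As a point of style, the enumerator names (`SDAP_AD_MATCHING_RULE_GROUPS`, `SDAP_AD_MATCHING_RULE_INITGROUPS`) do not mirror the option strings they index (`ldap_groups_use_matching_rule_in_chain`, `ldap_initgroups_use_matching_rule_in_chain`), unlike the neighbouring `SDAP_IDMAP_*` entries, which makes grepping from config name to enumerator harder. The enum and both arrays begin before their hunks; only the tail of each is visible here.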
@@ -243,4 +243,9 @@ enum_services_send(TALLOC_CTX *memctx,
 errno_t enum_services_recv(struct tevent_req *req);
+/* OID documented in
+ * http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx
+ */
+#define SDAP_MATCHING_RULE_IN_CHAIN "1.2.840.113556.1.4.1941"
+
 #endif /* _SDAP_ASYNC_H_ */ |
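Review bot: The comment above `SDAP_MATCHING_RULE_IN_CHAIN` only cites a URL and never says what the OID is or how it is meant to be used, so a reader has to leave the tree to learn that this is the Active Directory extensible-match rule for chained (nested) membership; `/* LDAP_MATCHING_RULE_IN_CHAIN: AD extensible-match rule that resolves nested membership server-side; see <url> */` would carry that in-tree. The diffstat lists only headers, option tables, config stubs and the man page, so within this commit neither this macro nor the `SDAP_AD_MATCHING_RULE_*` enumerators appear to have a consumer, while the man-page hunk already promises that the options "will speed up initgroups operations"; presumably a follow-up wires them in, and a short note to that effect in the commit message or next to the define would keep the documented behaviour honest for anyone bisecting. As a point of placement, the constant lands in sdap_async.h between a function prototype and the include guard rather than next to the option enum it accompanies in sdap.h.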