LDAP_MATCHING_RULE_IN_CHAIN support
- From: johan <johan [at] nosd.in>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: LDAP_MATCHING_RULE_IN_CHAIN support
- Date: Sat, 28 Jan 2023 14:10:59 +0100
Hello,
First, thank you for nslcd!
We use it on some hosts, with an active directory back-end.
We use supergroups, and I find nslcd could be improved by using the LDAP_MATCHING_RULE_IN_CHAIN extended operation, which is provided by Active Directory.
Maybe a new option value "ad" for "nss_nested_groups" could be added for enabling this recursive operation.
With this option, the group_by_member filter would be built this way:
(&(&(objectClass=group)(gidNumber=*))(|(?memberUid=myuser)(member:1.2.840.113556.1.4.1941:=cn=My User,ou=Users,dc=example,dc=intra)))
You will find attached a patch implementing these mods.
Here are the results I got on a user member of ~100 groups and supergroups:
# systemctl stop nscd
# grep -E '^nss_nested_groups' /etc/nslcd.conf
nss_nested_groups yes
# time groups myuser
myuser : Domain Users [snip]
real 0m14,810s
user 0m0,033s
sys 0m0,021s
# sed -i -E 's/^nss_nested_groups\tyes/nss_nested_groups\tad/' /etc/nslcd.conf && systemctl restart nslcd && time groups myuser
myuser : Domain Users [snip]
real 0m1,336s
user 0m0,010s
sys 0m0,036s
Do you think this could be added to nslcd?
-- Sent from /e/ Mail.
Attachment:
nslcd_ad_recursive.patch
Description: Binary data
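An added example, not part of the original post or the attached patch: one way to assemble the filter quoted above so that the user name and DN are escaped per RFC 4515 before they are placed in the search filter. The function names, buffer sizes and hard-coded attribute names (memberUid, member) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* OID of LDAP_MATCHING_RULE_IN_CHAIN, as it appears in the quoted filter */
#define RULE_IN_CHAIN "1.2.840.113556.1.4.1941"

/* Escape a value for an LDAP search filter (RFC 4515): '*', '(', ')' and
   '\' become \XX. Returns 0 on success, -1 if dst is too small.
   Hypothetical helper, not nslcd's own escaping routine. */
static int filter_escape(const char *src, char *dst, size_t dstlen)
{
  static const char hex[] = "0123456789abcdef";
  size_t o = 0;
  for (; *src != '\0'; src++) {
    unsigned char c = (unsigned char)*src;
    if (c == '*' || c == '(' || c == ')' || c == '\\') {
      if (o + 3 >= dstlen)
        return -1;
      dst[o++] = '\\';
      dst[o++] = hex[c >> 4];
      dst[o++] = hex[c & 0x0f];
    } else {
      if (o + 1 >= dstlen)
        return -1;
      dst[o++] = (char)c;
    }
  }
  if (o >= dstlen)
    return -1;
  dst[o] = '\0';
  return 0;
}

/* Build "(&<base>(|(memberUid=<uid>)(member:<OID>:=<dn>)))".
   base_filter is trusted configuration; uid and dn come from lookups and
   the directory, so they are escaped. Returns 0 on success, -1 on overflow. */
int mkfilter_group_bymember_ad(const char *base_filter, const char *uid,
                               const char *dn, char *buf, size_t buflen)
{
  char safeuid[256], safedn[1024]; /* assumed upper bounds */
  int n;
  if (filter_escape(uid, safeuid, sizeof(safeuid)) ||
      filter_escape(dn, safedn, sizeof(safedn)))
    return -1;
  n = snprintf(buf, buflen, "(&%s(|(memberUid=%s)(member:%s:=%s)))",
               base_filter, safeuid, RULE_IN_CHAIN, safedn);
  return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}
```

A DN such as "cn=Doe\, John (ops),..." contains both a backslash and parentheses, which is why the DN is escaped as well as the user name.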