lists.arthurdejong.org
RSS feed

LDAP_MATCHING_RULE_IN_CHAIN support

[Date Prev][Date Next] [Thread Prev][Thread Next]

LDAP_MATCHING_RULE_IN_CHAIN support



Hello,
First, thank you for nslcd!
We use it on some hosts, with an active directory back-end.
We use supergroups, and I find nslcd could be improved by using LDAP_MATCHING_RULE_IN_CHAIN extended operation, which is provided by active directory.
Maybe a new option value "ad" for "nss_nested_groups" could be added for enabling this recursive operation.
With this option, group_by_member filtre would be built this way :
(&(&(objectClass=group)(gidNumber=*))(|(?memberUid=myuser)(member:1.2.840.113556.1.4.1941:=cn=My User,ou=Users,dc=example,dc=intra)))

You will find attached a patch implementing these mods.

Here are the results I got on a user member of ~100 groups and supergroups:
# systemctl stop nscd

# grep -E '^nss_nested_groups' /etc/nslcd.conf
nss_nested_groups yes

# time groups myuser
myuser : Domain Users [snip]
real 0m14,810s
user 0m0,033s
sys 0m0,021s

# sed -i -E 's/^nss_nested_groups\tyes/nss_nested_groups\tad/' /etc/nslcd.conf && systemctl restart nslcd && time groups myuser
myuser : Domain Users [snip]
real 0m1,336s
user 0m0,010s
sys 0m0,036s


Do you think this could be added to nslcd?


-- Envoyé depuis /e/ Mail.

Attachment: nslcd_ad_recursive.patch
Description: Binary data