Michael Ströder wrote:
Arthur de Jong wrote:
> Since you cannot do joins in LDAP, every group with member attributes
> such as cn=Joe,ou=People,dc=... will require another lookup per member
> to find the username (uid attribute).
This very much depends on the implementation of the NSS provider. AFAIK sssd
simply searches all posixAccount and posixGroup entries and resolves group
membership internally from the local sssd cache database. If a NSS provider
does not support something similar it should be expanded to do so or one
should not use it at all.
Furthermore there's slapo-deref which seems to work. The client control can be
used to retrieve all the 'uid' values in member entries. The NSS provider has
to extract the 'uid' values from the response control value.
See
https://tools.ietf.org/html/draft-masarati-ldap-deref
Ciao, Michael.