Michael Ströder wrote:
Arthur de Jong wrote:
Since you cannot do joins in LDAP, every group with member attributes such as cn=Joe,ou=People,dc=... will require another lookup per member to find the username (uid attribute).
This very much depends on the implementation of the NSS provider. AFAIK sssd simply searches all posixAccount and posixGroup entries and resolves group membership internally from the local sssd cache database. If an NSS provider does not support something similar it should be expanded to do so or one should not use it at all.
Furthermore there's slapo-deref which seems to work. The client control can be used to retrieve all the 'uid' values in member entries. The NSS provider has to extract the 'uid' values from the response control value.
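
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not sssd or nss-pam-ldapd code: it compares one lookup per `member` DN against two bulk searches joined locally, counting search operations. The in-memory `DIRECTORY`, the `CountingDirectory` class and the function names are assumptions made for illustration, and DN matching is simplified to a case-insensitive string comparison.

```python
# Constructed sample entries (DN -> attributes); not taken from a real directory.
P, G = "ou=People,dc=example,dc=com", "ou=Groups,dc=example,dc=com"
DIRECTORY = {
    f"cn=Joe,{P}": {"objectClass": ["posixAccount"], "uid": ["joe"]},
    f"cn=Ann,{P}": {"objectClass": ["posixAccount"], "uid": ["ann"]},
    f"cn=Bob,{P}": {"objectClass": ["posixAccount"], "uid": ["bob"]},
    f"cn=admins,{G}": {"objectClass": ["posixGroup"], "cn": ["admins"],
                       # The last member DN is dangling: no such entry exists.
                       "member": [f"cn=Joe,{P}", f"CN=Ann,{P}", f"cn=Gone,{P}"]},
    f"cn=staff,{G}": {"objectClass": ["posixGroup"], "cn": ["staff"],
                      "member": [f"cn=Joe,{P}", f"cn=Ann,{P}", f"cn=Bob,{P}"]},
}

class CountingDirectory:
    """Hypothetical stand-in for an LDAP connection that counts searches."""
    def __init__(self, entries):
        self.entries = {dn.lower(): e for dn, e in entries.items()}
        self.searches = 0

    def read(self, dn):
        """Base-scope lookup of a single entry by DN."""
        self.searches += 1
        return self.entries.get(dn.lower())

    def search_class(self, object_class):
        """One subtree search returning every entry of an object class."""
        self.searches += 1
        return {dn: e for dn, e in self.entries.items()
                if object_class in e["objectClass"]}

def resolve_per_member(d):
    """One extra lookup per member DN to find its uid."""
    result = {}
    for group in d.search_class("posixGroup").values():
        uids = []
        for member_dn in group.get("member", []):
            entry = d.read(member_dn)
            if entry:  # a dangling member DN yields no username
                uids.extend(entry.get("uid", []))
        result[group["cn"][0]] = sorted(uids)
    return result

def resolve_from_cache(d):
    """Fetch all accounts and groups once, then join DN -> uid locally."""
    accounts = d.search_class("posixAccount")
    groups = d.search_class("posixGroup")
    uid_by_dn = {dn: e["uid"][0] for dn, e in accounts.items() if e.get("uid")}
    return {g["cn"][0]: sorted(uid_by_dn[m.lower()] for m in g.get("member", [])
                               if m.lower() in uid_by_dn)
            for g in groups.values()}
```
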