Description of problem:
LDAP_MATCHING_RULE_IN_CHAIN[1] improves performance of the groups resolution of users. The problem with the LDAP_MATCHING_RULE_IN_CHAIN implementation is that it can't be used for domain local group resolution in a multi-domain setup. But the performance is significant in comparison to recursive member resolution. Thus we enable by default group resolution using LDAP_MATCHING_RULE_IN_CHAIN, and as an alternative we provide a profile which will use recursive member resolution, which can also resolve domain local groups from foreign domains.

[1] https://support.microsoft.com/en-us/kb/914828

Version-Release number of selected component (if applicable):
1.2.2

How reproducible:
always

Steps to Reproduce:
1. Use LDAP_MATCHING_RULE_IN_CHAIN by default.

Actual results:
Not used by default.

Expected results:
Used by default.

Additional info:
Due to the nature of the issue, QE please contact DEV in order to specify passing criteria.
All patches are merged. Requires only building the package.
Included in ovirt-engine-extension-aaa-ldap-1.3.0
Verified with:
ovirt-engine-extension-aaa-ldap-1.3.1-0.0.master.20170115190508.gitda48d9d.el7.noarch

# grep -irn matching_rule /usr/share/ovirt-engine-extension-aaa-ldap/profiles/ad.properties
23:# This profile is using LDAP_MATCHING_RULE_IN_CHAIN to retrieve groups of users.
37:# We do prefer this profile because using LDAP_MATCHING_RULE_IN_CHAIN has significant
45:vars.LDAP_MATCHING_RULE_BIT_AND = 1.2.840.113556.1.4.803
46:vars.LDAP_MATCHING_RULE_BIT_OR = 1.2.840.113556.1.4.804
47:vars.LDAP_MATCHING_RULE_IN_CHAIN = 1.2.840.113556.1.4.1941
118:search.ad-resolve-groups.search-request.filter = &(objectCategory=group)(groupType:${global:vars.LDAP_MATCHING_RULE_BIT_AND}:=${global:vars.ADS_GROUP_TYPE_SECURITY_ENABLED})(member:${global:vars.LDAP_MATCHING_RULE_IN_CHAIN}:=${seq:_ad_dn_encoded})
130:search.ad-query-groups.search-request.filter = &(objectCategory=group)(groupType:${global:vars.LDAP_MATCHING_RULE_BIT_AND}:=${global:vars.ADS_GROUP_TYPE_SECURITY_ENABLED})${seq:filter}
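An added example (written here, not code from the bug report or from ovirt-engine-extension-aaa-ldap) that builds the ad-resolve-groups filter from the grep output above with RFC 4515 escaping of the user DN, and emulates on a constructed single-domain directory what the DC computes for the BIT_AND and IN_CHAIN matching rules. The value of ADS_GROUP_TYPE_SECURITY_ENABLED and the directory contents are assumptions; the cross-domain domain-local limitation from the description involves more than one directory and is not modelled.

```python
# Added example; not part of the oVirt bug report or of ovirt-engine-extension-aaa-ldap.
# Builds the ad-resolve-groups filter and emulates, for one constructed directory,
# what the DC computes for the BIT_AND and IN_CHAIN matching rules.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"
# Assumed value of ${global:vars.ADS_GROUP_TYPE_SECURITY_ENABLED} (AD's security-enabled flag).
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value; this is what ${seq:_ad_dn_encoded}
    has to provide, otherwise a DN containing '(' or '*' breaks or widens the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def resolve_groups_filter(user_dn: str) -> str:
    """Full RFC 4515 form of search.ad-resolve-groups.search-request.filter
    (the profile line omits the outer parentheses)."""
    return (
        "(&(objectCategory=group)"
        f"(groupType:{LDAP_MATCHING_RULE_BIT_AND}:={ADS_GROUP_TYPE_SECURITY_ENABLED})"
        f"(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)}))"
    )

# Constructed directory: group DN -> (groupType, member DNs). Nested membership
# forms the chain user -> vm-users -> all-staff -> newsletter -> intranet-readers.
USER_DN = "CN=John (Admin),OU=Users,DC=example,DC=com"
DIRECTORY = {
    "CN=vm-users,OU=Groups,DC=example,DC=com": (0x80000002, [USER_DN]),
    "CN=all-staff,OU=Groups,DC=example,DC=com": (0x80000002, ["CN=vm-users,OU=Groups,DC=example,DC=com"]),
    "CN=newsletter,OU=Groups,DC=example,DC=com": (0x00000002, ["CN=all-staff,OU=Groups,DC=example,DC=com"]),  # distribution group
    "CN=intranet-readers,OU=Groups,DC=example,DC=com": (0x80000004, ["CN=newsletter,OU=Groups,DC=example,DC=com"]),
}


def chain_groups(directory: dict, dn: str) -> set:
    """Emulates member:<IN_CHAIN>:=dn: every group reachable from dn through
    member links, whatever the type of the intermediate groups."""
    seen, frontier = set(), [dn]
    while frontier:
        node = frontier.pop()
        for group_dn, (_, members) in directory.items():
            if node in members and group_dn not in seen:
                seen.add(group_dn)
                frontier.append(group_dn)
    return seen


def resolve_security_groups(directory: dict, user_dn: str) -> list:
    """The whole filter: chain match, then groupType:<BIT_AND>:=SECURITY_ENABLED."""
    return sorted(g for g in chain_groups(directory, user_dn)
                  if directory[g][0] & ADS_GROUP_TYPE_SECURITY_ENABLED)
```

Note that the distribution group in the middle of the chain is walked through but not returned: the groupType clause only filters the matched groups, it does not stop the chain.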