Bug 832104 - [RFE] Add support for suppressing group members
Summary: [RFE] Add support for suppressing group members
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: All
OS: Linux
Target Milestone: rc
: 7.0
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
Depends On:
Blocks: 970519
Reported: 2012-06-14 14:10 UTC by Dmitri Pal
Modified: 2020-05-02 16:55 UTC

Fixed In Version: sssd-1.10.0-1.el7.alpha1
Doc Type: Enhancement
Doc Text:
Feature: A new option, ignore_group_members, was added.
Reason: In environments with very large groups (consider a group 'students' in a university setup) it is too costly to download and store the whole group membership. The only data needed is the group name and ID.
Result: When the new ignore_group_members option is set, the groups appear effectively empty, speeding up the group download and store time dramatically.
Clone Of:
: 970519 (view as bug list)
Last Closed: 2014-06-13 12:19:08 UTC
Target Upstream Version:


External tracker: Github SSSD sssd issues, ID 2418 (Private: 0, Priority: None, Status: None, Summary: None), last updated 2020-05-02 16:55:05 UTC

Description Dmitri Pal 2012-06-14 14:10:05 UTC
This bug is created as a clone of upstream ticket:

In many cases, actually being able to list the members of a group is unnecessary. For the most part, access-control schemes will rely on whether a user's environment includes them as a member of a group (via initgroups() or getgroups()), and NOT by looking up the group to see if the username happens to be present.

This provides us with an opportunity to increase our performance on such systems. We should add a new per-domain option: ignore_group_members.

This would have the following effects:
1. When populating the results to send back to the client, we would suppress the membership list. In other words, the groups would appear to be empty.
2. When doing LDAP lookups for the groups (for any schema), we would filter out the 'member' and 'memberUid' attributes, so that our direct lookups would skip downloading large memberships or processing nested groups.

One side-effect to this would be significantly-increased performance when running id <username>.

The trickiest piece of this functionality would be ensuring that we don't delete existing member/memberOf linkages from the cache during group lookups that were put there by previous initgroups() requests. Thus, when this option is in play, member/memberOf should only be managed by initgroups() calls.

As one last data point, this is apparently the default behavior for winbind, which explains the visible performance disparity between these two projects when performing id <username>.
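
Added example (not SSSD code, and not from the ticket author): a small Python model of the three effects described in the comment above. A constructed in-memory rfc2307 directory (DIRECTORY) stands in for the LDAP server and the Cache class stands in for SSSD's cache; group_request_attrs, ldap_search_group, ldap_search_user_groups and scenario are names invented for this example, and the base attribute list is an assumption. The 'students' group is given 50,002 members so the cost the ticket talks about is visible.

```python
"""Model of the ignore_group_members semantics described in this ticket.

Added example, not SSSD code.  A constructed in-memory directory stands in
for the LDAP server and a dict-based Cache stands in for SSSD's cache.  It
shows: (1) the membership attribute is left out of the group search,
(2) a plain group lookup never touches links written by initgroups(), and
(3) the NSS view is "empty group, but the user is still in it".
"""

# rfc2307 stores membership in memberUid; rfc2307bis and AD use member.
# Real LDAP attribute names; the mapping itself is this example's own.
MEMBER_ATTR = {"rfc2307": "memberUid", "rfc2307bis": "member", "ad": "member"}
GROUP_ATTRS = ["cn", "gidNumber", "objectClass"]   # minimal list (assumption)

# Constructed sample data (rfc2307 schema) standing in for the LDAP server.
DIRECTORY = {
    "students": {"cn": "students", "gidNumber": "5000",
                 "objectClass": ["posixGroup"],
                 "memberUid": ["alice", "bob"] + [f"s{i:05d}" for i in range(50000)]},
    "staff":    {"cn": "staff", "gidNumber": "5001",
                 "objectClass": ["posixGroup"], "memberUid": ["alice", "carol"]},
}


def group_request_attrs(schema, ignore_group_members):
    """Attributes requested in a group search.  With the option set the
    membership attribute is dropped, so the server never ships the list."""
    attrs = list(GROUP_ATTRS)
    if not ignore_group_members:
        attrs.append(MEMBER_ATTR[schema])
    return attrs


def ldap_search_group(name, attrs):
    """Project one directory entry onto the requested attributes."""
    entry = DIRECTORY[name]
    return {a: entry[a] for a in attrs if a in entry}


def ldap_search_user_groups(user, attrs):
    """Model of the initgroups() search, i.e. filter (memberUid=<user>)."""
    return [ldap_search_group(n, attrs) for n, e in DIRECTORY.items()
            if user in e["memberUid"]]


class Cache:
    def __init__(self, schema="rfc2307", ignore_group_members=False):
        self.schema = schema
        self.ignore_group_members = ignore_group_members
        self.groups = {}        # group name -> gid
        self.member_of = {}     # user -> set of group names

    def initgroups(self, user):
        """Resolve a user's groups.  With the option set this is the only
        path that writes member/memberOf links into the cache."""
        attrs = group_request_attrs(self.schema, True)   # members never needed here
        names = set()
        for e in ldap_search_user_groups(user, attrs):
            self.groups[e["cn"]] = int(e["gidNumber"])
            names.add(e["cn"])
        self.member_of[user] = names

    def lookup_group(self, name):
        """getgrnam()-style lookup: fetch one group and store it."""
        attrs = group_request_attrs(self.schema, self.ignore_group_members)
        e = ldap_search_group(name, attrs)
        self.groups[e["cn"]] = int(e["gidNumber"])
        if self.ignore_group_members:
            return e   # no member data fetched; existing links are left alone
        # Normal mode: the fetched member list is authoritative for this group.
        members = set(e.get(MEMBER_ATTR[self.schema], []))
        for user, groups in self.member_of.items():
            if user in members:
                groups.add(name)
            else:
                groups.discard(name)
        for user in members:
            self.member_of.setdefault(user, set()).add(name)
        return e

    def getgrnam(self, name):
        """NSS view of a group: (name, gid, members)."""
        if self.ignore_group_members:
            return name, self.groups[name], []
        return name, self.groups[name], sorted(
            u for u, gs in self.member_of.items() if name in gs)

    def getgrouplist(self, user):
        """NSS view of a user's supplementary groups (gids)."""
        return sorted(self.groups[g] for g in self.member_of.get(user, ()))


def scenario(ignore_group_members):
    """'id alice', then 'getent group students', then 'id alice' again."""
    c = Cache(ignore_group_members=ignore_group_members)
    c.initgroups("alice")
    before = c.getgrouplist("alice")
    fetched = c.lookup_group("students")
    return {
        "fetched_attrs": sorted(fetched),
        "students_members": len(c.getgrnam("students")[2]),
        "alice_gids_before": before,
        "alice_gids_after": c.getgrouplist("alice"),
    }


if __name__ == "__main__":
    print(scenario(True))
    print(scenario(False))
```

scenario(True) shows that the group search asks only for cn, gidNumber and objectClass, that getgrnam('students') reports no members, and that getgrouplist('alice') contains gid 5000 both before and after the group lookup, because the lookup never rewrote the links that initgroups() stored. scenario(False) fetches memberUid and returns all 50,002 members. On a real host the equivalent check, after setting `ignore_group_members = True` in the `[domain/...]` section of sssd.conf and restarting sssd, is `getent group students` (no member list) next to `id alice` (the group is still listed). The caveat follows from the description above: anything that enumerates members through getgrnam()/getgrgid(), such as scripts that parse `getent group` output, will see every group as empty, so authorization has to go through the user's own group list (initgroups()/getgrouplist()) rather than through group member enumeration.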

Comment 1 RHEL Program Management 2012-07-10 06:12:28 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 2 RHEL Program Management 2012-07-11 02:06:35 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 3 henson 2012-11-15 20:25:34 UTC
The new feature was added to upstream sssd git head today:


It should be fairly trivial to backport to 1.9 (I haven't tested it, but the diff applies as-is to 1.9.2 with only a few offsets).

While for the sssd project this was considered an RFE, for the purposes of RHEL 6 I'd like it considered a bug. This functionality was possible in RHEL 5 with nss_ldap, and lost in RHEL 6 with sssd, which is a regression. I have an open support case 00727783 requesting this feature for RHEL 6.


Comment 8 Jakub Hrozek 2013-03-26 18:03:51 UTC
Fixed upstream.

Comment 13 Jakub Hrozek 2013-10-04 13:24:43 UTC
Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 15 Nikolai Kondrashov 2013-11-13 16:17:00 UTC
Verified by sssd ldap_provider/ignore_group_members suite.

Comment 16 Ludek Smid 2014-06-13 12:19:08 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
