Bug 832104 - [RFE] Add support for suppressing group members
Summary: [RFE] Add support for suppressing group members
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 7.0
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 970519
Reported: 2012-06-14 14:10 UTC by Dmitri Pal
Modified: 2020-05-02 16:55 UTC (History)

Fixed In Version: sssd-1.10.0-1.el7.alpha1
Doc Type: Enhancement
Doc Text:
Feature: A new option, ignore_group_members was added. Reason: In environments with very large groups (consider a group 'students' in university setup) it is too costly to download and store the whole groups. The only data needed is the group name and ID. Result (if any): When the new ignore_group_members option is set, the groups appear effectively empty, speeding up the group download and store time dramatically.
Clone Of:
Clones: 970519
Environment:
Last Closed: 2014-06-13 12:19:08 UTC
Target Upstream Version:
Embargoed:


Links:
Github SSSD sssd issues 2418 (last updated 2020-05-02 16:55:05 UTC)

Description Dmitri Pal 2012-06-14 14:10:05 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1376

In many cases, actually being able to list the members of a group is unnecessary. For the most part, access-control schemes will rely on whether a user's environment includes them as a member of a group (via initgroups() or getgroups()), and NOT by looking up the group to see if the username happens to be present.

This provides us with an opportunity to increase our performance on such systems. We should add a new per-domain option: ignore_group_members.

This would have the following effects:
1. When populating the results to send back to the client, we would suppress the membership list. In other words, the groups would appear to be empty.
2. When doing LDAP lookups for the groups (for any schema), we would filter out the 'member' and 'memberuid' attributes, so that our direct lookups would skip downloading large memberships or processing nested groups.

One side-effect to this would be significantly-increased performance when running id <username>.

The trickiest piece of this functionality would be ensuring that we don't delete existing member/memberOf linkages from the cache during group lookups that were put there by previous initgroups() requests. Thus, when this option is in play, member/memberOf should only be managed by initgroups() calls.

As one last data point, this is apparently the default behavior for winbind, which explains the visible performance disparity between these two projects when performing id <username>.
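
An added illustration (not from the ticket or from the sssd project) of the option in a domain section of sssd.conf, together with the checks an administrator would run afterwards; the domain name, LDAP URI and the group and user names are assumed placeholders:

```ini
# /etc/sssd/sssd.conf (added illustration; domain, URI and names are placeholders)
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

# Do not request or store the member/memberUid attributes of groups.
# Group lookups then return only the name and GID; membership is known
# solely through the initgroups() path (login, "id <user>"), as the
# ticket describes, and is no longer visible via "getent group".
ignore_group_members = True

# After editing:  systemctl restart sssd ; sss_cache -E
# Expected:       getent group students  -> "students:*:<gid>:"  (no members)
#                 id alice               -> still lists "students" when alice
#                                           is a member (initgroups path)
```

The trade-off is the one the ticket notes: anything that inspects group membership by listing the group (rather than the user's own group set) will see the group as empty.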

Comment 1 RHEL Program Management 2012-07-10 06:12:28 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 2 RHEL Program Management 2012-07-11 02:06:35 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 3 henson 2012-11-15 20:25:34 UTC
The new feature was added to upstream sssd git head today:

http://git.fedorahosted.org/cgit/sssd.git/commit/?id=59f136cd254d1acf2991c97221eb08803784777d

It should be fairly trivial to backport to 1.9 (I haven't tested it, but the diff applies as-is to 1.9.2 with only a few offsets).

While for the sssd project this was considered an RFE, for the purposes of RHEL 6 I'd like it considered a bug. This functionality was possible in RHEL 5 with nss_ldap, and lost in RHEL 6 with sssd, which is a regression. I have an open support case 00727783 requesting this feature for RHEL 6.

Thanks...

Comment 8 Jakub Hrozek 2013-03-26 18:03:51 UTC
Fixed upstream.

Comment 13 Jakub Hrozek 2013-10-04 13:24:43 UTC
Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 15 Nikolai Kondrashov 2013-11-13 16:17:00 UTC
Verified by sssd ldap_provider/ignore_group_members suite.

Comment 16 Ludek Smid 2014-06-13 12:19:08 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

