#2616 [RFE] Allow filtering out groups that client does not care about
Closed: wontfix 4 years ago by pbrezina. Opened 8 years ago by dpal.

There are usually many groups in the central server (Ad/IdM) and not all of the are applicable to the client and its needs. This RFE requests an ability to fetch only those groups that are relevant to the client system and filter out the rest.

The setting can be a regex, or white list or black list. Other useful ideas welcome.


Please note that features like HBAC and sudo depend on group-memberships. Filtering groups might have unexpected side-effects on those features.

Please also note that for LDAP-based providers, it's possible to filter groups by adding a filter to the ldap_search_base option.

we'll reconsider during the next upstream cycle, 1.13 is too big already.

milestone: NEEDS_TRIAGE => SSSD 1.14 beta

Fields changed

rhbz: => todo

I've seen this requested multiple times, so it might make sense for 1.14 backlog as an extension of the performance work in 1.14

milestone: SSSD 1.14 beta => SSSD 1.14 backlog
sensitive: => 0

Moving to NEEDS_TRIAGE mostly so that the ticket is discussed with the other developers to see if we should try to include the filtering in the 1.14 milestone.

milestone: SSSD 1.14 backlog => NEEDS_TRIAGE

As discussed on the phone with Sumit, there is no way to implement this meaningfully, especially for configurations that use e.g. PAC or tokengroups, because we would need to resolve the SIDs anyway.

Therefore I'm deferring this ticket. We can write a blog post explaining why it's not possible.

Most users want this feature for performance reasons, so it makes sense to improve the cache performance overall, not add workarounds.

milestone: NEEDS_TRIAGE => SSSD Deferred

Yes, please write a blog post and link it to the ticket. That would really help with explanation when people ask.

Metadata Update from @dpal:
- Issue set to the milestone: SSSD Patches welcome

7 years ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persist on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3657

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata