Enable Active Directory primary groups #59
Open
mtkraai wants to merge 1 commit into theforeman:master from
Include primary group relationships when searching groups by users, or users by group. Active Directory does not include this relationship in the member and memberOf collections in LDAP queries.
Member
@ezr-ondrej any chance you could take a look and test?
ezr-ondrej reviewed Apr 22, 2019
Member ezr-ondrej left a comment
Sorry for the delay! Me 👎 😞
I have tested it and I have a few comments, probably based just on my poor AD knowledge. 🙂
- Is there a performance impact anticipated? The primary-group-token is a computed attribute and the primary group walk is going to happen always. Won't that be a problem in larger instances?
- Would you mind explaining the business case backing it? Because as I understand it, changing the primary group is not recommended. So in all ADs I have seen it would only result in adding the "Domain Users" and "Users" for `group_list` in most cases. And obviously a list of all users by `user_list` on "Domain Users", is that really helpful or is there some better use case?
- (nit) The `user_list` for "Domain Users" returns `[]` as it does not respond to any method, so `_groups_from_ldap_data` will not even be hit and we introduce a bit of an inconsistency as `group_list('user')` gives [..."Domain Users"...], but `user_list('Domain Users')` is not returning the user.

Otherwise it works smoothly and apart from those three points I generally like it. If you would please explain the business use case, I will be happy to approve 👍
dLobatog reviewed May 27, 2019
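The relationship that the pull request description says is missing from `member` and `memberOf` can be resolved in both directions from `objectSid` and `primaryGroupID`, as this added Ruby example shows; it is not code from this pull request or from the project. The function names are hypothetical and the SIDs are constructed sample values.

```ruby
# Decode a binary objectSid into its "S-1-5-21-..." string form.
def sid_to_string(bin)
  bytes = bin.bytes
  raise ArgumentError, 'truncated SID' if bytes.length < 8 || bytes.length != 8 + 4 * bytes[1]
  authority = bytes[2, 6].inject(0) { |acc, b| (acc << 8) | b } # 48-bit big-endian
  subs = bin.byteslice(8, 4 * bytes[1]).unpack('V*')            # 32-bit little-endian
  (["S-#{bytes[0]}-#{authority}"] + subs).join('-')
end

# Encode a string SID into the binary layout stored in objectSid.
def sid_to_binary(str)
  parts = str.split('-')
  raise ArgumentError, 'not a SID' unless parts[0] == 'S' && parts.length >= 3
  authority = Integer(parts[2])
  subs = parts[3..-1].map { |p| Integer(p) }
  auth_bytes = 5.downto(0).map { |i| (authority >> (8 * i)) & 0xff }
  ([Integer(parts[1]), subs.length] + auth_bytes).pack('C*') + subs.pack('V*')
end

# User -> primary group: the group's SID is the user's SID with the final
# sub-authority (RID) replaced by the user's primaryGroupID.
def primary_group_sid(user_sid_bin, primary_group_id)
  parts = sid_to_string(user_sid_bin).split('-')
  raise ArgumentError, 'SID has no RID' if parts.length < 4
  (parts[0..-2] + [Integer(primary_group_id).to_s]).join('-')
end

# RFC 4515 escaping so a binary value can be used in a search filter.
def escape_binary(bin)
  bin.bytes.map { |b| format('\\%02x', b) }.join
end

# Filter locating the user's primary group, which memberOf omits.
def primary_group_filter(user_sid_bin, primary_group_id)
  sid = sid_to_binary(primary_group_sid(user_sid_bin, primary_group_id))
  "(&(objectClass=group)(objectSid=#{escape_binary(sid)}))"
end

# Group -> users: accounts whose primaryGroupID is the group's RID; these
# accounts are the ones the group's member attribute omits.
def primary_members_filter(group_sid_bin)
  "(&(objectClass=user)(primaryGroupID=#{sid_to_string(group_sid_bin).split('-').last}))"
end

# Constructed sample values, not taken from a real directory.
USER_SID = sid_to_binary('S-1-5-21-1004336348-1177238915-682003330-1104')
puts primary_group_sid(USER_SID, '513')
puts primary_members_filter(sid_to_binary(primary_group_sid(USER_SID, '513')))
```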