canonical / hotsos

Software analysis toolkit. Define checks in high-level language and leverage library to perform analysis of common Cloud applications.
Apache License 2.0

Issue a warning when "ldap_use_tokengroups" is "true" on sssd-ad deployments #890

Closed mustafakemalgilor closed 1 week ago

mustafakemalgilor commented 1 month ago

The use of token groups is known to be causing issues with group memberships[1]:

> After selecting a custom ldap_search_base, the group membership no longer displays correctly.
>
> If you use non-standard LDAP search bases, please disable the TokenGroups performance enhancement by setting ldap_use_tokengroups=False. Otherwise, the AD provider would receive the group membership via a special call that is not restricted by the custom search base, which causes unpredictable results.
>
> Typically, users configure a custom ldap_search_base to limit the groups the user is a member of. Please see [this blog post](https://jhrozek.wordpress.com/2016/12/09/restrict-the-set-of-groups-the-user-is-a-member-of-with-sssd/) for more information on the subject.

We had several issues where the root cause was attributed to this. It would be nice to raise an issue when "sssd-ad" is present in the environment and the "ldap_use_tokengroups" option is set to "true".
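The check requested above, sketched as an added standalone example (not hotsos code and not the proposed YAML check): it parses an sssd.conf, finds `[domain/...]` sections using the AD provider with `ldap_use_tokengroups` enabled, and also reports whether a custom `ldap_search_base` is set, since that is the combination the quoted sssd-ad documentation warns about. The sample configuration is constructed for the example.

```python
"""Added example (not hotsos code): flag sssd AD domains with TokenGroups enabled."""
import configparser

# Constructed sample sssd.conf: two AD domains (one with a custom search base)
# and one plain LDAP domain that must not be reported.
SAMPLE_SSSD_CONF = """
[sssd]
domains = corp.example, lab.example, legacy.example

[domain/corp.example]
id_provider = ad
ldap_use_tokengroups = true
ldap_search_base = ou=Linux,dc=corp,dc=example

[domain/lab.example]
id_provider = ad
ldap_use_tokengroups = True

[domain/legacy.example]
id_provider = ldap
ldap_use_tokengroups = true
"""

# sssd accepts boolean values case-insensitively; compare lower-cased.
TRUE_VALUES = {"true", "yes", "1"}


def check_tokengroups(conf_text):
    """Return (domain, custom_search_base_set) for each AD domain that
    explicitly enables ldap_use_tokengroups."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        provider = parser.get(section, "id_provider", fallback="").strip().lower()
        if provider != "ad":
            continue  # the reported problem is specific to the AD provider
        tokengroups = parser.get(section, "ldap_use_tokengroups", fallback="")
        if tokengroups.strip().lower() in TRUE_VALUES:
            custom_base = parser.has_option(section, "ldap_search_base")
            findings.append((section[len("domain/"):], custom_base))
    return findings


def format_warning(domain, custom_base):
    """Build the warning text for one finding."""
    msg = (f"sssd domain '{domain}' (AD provider) has ldap_use_tokengroups enabled; "
           "this is known to cause issues with group memberships.")
    if custom_base:
        msg += " A custom ldap_search_base is also set; disable TokenGroups."
    return msg


for found_domain, has_custom_base in check_tokengroups(SAMPLE_SSSD_CONF):
    print(format_warning(found_domain, has_custom_base))
```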

mustafakemalgilor commented 4 weeks ago

This one is blocked on https://github.com/canonical/hotsos/pull/893