On 6/3/20 8:42 AM, Mary Georgiou via FreeIPA-users wrote:
Hello,
Thanks a lot for the prompt answer.

Could you clarify this point a bit more, please:
"but if you are using nested groups then you can not set this:"

Sorry, so nested groups are where groups are members of other groups.  For example:


dn: cn=group1,dc=example,dc=com
member:  uid=mark,ou=people,dc=example,dc=com
member:  uid=david,ou=people,dc=example,dc=com
member:  cn=group2,ou=groups,dc=example,dc=com


dn: cn=group2,ou=groups,dc=example,dc=com
member:  uid=steve,ou=people,dc=example,dc=com
member:  uid=jack,ou=people,dc=example,dc=com


So group2 is a member of group1, which means all of group2's members are technically members of group1.  This is very expensive to process/maintain, and if you aren't using "nested groups" then you can turn it off and get a performance gain.

Hope that clears things up.  Let me know if you have any other questions.

Thanks,
Mark


Do you mean if we already have groups with 'objectClass=nestedgroup'?
We do use nested groups, but it would be ok to disable the option and update 
them ourselves if this would fix the issue.
Best Regards
Mary
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

--

389 Directory Server Development Team
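
Added example, not part of the original messages and not 389 Directory Server code: a small Python sketch that expands the group1/group2 entries quoted above into their effective user list, showing that each group-valued member means another entry to read, with a guard against membership loops. The function names and the simple lowercase DN comparison are assumptions made for illustration.

```python
# Added example: expand nested group membership from LDIF-style entries.
# SAMPLE_LDIF reproduces the two entries quoted in the message above.
SAMPLE_LDIF = """\
dn: cn=group1,dc=example,dc=com
member: uid=mark,ou=people,dc=example,dc=com
member: uid=david,ou=people,dc=example,dc=com
member: cn=group2,ou=groups,dc=example,dc=com

dn: cn=group2,ou=groups,dc=example,dc=com
member: uid=steve,ou=people,dc=example,dc=com
member: uid=jack,ou=people,dc=example,dc=com
"""

def parse_groups(ldif):
    """Return {group_dn: [member_dn, ...]} from simple, unwrapped LDIF."""
    groups, current = {}, None
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if not sep:
            current = None  # blank line ends the entry
            continue
        # Assumption: lowercasing is enough to compare DNs in this sample.
        attr, value = attr.strip().lower(), value.strip().lower()
        if attr == "dn":
            current = groups.setdefault(value, [])
        elif attr == "member" and current is not None:
            current.append(value)
    return groups

def effective_members(groups, group_dn):
    """Walk nested groups; return (user DNs, number of group entries read)."""
    users, seen, stack = set(), set(), [group_dn.lower()]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue  # guards against membership loops (A in B, B in A)
        seen.add(dn)
        for member in groups.get(dn, []):
            if member in groups:
                stack.append(member)  # member is itself a group: descend
            else:
                users.add(member)
    return users, len(seen)

if __name__ == "__main__":
    groups = parse_groups(SAMPLE_LDIF)
    users, reads = effective_members(groups, "cn=group1,dc=example,dc=com")
    print(sorted(users), reads)
```
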