From 251e4914e55c6b66ab6eabd3b3e2e2b7b49029e3 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 19 Nov 2017 22:31:44 +0100
Subject: [PATCH 83/83] MAN: Document how the Global Catalog is used currently
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The existing documentation was outdated. Remove it and document what the
current patchset adds.

Related:
https://pagure.io/SSSD/sssd/issue/3468

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit a72919af8347b5bbc65a3b1fb3e5d31447240b24)
---
src/man/sssd-ad.5.xml | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 649042d587de3d3600fff59866681e302c721af8..c4a3fc2b5780eb0f15935a2c38f48418c5f7bb52 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -84,9 +84,16 @@
<programlisting>
ldap_id_mapping = False
</programlisting>
- In order to retrieve users and groups using POSIX attributes from trusted
- domains, the AD administrator must make sure that the POSIX attributes
- are replicated to the Global Catalog.
+ If POSIX attributes should be used, it is recommended for
+ performance reasons that the attributes are also replicated
+ to the Global Catalog. If POSIX attributes are replicated,
+ SSSD will attempt to locate the domain of a requested
+ numerical ID with the help of the Global Catalog and only
+ search that domain. In contrast, if POSIX attributes are not
+ replicated to the Global Catalog, SSSD must search all the
+ domains in the forest sequentially. Please note that that the
+ <quote>cache_first</quote> option might be also helpful in
+ speeding up domainless searches.
</para>
<para>
Users, groups and other entities served by SSSD are always treated as
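Review bot: The last added sentence has a doubled word ("Please note that that the") and an awkward word order ("might be also helpful"); since this text is rendered in the man page, suggest "Please note that the <quote>cache_first</quote> option might also be helpful in speeding up domainless searches." The same sentence names cache_first without saying where the option is documented, and "domainless searches" is not defined anywhere in the visible paragraph, so a cross-reference to the man page that describes the option and a few words tying "domainless" to the by-ID lookups described two sentences earlier would help readers. The paragraph also opens with "If POSIX attributes should be used" directly after the ldap_id_mapping = False listing; wording it as "If POSIX attributes are used" would make it clearer that it refers to the setting just shown.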
--
2.14.3