Warning

This is a design page. It was used to design and discuss the initial implementation of the change. However, the state of this document does not necessarily correspond to the current state of the implementation since we do not keep this document up to date with further changes and bug fixes.

D-Bus Interface: Users and Groups

Related ticket(s):

Related design page(s):

Problem statement

This design document describes how users and groups are represented on the SSSD D-Bus interface.

  • Listing users and groups in access control GUI

  • Obtaining extra information about a user that is not available through standard APIs

  • /org/freedesktop/sssd/infopipe/Users

  • o FindByName(s:name)

  • o FindByID(u:id)

  • ao ListByName(s:filter, u:limit)

    • filter: may contain an asterisk as a wildcard character; a minimum length is required

    • limit: maximum number of entries returned; 0 means unlimited, or up to the maximum allowed number

  • ao ListByDomainAndName(s:domain_name, s:filter, u:limit)

    • filter: may contain an asterisk as a wildcard character; a minimum length is required

    • limit: maximum number of entries returned; 0 means unlimited, or up to the maximum allowed number

None.

None.

  • /org/freedesktop/sssd/infopipe/Users/$DOMAIN/$UID

  • void UpdateGroupsList()

    • Performs initgroups on the user.

None.

  • s name

    • The user’s login name.

  • u uidNumber

    • The user’s UID.

  • u gidNumber

    • The user’s primary GID.

  • s gecos

    • The user’s real name.

  • s homeDirectory

    • The user’s home directory.

  • s loginShell

    • The user’s login shell.

  • a{sas} extraAttributes

    • Extra attributes as configured in SSSD. The key is the attribute name; the value is an array of strings containing the attribute’s values.

  • ao groups

    • An array of object paths representing the groups the user is a member of.

  • /org/freedesktop/sssd/infopipe/Groups

  • o FindByName(s:name)

  • o FindByID(u:id)

  • ao ListByName(s:filter, u:limit)

    • filter: may contain an asterisk as a wildcard character; a minimum length is required

    • limit: maximum number of entries returned; 0 means unlimited, or up to the maximum allowed number

  • ao ListByDomainAndName(s:domain_name, s:filter, u:limit)

    • filter: may contain an asterisk as a wildcard character; a minimum length is required

    • limit: maximum number of entries returned; 0 means unlimited, or up to the maximum allowed number

None.

  • /org/freedesktop/sssd/infopipe/Groups/$DOMAIN/$GID

None.

None.

  • s name

    • The group’s name.

  • u gidNumber

    • The group’s primary GID.

  • ao users

    • A list of the group’s member user objects.

  • ao groups

    • A list of the group’s member group objects.

New D-Bus interfaces will be implemented in the IFP responder.

Find methods perform online lookup if the entry is missing or expired.

Listing methods always perform online lookup to ensure that even recently added entries are in the list.

Listing methods can return only a limited number of entries. The number of entries returned can be controlled by the limit parameter, with a hard limit set in sssd.conf by a new configuration option, filter_limit. This option can be present in the [ifp] and [domain] sections: in the [domain] section it limits data provider filter searches, and in the [ifp] section it sets the global hard limit for the listing methods themselves. The limit is meant to improve performance with large databases, so that only a small number of records is processed. If the option is set to 0, the limit is disabled.

A filter may contain only the asterisk ‘*’ as a wildcard character; it does not support the complete set of regular expressions. The asterisk can appear at the beginning of the filter (‘*filter’), at its end (‘filter*’), on both sides (‘*filter*’) or even in the middle (‘*fil*ter*’), since this is supported by both LDAP and LDB. However, only a prefix filter (‘filter*’) can benefit from indices, so other filters may not perform as well with huge databases.
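The limit and filter rules from the two paragraphs above, sketched as an added example (this is not SSSD code): a caller-supplied wildcard filter is validated, each literal run is escaped per RFC 4515 so it cannot change the structure of the resulting LDAP filter, and the requested limit is clamped to the hard limit. The attribute name `name`, the minimum of two literal characters and all function names are assumptions made for the illustration.

```python
# Added illustration, not SSSD code. ATTR and MIN_LITERAL_CHARS are assumed values.
ATTR = "name"
MIN_LITERAL_CHARS = 2

# RFC 4515 escapes for characters that are special inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_literal(text):
    """Escape one literal run so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def wildcard_to_ldap(pattern, attr=ATTR, min_chars=MIN_LITERAL_CHARS):
    """Translate 'fil*ter*' into an LDAP substring filter; '*' is the only wildcard."""
    pieces = pattern.split("*")
    # Enforce the minimum length on literal characters, so '*' alone is rejected.
    if sum(len(p) for p in pieces) < min_chars:
        raise ValueError("filter too short")
    value = "*".join(escape_literal(p) for p in pieces)
    while "**" in value:  # collapse repeated wildcards
        value = value.replace("**", "*")
    return "(%s=%s)" % (attr, value)


def is_prefix_filter(pattern):
    """True only for 'filter*', the form that can benefit from indices."""
    return len(pattern) > 1 and pattern.endswith("*") and pattern.count("*") == 1


def effective_limit(requested, hard_limit):
    """0 means 'no limit' on either side; otherwise the smaller value wins."""
    if hard_limit == 0:
        return requested
    if requested == 0:
        return hard_limit
    return min(requested, hard_limit)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pat in ("adm*", "*fil*ter*", "a)(uid=*"):
        print(pat, "->", wildcard_to_ldap(pat), "prefix:", is_prefix_filter(pat))
    print("limit:", effective_limit(0, 100), effective_limit(500, 100))
```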

The following options will be created in the [ifp] and [domain] sections:

  • wildcard_search_limit (uint32)

See the wildcard refresh design page for more details.

Call the D-Bus methods and read the properties, for example with the dbus-send tool.