Warning
This is a design page. It was used to design and discuss the initial implementation of the change. However, the state of this document does not necessarily correspond to the current state of the implementation since we do not keep this document up to date with further changes and bug fixes.
D-Bus Interface: Users and Groups
Related ticket(s):
Related design page(s):
Problem statement —————-~
This design document describes how users and groups are represented on SSSD D-Bus interface.
Use cases
Listing users and groups in access control GUI
Obtaining extra information about user that is not available through standard APIs
D-Bus Interface
org.freedesktop.sssd.infopipe.Users
Object paths implementing this interface
/org/freedesktop/sssd/infopipe/Users
Methods
o FindByName(s:name)
o FindByID(u:id)
ao ListByName(s:filter, u:limit)
filter: possible asterisk as wildcard character; minimum length is required
limit: maximum number of entries returned, 0 means unlimited or to maximum allowed number
ao ListByDomainAndName(s:domain_name, s:filter, u:limit)
filter: possible asterisk as wildcard character; minimum length is required
limit: maximum number of entries returned, 0 means unlimited or to maximum allowed number
Signals
None.
Properties
None.
org.freedesktop.sssd.infopipe.Users.User
Object paths implementing this interface
/org/freedesktop/sssd/infopipe/Users/$DOMAIN/$UID
Methods
void UpdateGroupsList()
Performs initgroups on the user.
Signals
None.
Properties
s name
The user’s login name.
u uidNumber
The user’s UID.
u gidNumber
The user’s primary GID.
s gecos
The user’s real name.
s homeDirectory
The user’s home directory
s loginShell
The user’s login shell
a{sas} extraAttributes
Extra attributes as configured by the SSSD. The key is the attribute name, value is array of strings that contains the values.
ao groups
An array of object paths representing the groups the user is a member of.
org.freedesktop.sssd.infopipe.Groups
Object paths implementing this interface
/org/freedesktop/sssd/infopipe/Groups
Methods
o FindByName(s:name)
o FindByID(u:id)
ao ListByName(s:filter, u:limit)
filter: possible asterisk as wildcard character; minimum length is required
limit: maximum number of entries returned, 0 means unlimited or to maximum allowed number
ao ListByDomainAndName(s:domain_name, s:filter, u:limit)
filter: possible asterisk as wildcard character; minimum length is required
limit: maximum number of entries returned, 0 means unlimited or to maximum allowed number
Signals
None.
Properties
org.freedesktop.sssd.infopipe.Groups.Group
Object paths implementing this interface
/org/freedesktop/sssd/infopipe/Groups/$DOMAIN/$GID
Methods
None.
Signals
None.
Properties
s name
The group’s name.
u gidNumber
The group’s primary GID.
ao users
A list of the group’s member user objects.
ao groups
A list of the group’s member group objects.
Overview of the solution
New D-Bus interfaces will be implemented in the IFP responder.
Find methods perform online lookup if the entry is missing or expired.
Listing methods always perform online lookup to ensure that even recently added entries are in the list.
Listing methods can return only a limited number of entries. Number of entries returned can be controlled by limit parameter with hard limit set in sssd.conf with a new configuration option filter_limit. This option can be present in [ifp] and [domain] sections to set this limit for data provider filter searches ([domain] section) and also global hard limit for the listing methods itself ([ifp] section). This limit is supposed to improve performance with large databases so we process only a small number of records. If the option is set to 0, the limit is disabled.
Filter may contain only ‘*’ asterisk as a wildcard character, it does not support complete set of regular expressions. The asterisk can be present on the beginning of the filter ‘*filter’, its end ‘filter*’, both sides ‘*filter*’ or even in the middle ‘*fil*ter*’, since it is supported by both LDAP and LDB. However, only prefix-filter (‘filter*’), can take the performance boost from indices so other filter may not perform so good with huge databases.
Configuration changes
The following options will be created in the [ifp] and [domain] sections:
wildcard_search_limit (uint32)
See the wildcard refresh design page for more details.
How To Test
Call the D-Bus methods and properties. For example with dbus-send tool.
Authors
Jakub Hrozek <jhrozek@redhat.com>
Pavel Březina <pbrezina@redhat.com>