On 03/23/2011 04:39 AM, Jakub Hrozek wrote:
> On 03/22/2011 10:47 PM, Stephen Gallagher wrote:
>> On 03/22/2011 03:15 PM, Stephen Gallagher wrote:
>>> On 03/22/2011 03:04 PM, Stephen Gallagher wrote:
>>>> On 03/22/2011 02:35 PM, Jakub Hrozek wrote:
>>>>> On 03/22/2011 06:36 PM, Jakub Hrozek wrote:
>>>>>> Fixes:
>>>>>> https://fedorahosted.org/sssd/ticket/822
>
>>>>>> [PATCH 1/2] Add originalDN to fake groups
>>>>>> Since we are storing expired groups during initgroups now and some of
>>>>>> the group processing routines depend on originalDN, I think the
>>>>>> originalDN should be stored with the fake groups.
>
>>>>>> This would help for instance sdap_nested_group_process_step() which
>>>>>> would find the expired group in sysdb and refresh it immediately instead
>>>>>> of trying blind lookup for users and then groups.
>
>>>>>> [PATCH 2/2] Use fake groups during IPA schema initgroups
>>>>>> Do not just store non-expired groups from LDAP during initgroups and
>>>>>> risk that some of the members might not be there. Instead, add fake
>>>>>> groups for those that are not yet cached and build correct
>>>>>> member/memberof relationship.
>
>>>>>> There's one more optimization I'd like to make, although I'm not sure if
>>>>>> it is 1.5 material. Since we do not fetch the memberof attribute for
>>>>>> LDAP groups, we must look at all groups when searching for direct
>>>>>> parents for a group (see sdap_initgr_nested_get_direct_parents()).
>
>>>>>> Having the memberof attribute would allow for an optimization where we
>>>>>> would first filter all parents and then just the direct ones. That would
>>>>>> be very similar to what we can do for the user since we search the
>>>>>> groups based on users' memberof anyway.
>
>>>>>> Jakub
>
>>>>> Attached patches are rebased on top of Stephen's multiname patches.
>
>>>> Nack. The rebase needs to add support for sysdb_attrs_primary_name() in
>>>> sdap_initgr_nested_store_group() (instead of
>>>> sysdb_attrs_get_string(SYSDB_NAME))
>
>>>> Otherwise, this would be regressing functionality from my multiname
>>>> patches.
>
>>> Attaching a simple patch to address this. Assuming this is approved,
>>> I'll squash it in and push.
>
>> Jakub discovered another problem that's related to both this patch and
>> my multi-name patches. It would be too much trouble to stick this back
>> in the middle of the pile, so I've added it as patch 0004 of the set.
>> Testing should be done only with ALL patches in place.
>
>> I've reattached all four patches (Jakub's original two, my original fix
>> for his second patch which should be squashed in, and my new patch for
>> multi-named groups in the comparison lists)
>
> Ack to both new patches.

Pushed all four to master and sssd-1-5.

--
Stephen Gallagher
RHCE 804006346421761