On 10/01/2013 09:54 PM, Jakub Hrozek wrote:
On Tue, Sep 24, 2013 at 03:17:47PM +0200, Pavel Březina wrote:
On 09/24/2013 01:32 PM, Jakub Hrozek wrote:
On Wed, Sep 11, 2013 at 02:40:14PM +0200, Pavel Březina wrote:
https://fedorahosted.org/sssd/ticket/2064

This patch set depends on: [PATCH] ad: store group in correct
tree on initgroups via tokenGroups

You can also pull it with all dependencies from my repository:
fedorapeople.org:public_git/sssd.git #ad-groups

The fundamental changes in this patch set are:
- lookup groups in global catalog
- pick up member domain from its originalDN

From 0273d17f24eac7b60dfc0515a9e3b97ad16d1199 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Mon, 9 Sep 2013 15:52:03 +0200
Subject: [PATCH 1/9] ad: shortcut if possible during get object by ID or SID

When getByID or getBySID comes from responder, the request
doesn't necessarily have to contain correct domain, since
responder iterates over all domains until it finds a match.

Every domain has its own ID range, so we can simply shortcut
if domain does not match and avoid LDAP round trip. Responder
will continue with next domain until it finds the correct one.

This patch seems OK to me, but I'd like a second look from
someone who understands the ranges better (which is probably
Sumit)

From f74d4637980438032649dfbf079fa6c839862586 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 10 Sep 2013 10:40:06 +0200
Subject: [PATCH 2/9] ad: simplify get_conn_list()

It was originally designed to return a list of connection objects,
but it really always works with only one connection.

I'd like to review this patch and the following along with my
patches to look up POSIX IDs in GC, they touch the same code.

From ad5dc9e7557ef605fc5d7fc759e5cb6c2f9a148c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 10 Sep 2013 14:45:50 +0200
Subject: [PATCH 4/9] sdap_domain_add(): fix possible memory leak

ACK.

From 9f2c212e01700289d70002c8c39b732ca6c11cee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 10 Sep 2013 14:45:52 +0200
Subject: [PATCH 5/9] sdap: store base dn in sdap_domain

Groups may contain members from different domains. Remembering
base dn in domain object gives us the ability to simply look up
correct domain by comparing object dn with domain base dn.

Resolves: https://fedorahosted.org/sssd/ticket/2064

I haven't tested these patches yet.

I'm sending a rebased version of my patches.

[PATCH 4/9] sdap_domain_add(): fix possible memory leak was removed
from the patch set since Sumit's recent patch removed the code I
fixed :-)

Hi,

can you check if patches #6 and #7 still apply after the recent
changes in 1.11? We actually do use the LDAP fallback now.

They won't apply, but I think it is quite all right to just skip them.
The purpose of these patches was to always contact GC for get_group and
initgroups.

We always contact GC first at the moment and having LDAP as fallback is
fine for groups. If there is a member from a different domain, we
will just fail, but if there is no foreign member it will work.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
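
The domain lookup described in the PATCH 5/9 commit message above (comparing an object DN with each domain's base DN), as an added example that is not part of this thread or of SSSD's code. `struct demo_domain`, the function names and the sample DNs are hypothetical and constructed; DNs are assumed to be normalized with no spaces around separators. It goes slightly beyond the message by picking the longest matching base DN for nested domains and by rejecting a match that starts at an escaped comma, since either mistake would attribute a member to the wrong domain.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a domain record; not SSSD's struct sdap_domain. */
struct demo_domain { const char *name; const char *basedn; };

/* 1 if dn[pos] is a real RDN separator: a comma preceded by an even
 * number of backslashes (an odd count means the comma is escaped). */
static int is_separator(const char *dn, size_t pos)
{
    size_t slashes = 0;
    if (dn[pos] != ',') return 0;
    while (pos > slashes && dn[pos - slashes - 1] == '\\') slashes++;
    return slashes % 2 == 0;
}

/* 1 if dn is basedn itself or lies below it (ASCII case-insensitive). */
static int dn_under_base(const char *dn, const char *basedn)
{
    size_t dn_len = strlen(dn), base_len = strlen(basedn), i;
    const char *tail;
    if (base_len == 0 || base_len > dn_len) return 0;
    tail = dn + (dn_len - base_len);
    for (i = 0; i < base_len; i++) {
        if (tolower((unsigned char)tail[i]) !=
            tolower((unsigned char)basedn[i])) return 0;
    }
    return dn_len == base_len || is_separator(dn, dn_len - base_len - 1);
}

/* Return the domain with the longest matching base DN, or NULL if the
 * DN belongs to none of the known domains. */
const struct demo_domain *find_domain_by_dn(const struct demo_domain *doms,
                                            size_t count, const char *dn)
{
    const struct demo_domain *best = NULL;
    size_t i;
    for (i = 0; i < count; i++) {
        if (!dn_under_base(dn, doms[i].basedn)) continue;
        if (best == NULL || strlen(doms[i].basedn) > strlen(best->basedn))
            best = &doms[i];
    }
    return best;
}

/* Constructed sample: a parent domain and a child domain below it. */
const struct demo_domain demo_domains[] = {
    { "example.com",       "DC=example,DC=com" },
    { "child.example.com", "DC=child,DC=example,DC=com" },
};
```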