On Tue, 2016-08-23 at 17:24 +0300, Nikolai Kondrashov wrote:
> Hi everyone,
>
> Attached is the third version of work-in-progress SSSD/tlog integration
> patches. I'm sending them in the hope that somebody takes a look and perhaps
> points out some wrong bits I can fix before I'm too dependent on them.
>
> The changes from the last version is some refactoring of the NSS and the
> common parts, plus start of the PAM part of the implementation.
>
> Also, at this point, I think I could contribute some general fixes and
> prerequisite refactoring patches separately.

So I have been going through the patchset and I have concerns about how you are determining if the shell needs to be substituted with the session recording shell.

It seems you do this work every single time a getpwnam/uid/etc request is run. This is very expensive, as you do a full group search on each of those requests to find data that arguably rarely changes.

I think in general this should be done at "write" time, not at "read" time. I.e. whenever the session recording configuration changes or when a new user is written in the cache, then you should check if session recording applies to this user and write an attribute in the user entry.

On getpwnam/uid/ent calls you would look for those calls and replace the shell entry accordingly.

Unless there is some very good reason to do it always at query time this is, I am afraid, a nack on the approach.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
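
The write-time approach proposed in the reply above, sketched as an added example; it is not code from the patchset or from SSSD. The structures, the function names, the `record` attribute and the recording shell path are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_GROUPS 4
#define REC_SHELL "/usr/bin/tlog-rec-session" /* assumed install path */

struct rec_conf { const char *groups[MAX_GROUPS]; size_t ngroups; };
struct user_entry {
    const char *name, *shell;
    const char *groups[MAX_GROUPS];
    size_t ngroups;
    bool record; /* hypothetical cached attribute, set only on write */
};

static int group_searches; /* counts the expensive membership scans */
int searches_done(void) { return group_searches; }

/* Expensive step: match the user's groups against the recorded groups. */
static bool conf_applies(const struct rec_conf *c, const struct user_entry *u)
{
    group_searches++;
    for (size_t i = 0; i < u->ngroups; i++)
        for (size_t j = 0; j < c->ngroups; j++)
            if (strcmp(u->groups[i], c->groups[j]) == 0)
                return true;
    return false;
}

/* Write path 1: a user entry is stored or refreshed in the cache. */
void cache_store_user(const struct rec_conf *c, struct user_entry *u)
{
    u->record = conf_applies(c, u);
}

/* Write path 2: recording config changed, re-evaluate all cached entries. */
void conf_changed(const struct rec_conf *c, struct user_entry *users, size_t n)
{
    for (size_t i = 0; i < n; i++)
        cache_store_user(c, &users[i]);
}

/* Read path (getpwnam-style): consult the attribute, no group search. */
const char *lookup_shell(const struct user_entry *u)
{
    return u->record ? REC_SHELL : u->shell;
}

int main(void)
{
    struct rec_conf conf = { { "admins" }, 1 };          /* constructed */
    struct user_entry u = { "alice", "/bin/bash", { "admins" }, 1, false };
    cache_store_user(&conf, &u);
    for (int i = 0; i < 1000; i++) lookup_shell(&u);
    printf("%s -> %s, searches: %d\n", u.name, lookup_shell(&u), searches_done());
}
```

The attribute is only as fresh as the last write, so a refresh that changes a user's group membership has to go through the store path as well, or a user newly added to a recorded group keeps an unrecorded shell until the entry is rewritten.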