On Tue, Nov 08, 2016 at 08:14:20AM +0100, Lukas Slebodnik wrote: > On (26/07/16 22:05), Sumit Bose wrote: > >On Tue, Jul 26, 2016 at 06:06:48PM +0200, Jakub Hrozek wrote: > >> On Tue, Jul 26, 2016 at 05:25:11PM +0200, Jakub Hrozek wrote: > >> > On Tue, Jul 26, 2016 at 01:51:56PM +0200, Sumit Bose wrote: > >> > > > > The third patch adds a sysdb call to recursively resolve all > >> > > > > user-members of a group. Since the groups in SSSD's cache are > >> > > > > hierarchically organized the member attribute only contains direct > >> > > > > user and group members. To get all users the group members must be > >> > > > > resolved recursively. > >> > > > > >> > > > Would dereferencing memberof:top-level-group yield different results? > >> > > > >> > > It worked in my testing but I have to admit that I'm not sure if it can > >> > > be used reliable all the time, i.e. is independent of all the different > >> > > lookup sequences you can have with nested groups. If you are sure it is > >> > > reliable, the call can be simplified. > >> > > >> > This is how memberof is supposed to work. I haven't tested all > >> > scenarios either (if there are some corner cases you'd like me to test, > >> > just let me know), but if there are differences, I would say these would > >> > be bugs in the memberof plugin and should be fixed. > >> > >> btw the patches seem to work fine, I tested getent passwd on an > >> overriden user, getent group on a group this user is a memberof (both an > >> AD group and an IPA group with an external group in it) and id of this > >> user. > >> > >> All lookups show the expected data. Coverity is clean and CI passed. > >> > >> Therefore provisional ACK - the only remaining point remains the recursive > >> member vs. memberof part. I don't mind accepting the patch as-is now, > >> if we agree to open a ticket and switch to memberof later in 1.14. > > > >Please have a look at attached patch, it replaces the recursive member > >based lookup by a (memberof=group_dn) search. It works well for me in > >some basic tests. > > > >bye, > >Sumit > > > > >From ee8ebcec8062d75e98da796b291973fd96d45b1c Mon Sep 17 00:00:00 2001 > >From: Sumit Bose <sb...@redhat.com> > >Date: Tue, 26 Jul 2016 21:30:41 +0200 > >Subject: [PATCH] sysdb_get_user_members_recursively: use memberof search > > > >--- > > src/db/sysdb_ops.c | 181 > > ++++------------------------------------ > > src/tests/cmocka/test_nss_srv.c | 30 +++---- > > 2 files changed, 33 insertions(+), 178 deletions(-) > > > Jakub, > > is there a reason why this patch has not been pushed to master yet?
Please see the earlier replies in this thread. We agreed with Sumit to squash this patch into the previous ones, so if you take a look at 17bfd9f69251781140e4b2b55ffeb649d7a79e86 it already uses memberof search. _______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
