On Wed 14 Nov 2012 01:24:15 AM EST, Paul B. Henson wrote:

On Nov 13, 2012, at 9:06 PM, Simo Sorce <s...@redhat.com> wrote:

Well my concern is allowing people to get the perf. benefit you need, as
you may not be the only one who needs it, w/o causing issues for those
apps that will use getgrnam() or getgrgid() to check stuff.

If you have a reliance on an app using getgr lookups, you probably shouldn't enable an
option called "ignore_group_members" ;). The trade-off you're making for that
increased performance is that you're not going to get group members via that interface.

I just don't see a mechanism that returns a subset of members depending on who's happened 
to log in recently as desirable. From a sysadmin perspective, I'd rather it reproducibly 
returns no members than return a potentially different subset on each call. "Hmm, 
the app seems to work right after bob logs in but then stops working a few hours 
later"...


For what it's worth, I agree with Paul here. If someone is setting 'ignore_group_members', they're already explicitly stating that they don't want to see group members come back from 'getgrnam()'. We should be guaranteed consistency here.