On Wed, Sep 07, 2016 at 02:57:15PM +0300, Nikolai Kondrashov wrote:
> On 08/29/2016 11:47 PM, Sumit Bose wrote:
> > Finally you call sysdb_initgroups_with_views() to get the list of groups
> > the user is a member of and compare them with the groups from the
> > session_recording configuration. Since you compare the DNs I think this
> > can be improved a bit. sysdb_initgroups_with_views() does a dereference
> > search based on the memberOf attribute of the user which holds the DNs
> > of all the groups the user is a member of. But since you only need
> > the DNs of the groups for the comparison you can just add the memberOf
> > attribute to the attribute list in nss_cmd_getpwnam_search() and friends
> > to make the DNs of the groups available in
> > session_recording_is_enabled().
>
> And one more question: the above basically means that we need to make
> sysdb_getpwnam retrieve "memberOf" as well. Do we want to do that?
>
> If yes, do we want to do that unconditionally, or change the interface to have
> that optional (ugh)?

It might be better to not do it unconditionally because it might cause
some unwanted processing and memory allocations. A new
sysdb_getpwnam_ex() call with a new parameter for the needed attributes
might work. But as with your other questions, all this might not be
needed if a session recording attribute as suggested by Simo can be
used. Then only this attribute must be added to the default list of
sysdb_getpwnam().

bye,
Sumit

>
> Do we want to change sysdb_enumpwent_filter (used in setpwent) to do that as
> well?
>
> We went through some of this in a chat a while ago, but I just want to be
> sure.
>
> Thanks!
>
> Nick
> _______________________________________________
> sssd-devel mailing list
> [email protected]
> https://lists.fedorahosted.org/admin/lists/[email protected]
