On Sun, Jan 08, 2017 at 09:58:22PM +0100, Fabiano Fidêncio wrote:
> I've been working on rhbz#1401241
> (https://bugzilla.redhat.com/show_bug.cgi?id=1401241) and I'd like to
> clarify some doubts that showed up.
>
> So, let's consider that there's a group called "foo" and user "user"
> is part of this group. Group "foo" gets renamed to "bar". Now, let me
> describe what I've found out considering "id_provider = ldap" and
> "id_provider = ad"
>
> - id_provider = ldap:
>     cache has "foo" entry
>     After renaming "foo" to "bar"
>     cache has entry "bar" added
>     both entries have the same gid
>
> - id_provider = ad
>     cache has "foo" entry
>     After renaming "foo" to "bar"
>     nothing is changed in the cache
>
> Any of these situations look exactly right for me (and here I'm
> probably wrong). My expectations are that we should, for both cases:
> - check for the gid in the cache
> - update the entry

Unfortunately renaming users and groups is not so easy because of the
member and memberof links. The memberof link points from the user to the
group and contains the name of the entry it points to, and therefore needs
to be changed one way or another during the group rename. If the group was
renamed using ldb_rename(), then the link change should be done by the
memberof ldb plugin, but it's not implemented there. Since the memberof
plugin only implements add, del and modify operations, we solve this by
removing the group and re-adding it with a different name in
sysdb_store_new_group().

>
> So in the ldap case we would avoid having two entries with the same
> gid and in the ad case we would be able to properly the updated name
> of the group that the user is part of. Does it make sense?

I wonder why we have two entries with a duplicate gid in the first place.
When saving the duplicate "bar", don't we hit sysdb_store_new_group() ->
sysdb_delete_group()?

>
> Summing up the questions:
> - When a group has its name changed, shall we update the entry that
> contains its name (and then all memberOf that contains the old name?)?

no, see above

> - In case not, following what "id_provider = ad" does would be a good
> fix for the issue?

after foo is renamed to bar, I would expect foo to go away and bar to be
cached. It is expected there would be a slight performance hit, because
adding a group is not a trivial operation, but group renaming is
sufficiently rare for us to not care too much.

>
> Looking forward to hearing your opinion!
>
> Best Regards,
> --
> Fabiano Fidêncio
> _______________________________________________
> sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
> To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
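
The three outcomes discussed in this thread (a rename that leaves memberof links pointing at the old name, two cached entries sharing one gid, and delete followed by re-add), as a simplified model. This is an added example, not SSSD code and not part of either message; the Cache class, its method names and the gid lookup in store_group() are assumptions made for illustration.

```python
# Simplified model of a cache with member/memberof links.
# Constructed for illustration: class and method names are hypothetical, not SSSD's.
class Cache:
    def __init__(self):
        self.groups = {}    # group name -> {"gid": int, "member": set of users}
        self.memberof = {}  # user -> set of group names (back-links)

    def add_group(self, name, gid, members):
        # "add" keeps the back-links in step, as a memberof-style plugin would.
        self.groups[name] = {"gid": gid, "member": set(members)}
        for user in members:
            self.memberof.setdefault(user, set()).add(name)

    def del_group(self, name):
        # "del" removes the back-links that pointed at this entry.
        for user in self.groups.pop(name)["member"]:
            self.memberof[user].discard(name)

    def naive_rename(self, old, new):
        # Rename of the entry alone: nothing rewrites the back-links.
        self.groups[new] = self.groups.pop(old)

    def store_group(self, name, gid, members):
        # Assumption: look the gid up first, delete any entry that holds it
        # (or already uses this name), then re-add under the current name.
        stale = {n for n, g in self.groups.items() if g["gid"] == gid or n == name}
        for old in stale:
            self.del_group(old)
        self.add_group(name, gid, members)

    def duplicate_gids(self):
        by_gid = {}
        for name, g in self.groups.items():
            by_gid.setdefault(g["gid"], []).append(name)
        return {gid: sorted(ns) for gid, ns in by_gid.items() if len(ns) > 1}

    def dangling_links(self):
        return sorted((u, g) for u, gs in self.memberof.items()
                      for g in gs if g not in self.groups)


def scenario(action):
    """Start from group "foo" (gid 1000, member "user") and apply one action."""
    cache = Cache()
    cache.add_group("foo", 1000, ["user"])
    action(cache)
    return cache
```

Running scenario() with naive_rename leaves the link ("user", "foo") dangling, with a plain add_group of "bar" reports gid 1000 under both names, and with store_group leaves only "bar" with the user's memberof set updated.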