URL: https://github.com/SSSD/sssd/pull/234
Author: jhrozek
Title: #234: HBAC: Use memberof ASQ search instead of originalMemberOf
Action: edited
Changed field: body
Original value:
"""
This PR should fix the bug we were seeing in the HBAC evaluation of users from a trusted AD domain where the originalMemberOf didn't match the memberOf attributes. Because maintaining the originalMemberOf attributes is fragile, let's instead dereference the memberOf attribute and look at the names of the groups this way.

There is one unresolved issue in the patch - how to filter the groups from a single domain. The most error-prone method would be to just do a search by name with a domain set, but that would mean N searches for N groups. Alternatively, if other developers don't think that is too much of a hack, we could just construct a base DN of the IPA domain sysdb group container and pop the RDN from the DN of the object examined and compare the two. That would be reasonably fast.
"""
_______________________________________________ sssd-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
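The second option in the PR description, popping the RDN of each dereferenced group and comparing the remainder with the domain's sysdb group container, as an added C example that is not SSSD's code. The container layout `cn=groups,cn=<domain>,cn=sysdb`, the canonical DN formatting and all function names are assumptions; the sample DNs are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <strings.h>

/* Hypothetical helper (not SSSD code): return the text after the first RDN of
 * dn, honouring backslash-escaped commas inside values; NULL if there is none. */
static const char *dn_parent(const char *dn)
{
    for (const char *p = dn; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') p++;   /* skip escaped char, e.g. "\," */
        else if (*p == ',') return p + 1;
    }
    return NULL;
}

/* The check proposed in the PR: pop the RDN of the examined object and compare
 * the remainder with the domain's sysdb group container, assumed (not stated on
 * the page) to be cn=groups,cn=<domain>,cn=sysdb in canonical form with no spaces
 * after commas. DNs compare case-insensitively; unlike a plain suffix match,
 * this rejects objects nested below the container. */
static bool group_in_domain(const char *group_dn, const char *domain)
{
    char base[256];
    const char *parent = dn_parent(group_dn);
    if (parent == NULL) return false;
    snprintf(base, sizeof(base), "cn=groups,cn=%s,cn=sysdb", domain);
    return strcasecmp(parent, base) == 0;
}

/* One pass over the dereferenced memberOf DNs instead of N by-name searches. */
static size_t filter_groups(const char **dns, size_t n, const char *domain,
                            const char **out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (group_in_domain(dns[i], domain)) out[kept++] = dns[i];
    return kept;
}
int main(void)
{
    /* Constructed sample: one user's memberOf values spanning two domains. */
    const char *dns[] = {
        "name=admins,cn=groups,cn=ipa.test,cn=sysdb",
        "name=Domain Users,cn=groups,cn=AD.TEST,cn=sysdb",
        "name=editors,cn=groups,cn=ipa.test,cn=sysdb",
    };
    const char *out[3];
    size_t kept = filter_groups(dns, 3, "ipa.test", out);
    for (size_t i = 0; i < kept; i++) printf("%s\n", out[i]);
}
```

Only the two ipa.test groups survive the filter; the AD group is dropped without any extra sysdb lookup.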
