URL: https://github.com/SSSD/sssd/pull/234
Title: #234: HBAC: Use memberof ASQ search instead of originalMemberOf
jhrozek commented:
"""
On Fri, May 12, 2017 at 04:40:57AM -0700, sumit-bose wrote:
> sumit-bose commented on this pull request.
>
>
>
> > if (ret != EOK) {
> DEBUG(SSSDBG_CRIT_FAILURE,
> "Could not determine user memberships for [%s]\n",
> users->name);
> goto done;
> }
>
> - el = ldb_msg_find_element(msg, SYSDB_ORIG_MEMBEROF);
> - if (el == NULL || el->num_values == 0) {
> + /*
> + * Get the name attribute of all groups pointed to by the memberof
> + * attribute. This includes both POSIX and non-POSIX groups.
> + */
> + ret = sysdb_asq_search(tmp_ctx, domain, msg->dn,
>
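Review bot: the removed `el == NULL || el->num_values == 0` test was the explicit path for a user with no memberships, and the visible lines do not show what replaces it after the `sysdb_asq_search()` call. Please confirm that an empty ASQ result is handled as "no groups" and does not fall into the same failure path as the "Could not determine user memberships" branch above, because an access-control evaluation should not treat a lookup error and an empty group list the same way. The new comment would also help more if it said why the memberof dereference is preferred over `SYSDB_ORIG_MEMBEROF`, not only what it fetches.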
> I wonder if instead of calling sysdb_search_user_by_name() and
> sysdb_asq_search() it might be better to just call sysdb_initgroups(). This
> will return more attributes than we need here but would have the advantage that
> the very same call is used by the client side initgroups calls, so we should
> always get the same results as an 'id' call from the shell as long as there
> are no changes in the cache.
Done (locally so far)
"""
See the full comment at
https://github.com/SSSD/sssd/pull/234#issuecomment-301745828