URL: https://github.com/SSSD/sssd/pull/234
Title: #234: HBAC: Use memberof ASQ search instead of originalMemberOf
jhrozek commented:
"""
On Fri, May 12, 2017 at 04:51:52AM -0700, sumit-bose wrote:
> sumit-bose commented on this pull request.
>
>
>
> > continue;
> - } else if (ret == EOK) {
> - DEBUG(SSSDBG_TRACE_LIBS, "Added group [%s] for user [%s]\n",
> - users->groups[num_groups], users->name);
> - num_groups++;
> + }
> +
> + /* ..the rest should be a DN in the form of:
> + * cn=groups,cn=ipa_domain_name,cn=sysdb
> + * If not, just skip this DN. Skipping is safe here, because the
> rules
> + * only allow access, never deny, so at worst the user would be
> denied
> + * legitimate access
> + */
> + if (ldb_dn_compare(ipa_groups_basedn, member_group_container) != 0) {
> + DEBUG(SSSDBG_FUNC_DATA, "Skipping non-IPA group %s\n",
> fqgroupname);
>
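Review bot: The skip branch at the `ldb_dn_compare(ipa_groups_basedn, member_group_container) != 0` check logs only `fqgroupname` at `SSSDBG_FUNC_DATA`, yet the comment just above it accepts that a skip can cost a user legitimate access, so someone debugging a denial needs to see which container DN failed the comparison. Suggest adding the DN of `member_group_container` to the message and considering `SSSDBG_MINOR_FAILURE`, so the skip is visible at lower debug levels. Separately, the `num_groups++` removed with the `else if (ret == EOK)` branch is not re-added in the visible lines; please confirm it still runs for groups that pass this check.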
> Maybe it would be better to print the DN here as well because it might make
> it more visible why the group was skipped. Additionally see comment about
> fqgroupname below.
Done (locally so far)
"""
See the full comment at
https://github.com/SSSD/sssd/pull/234#issuecomment-301746169