From 2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Sat, 10 Jun 2023 16:28:23 +0200 Subject: [PATCH] SYSDB: in case (ignore_group_members == true) group is actually complete MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Example workflow: - SSSD client is enrolled into AD domain (Token-Groups are enabled) - `id $user` is executed - initgroups() is called for this user - during processing of initgroups() sssd_be obtains a list of group SIDs user is a member of, and then partially resolves those groups and adds it to the local cache as "incomplete" (i.e. 'expired') - as a next step `id` calls getgrnam() for every group in initgroups() list - since groups are saved into the cache as "incomplete" (technically - "expired") this again results in LDAP search of this group. But if `ignore_group_members = true` this search doesn't provide new information. "Incomplete" groups could be used instead. Reviewed-by: Pavel Březina Reviewed-by: Sumit Bose Reference: https://github.com/SSSD/sssd/commit/2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b Conflict: NA --- src/db/sysdb_ops.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index d11d8d956..7a3c00213 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c @@ -2307,8 +2307,10 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain, ret = sysdb_attrs_add_time_t(attrs, SYSDB_LAST_UPDATE, now); if (ret) goto done; + /* in case (ignore_group_members == true) group is actually complete */ ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE, - now-1); + domain->ignore_group_members ? + (now + domain->group_timeout) : (now-1)); if (ret) goto done; ret = sysdb_attrs_add_bool(attrs, SYSDB_POSIX, posix); -- 2.27.0
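Review bot: the new ternary on the SYSDB_CACHE_EXPIRE line means that, whenever domain->ignore_group_members is set, an entry written by sysdb_add_incomplete_group() is treated as fully valid for domain->group_timeout seconds even though the function still stores only the subset of attributes its caller passes in, so anything a full group lookup would normally fill in stays missing for that whole period instead of being corrected on the next getgrnam(); the comment "in case (ignore_group_members == true) group is actually complete" should spell out that only the name/GID-level data is being considered complete here, and it is worth confirming that a group_timeout of 0 cannot produce an entry that is neither expired-on-write (the old `now-1` behaviour) nor meaningfully cached. Minor style point: `(now-1)` next to `(now + domain->group_timeout)` would read better as `(now - 1)`.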