sssd/backport-SYSDB-in-case-ignore_group_members-true-group-is-act.patch
fly_fzc bcf7f22f07 backport upstream patches
(cherry picked from commit dfd154fc1eab69ccf7205c936abb022bbd1fb80a)
2023-09-22 17:05:18 +08:00


From 2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Sat, 10 Jun 2023 16:28:23 +0200
Subject: [PATCH] SYSDB: in case (ignore_group_members == true) group is
actually complete
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Example workflow:
- SSSD client is enrolled into AD domain (Token-Groups are enabled)
- `id $user` is executed
- initgroups() is called for this user
- during processing of initgroups() sssd_be obtains a list of group SIDs
the user is a member of, and then partially resolves those groups and adds
them to the local cache as "incomplete" (i.e. 'expired')
- as a next step `id` calls getgrnam() for every group in initgroups() list
- since groups are saved into the cache as "incomplete" (technically - "expired")
this again results in an LDAP search of this group.

But if `ignore_group_members = true` this search doesn't provide
new information. "Incomplete" groups could be used instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b
Conflict: NA
---
src/db/sysdb_ops.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index d11d8d956..7a3c00213 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2307,8 +2307,10 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain,
ret = sysdb_attrs_add_time_t(attrs, SYSDB_LAST_UPDATE, now);
if (ret) goto done;
+ /* in case (ignore_group_members == true) group is actually complete */
ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE,
- now-1);
+ domain->ignore_group_members ?
+ (now + domain->group_timeout) : (now-1));
if (ret) goto done;
ret = sysdb_attrs_add_bool(attrs, SYSDB_POSIX, posix);
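Review bot: the one-line comment added in this hunk states what is done but not why; because `sysdb_add_incomplete_group` keeps its name and still stores no members, a reader will wonder why an "incomplete" entry now gets a full `domain->group_timeout` lifetime. Suggest carrying the reasoning from the commit message into the comment, e.g. `/* With ignore_group_members the member list is never fetched, so this entry already holds everything it will ever hold; give it the normal group_timeout expiry instead of forcing an immediate refresh with now-1 */`. For readability, hoisting the ternary into a local `time_t expire` before the `sysdb_attrs_add_time_t()` call would avoid the two-line conditional in the argument list. It is also worth stating in the comment that only SYSDB_CACHE_EXPIRE changes here: SYSDB_LAST_UPDATE is still set to `now` on the line above, so the entry is served as a freshly refreshed group for `group_timeout` seconds, the same staleness window any other cached group already has.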
--
2.27.0