I'm attaching an initial draft of the implementation of
ignore_group_members per ticket #1376. I still need to update the
documentation (and some Python code in SSSDConfig, it looks like), but
functionality-wise this prevents LDAP from requesting the member
attribute and sssd from returning any cached members that might be left
in the local db. As this is my first attempt at working with sssd, I
wanted to get early feedback in case I'm doing something silly ;).
Also, regarding the comment on the ticket:
"The trickiest piece of this functionality would be ensuring that we
don't delete existing member/memberOf linkages from the cache during
group lookups that were put there by previous initgroups() requests.
Thus, when this option is in play, member/memberOf should only be
managed by initgroups() calls."
My understanding of this is that an initgroups call will set up some
state in the cache regarding members of groups, and a getgrnam or
getgrgid call that skips retrieving the member attribute will wipe these
out of the cache. However, it's also my understanding that *every*
initgroups call hits ldap directly to make sure stale data isn't used
for authorization purposes. If so, why do we care that the data in the
cache, which isn't going to be used, gets wiped out? When
ignore_group_members is enabled, the only thing that cares about group
members is initgroups, correct?
Thanks...
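For anyone wanting to try the behaviour described above, here is an added sssd.conf fragment that enables the option in a domain section. It is an illustration, not part of the attached patch or of the original message: the option name ignore_group_members is taken from the ticket, while the domain name, server URI and search base are placeholder values.

```ini
; sssd.conf fragment (illustrative; domain name, URI and base are placeholders)
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

; Do not request the group "member" attribute from LDAP and do not
; return members that may still be cached in the local db.
; Group lookups (getgrnam/getgrgid) then come back with an empty
; member list; only initgroups still resolves a user's groups.
ignore_group_members = True
```

A quick way to check the effect after restarting sssd (and clearing the cache with `sss_cache -E`, so no stale members survive from before the change): `getent group somegroup` should show no members, whereas `id someuser` should still list the groups that user belongs to, since that path goes through initgroups rather than a group lookup.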