[PATCH] LDAP/AD: do not resolve group members during tokenGroups request
by Sumit Bose
Hi,
with this patch I hope to improve the initgroup-request performance
especially if the user is a member of many nested groups. Currently all
groups the user is a member of which are not in the cache are resolved
completely with all members and nested groups. With this patch only the
group object is looked up to determine the type of the group, POSIX GID
(if any), SID, ... Resolving all members is deferred until a request to
resolve this specific group is received. This should speed up plain
getgrouplist() calls e.g. used by 'id -G'. Please note that this will
not improve the overall speed of a 'id' call without any options because
in this case after calling getgrouplist() 'id' will call getgrgid() for
every GID returned by getgrouplist(). So in this case all groups are
resolved completely as well. But the overall time is now better spread
over many requests and chances for timeout should be much lower.
bye,
Sumit
9 years, 1 month
[PATCH] Add missing new lines to debug messages
by Lukas Slebodnik
ehlo,
Attached patch should simplify analysis of log files.
It should be applied to 1-12 branch. I will generate another version for master
after merging all pending big patchsets.
LS
9 years, 1 month
[PATCH] ipa: do not treat missing sub-domain users as error
by Sumit Bose
Hi,
with this patch missing users and groups from trusted domains are not
handled as errors anymore but just as unresolvable objects. Please note
that older versions of the IPA extdom plugin did not return
LDAP_NO_SUCH_OBJECT in all cases so this detection only works reliably
with IPA trees which already contain a patch called 'extdom: return
LDAP_NO_SUCH_OBJECT to the client'.
The second patch is just a precaution. Currently we unconditionally
dereference retdata if the server returns LDAP_SUCCESS. If for some
reason the server does not send data in this case SSSD segfaults. This
patch should prevent this. Currently there is no way to test this other
than modifying the server code.
bye,
Sumit
9 years, 1 month
[PATCHES] SSSDConfig: Port missing parts to python3
by Lukas Slebodnik
ehlo,
some parts of sssd were not properly ported to python3.
I know there were changes related to unicode, string and bytes.
I am not sure whether my patches for read and open are correct,
especially patch "SSSDConfig: os.write".
SSSDConfig (python-sssdconfig) is used by authconfig and ipa-client-install?
So I don't want to break it.
Please review the patches or propose a better version.
LS
9 years, 1 month
[PATCH] PAM: use the logon_name as the key for the PAM initgr cache
by Sumit Bose
Hi,
while looking for reasons causing long login times I found that the PAM
initgr cache does not work for subdomain users. This patch should fix
it.
The second patch just contains some extra debugging statements I found
useful while working on the patch. If you think it is too excessive
logging feel free to drop it. Nevertheless I think they might be useful
for users to check if the default pam_id_timeout of 5s is sufficient for
their environment or not.
bye,
Sumit
9 years, 1 month