On Wed, May 30, 2012 at 10:18:00AM +0200, Jan Zelený wrote:
> On Tue, May 29, 2012 at 10:56:51AM +0200, Jan Zelený wrote:
> > > On Mon, May 28, 2012 at 05:11:07PM +0200, Jan Zelený wrote:
> > > > The first patch (#131) adds the functionality and updates all parts
> > > > of code which use it.
> > > >
> > > > The second patch (#132) utilizes the exclusion when retrieving data
> > > > for initgroups.
> > >
> > > This breaks nested group processing in the IPA provider. We use the
> > > member attribute there to construct correct memberships between groups.
> >
> > I'm pretty sure I tested IPA provider and everything was ok. Are you sure
> > this applies to initgroups operation?
> >
> > Thanks
> > Jan
>
> Yes, see sdap_initgr_store_user_memberships and
> sdap_initgr_nested_get_direct_parents
You were indeed right. I didn't catch it during testing because deref code was
not triggered in my test case. I removed the part for nested initgroups code
subtree. I re-tested the patch and the rest of it is ok and should not cause
any issues. Sending in attachment.
Thanks
Jan
OK, ack