URL:
https://github.com/SSSD/sssd/pull/136
Title: #136: Tlog integration WIP
spbnick commented:
"""
I've pushed a draft rewrite using cache_req and data provider. The
functionality is very basic and is mostly a proof-of-concept with no intent to
be efficient.

For each entry returned for a request for user information in cache_req, it
fires off an initgr request. On the data provider side, that initgr request is
post-processed to include a "sessionRecording" attribute, if selective session
recording is enabled. That attribute specifies if the user name, or names of
the groups it's a member of, match any of the user or group names in the session
recording configuration. Back in cache_req, that attribute is copied over the
returned entry.

Once the entries get to NSS, if unconditional session recording is enabled
(scope = all), or if selective session recording is enabled (scope = some) and
the entry has the sessionRecording attribute set to true, the user shell is
replaced with the session recording shell.

Things still to do:
* retrieve and use override_space instead of hardcoding
* make sure initgr is fired only if there are groups to match against and
  SYSDB_INITGR_EXPIRE has expired
* things I missed (please tell!)

Regarding the second item, isn't cache_req already ensuring that initgr
request is only sent when SYSDB_INITGR_EXPIRE is sent, so we don't have to do
anything about that?

I'd be glad to hear @pbrezina's and @sumit-bose's opinions on this so far. Thanks!
"""
See the full comment at
https://github.com/SSSD/sssd/pull/136#issuecomment-288411475
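
The two decision points described in the comment above (computing the "sessionRecording" attribute on the data provider side, then choosing the shell in NSS), as an added example that is not code from the PR or from SSSD. All type and function names are hypothetical, and exact string matching and the "none" scope value are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical names throughout; this models the flow, not SSSD's API. */
enum rec_scope { REC_SCOPE_NONE, REC_SCOPE_SOME, REC_SCOPE_ALL };

struct rec_conf {
    enum rec_scope scope;
    const char *const *users;   /* NULL-terminated list, may be NULL */
    const char *const *groups;  /* NULL-terminated list, may be NULL */
    const char *shell;          /* session recording shell */
};

/* Exact, case-sensitive comparison is an assumption of this example. */
static bool name_in_list(const char *name, const char *const *list)
{
    if (name == NULL || list == NULL) return false;
    for (; *list != NULL; list++) {
        if (strcmp(name, *list) == 0) return true;
    }
    return false;
}

/* Data provider side: value of the "sessionRecording" attribute, computed
 * from the user name and the group names returned by the initgr request. */
bool session_recording_attr(const struct rec_conf *conf, const char *user,
                            const char *const *user_groups)
{
    if (conf->scope != REC_SCOPE_SOME) return false; /* only set when selective */
    if (name_in_list(user, conf->users)) return true;
    if (user_groups != NULL) {
        for (; *user_groups != NULL; user_groups++) {
            if (name_in_list(*user_groups, conf->groups)) return true;
        }
    }
    return false;
}

/* NSS side: shell to return for an entry carrying that attribute. */
const char *effective_shell(const struct rec_conf *conf, const char *shell,
                            bool session_recording)
{
    if (conf->scope == REC_SCOPE_ALL) return conf->shell;
    if (conf->scope == REC_SCOPE_SOME && session_recording) return conf->shell;
    return shell;
}
```

A user with no groups and no name match keeps the original shell under scope = some, which is why the group lookup has to complete before the entry reaches NSS.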