On Wed, Sep 11, 2013 at 02:40:14PM +0200, Pavel Březina wrote:
https://fedorahosted.org/sssd/ticket/2064
This patch set depends on: [PATCH] ad: store group in correct tree on initgroups via tokenGroups
You can also pull it with all dependencies from my repository: fedorapeople.org:public_git/sssd.git #ad-groups
The fundamental changes in this patch set are:
- lookup groups in global catalog
- pick up member domain from its originalDN
From 0273d17f24eac7b60dfc0515a9e3b97ad16d1199 Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Mon, 9 Sep 2013 15:52:03 +0200
Subject: [PATCH 1/9] ad: shortcut if possible during get object by ID or SID
When getByID or getBySID comes from the responder, the request doesn't necessarily contain the correct domain, since the responder iterates over all domains until it finds a match.
Every domain has its own ID range, so we can simply shortcut if the domain does not match and avoid an LDAP round trip. The responder will continue with the next domain until it finds the correct one.
This patch seems OK to me, but I'd like a second look from someone who understands the ranges better (which is probably Sumit)
From f74d4637980438032649dfbf079fa6c839862586 Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Tue, 10 Sep 2013 10:40:06 +0200
Subject: [PATCH 2/9] ad: simplify get_conn_list()
It was originally designed to return a list of connection objects, but it really always works with only one connection.
I'd like to review this patch and the following ones along with my patches to look up POSIX IDs in the GC; they touch the same code.
From ad5dc9e7557ef605fc5d7fc759e5cb6c2f9a148c Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Tue, 10 Sep 2013 14:45:50 +0200
Subject: [PATCH 4/9] sdap_domain_add(): fix possible memory leak
ACK.
From 9f2c212e01700289d70002c8c39b732ca6c11cee Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Tue, 10 Sep 2013 14:45:52 +0200
Subject: [PATCH 5/9] sdap: store base dn in sdap_domain
Groups may contain members from different domains. Remembering the base DN in the domain object gives us the ability to simply look up the correct domain by comparing the object DN with the domain base DN.
I haven't tested these patches yet.
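To make the two shortcuts discussed in this thread concrete, the per-domain ID range check from patch 1 and the base-DN matching of a member's originalDN from patch 5, here is an added C example. It is not SSSD code and not part of the patch set: the domain table, ID ranges, base DNs and the function names dom_by_id, dom_should_skip and dom_by_dn are all constructed for illustration. It also shows the caveat a plain suffix match misses: a child domain's base DN ends with the parent's base DN, so the lookup must prefer the longest matching base DN and only match at an RDN boundary.

```c
/* Added example, not SSSD code. Domains, ranges and DNs are constructed. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>
#include <ctype.h>

struct dom {
    const char *name;
    uint32_t id_min;      /* inclusive lower bound of this domain's ID range */
    uint32_t id_max;      /* inclusive upper bound */
    const char *basedn;   /* base DN remembered per domain */
};

/* Constructed sample: a parent AD domain and a child domain in the same forest,
 * each with its own disjoint POSIX ID range. */
static const struct dom doms[] = {
    { "ad.example.com",       200000, 399999, "DC=ad,DC=example,DC=com" },
    { "child.ad.example.com", 400000, 599999, "DC=child,DC=ad,DC=example,DC=com" },
};
#define NDOMS (sizeof(doms) / sizeof(doms[0]))

/* Can the back end for domain d skip id without an LDAP round trip?
 * Since every domain owns a distinct range, an id outside it can never
 * be found in this domain, so "not found" is the correct answer. */
int dom_should_skip(const struct dom *d, uint32_t id)
{
    return id < d->id_min || id > d->id_max;
}

/* What the responder's loop over domains ends up with: the single domain
 * whose range contains id, or NULL if no configured range covers it. */
const struct dom *dom_by_id(uint32_t id)
{
    for (size_t i = 0; i < NDOMS; i++)
        if (!dom_should_skip(&doms[i], id))
            return &doms[i];
    return NULL;
}

/* Case-insensitive suffix test that only matches at an RDN boundary,
 * i.e. the suffix is the whole DN or is preceded by a comma. Without the
 * boundary check "DC=notad,DC=example,DC=com" would match "DC=ad,...". */
static int dn_has_suffix(const char *dn, const char *suffix)
{
    size_t ld = strlen(dn), ls = strlen(suffix);
    if (ls > ld)
        return 0;
    const char *tail = dn + (ld - ls);
    if (ld != ls && tail[-1] != ',')
        return 0;
    for (size_t i = 0; i < ls; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)suffix[i]))
            return 0;
    return 1;
}

/* Pick a member's domain from its originalDN. The longest matching base DN
 * wins: an object under DC=child,DC=ad,... also ends with DC=ad,..., so a
 * first-match loop could wrongly attribute child-domain members to the parent. */
const struct dom *dom_by_dn(const char *dn)
{
    const struct dom *best = NULL;
    size_t best_len = 0;
    for (size_t i = 0; i < NDOMS; i++) {
        size_t len = strlen(doms[i].basedn);
        if (dn_has_suffix(dn, doms[i].basedn) && len > best_len) {
            best = &doms[i];
            best_len = len;
        }
    }
    return best;
}

int main(void)
{
    const struct dom *d;

    /* ID 450000 lies in the child's range; the parent back end skips it. */
    d = dom_by_id(450000);
    printf("ID 450000 -> %s\n", d ? d->name : "(none)");
    printf("ad.example.com skips 450000: %d\n", dom_should_skip(&doms[0], 450000));

    /* A group member whose originalDN sits under the child domain. */
    d = dom_by_dn("CN=alice,CN=Users,DC=child,DC=ad,DC=example,DC=com");
    printf("member domain -> %s\n", d ? d->name : "(none)");
    return 0;
}
```

Both lookups are pure table walks over per-domain data already held in memory, which is the point of the two patches: the expensive LDAP search happens only for the one domain that can actually hold the object.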