URL:
https://github.com/SSSD/sssd/pull/5784
Title: #5784: proxy: allow removing group members
alexey-tikhonov commented:
"""
Hi @ikerexxe ,
I've left a few comments inline. In general the patch should work.
But the first question to answer:
You search for groups the user is currently a member of (`SYSDB_MEMBEROF`) => get a list of DNs
=> convert every DN to RDN (group name) => and then for every RDN you iterate over
initgroups GID list to get a group name of every GID => convert it to FQDN and then do
a string comparison (RDN with FQDN), right?
This feels extremely inefficient: you repeat **the same set** of lookups and conversions
over initgroups GIDs for every RDN (and it will also be repeated later in
`get_initgr_groups_process()`::`NSS_STATUS_SUCCESS`)...
Wouldn't it make sense to instead look up the GID of the SYSDB_MEMBEROF DN and compare GIDs
(numerical values)?
(If this is not feasible then at the very least you should compose a list of RDNs first
and then do initgroups GIDs iteration once)
@sumit-bose , can it happen (is it supported) that two groups in different domains have the
same GID?
"""
See the full comment at
https://github.com/SSSD/sssd/pull/5784#issuecomment-933460178
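
The numeric comparison suggested in the comment above, as an added example that is not code from the PR or from SSSD: the initgroups GID list is sorted once and each cached membership is checked with a binary search, so no per-group name lookup or string comparison is repeated. `find_stale_gids` and the sample GIDs are hypothetical, and the sketch assumes a GID identifies exactly one group in the set being compared, which is the question left open for @sumit-bose.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Comparator for gid_t; avoids subtraction because gid_t is unsigned. */
static int gid_cmp(const void *a, const void *b)
{
    gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;
    return (x > y) - (x < y);
}

/* Hypothetical helper (not an SSSD function): copies into `stale` every GID
 * in `cached` (cached memberships) that is missing from `initgr` (fresh
 * initgroups result). Returns the count, or -1 if allocation fails.
 * `stale` needs room for n_cached entries. */
static int find_stale_gids(const gid_t *cached, size_t n_cached,
                           const gid_t *initgr, size_t n_initgr, gid_t *stale)
{
    gid_t *sorted = NULL;
    int n_stale = 0;

    if (n_initgr > 0) {
        sorted = malloc(n_initgr * sizeof(gid_t));
        if (sorted == NULL) return -1;
        memcpy(sorted, initgr, n_initgr * sizeof(gid_t));
        qsort(sorted, n_initgr, sizeof(gid_t), gid_cmp); /* sort once */
    }
    for (size_t i = 0; i < n_cached; i++) {
        /* One numeric binary search per cached group, no name lookups. */
        if (sorted == NULL || bsearch(&cached[i], sorted, n_initgr,
                                      sizeof(gid_t), gid_cmp) == NULL)
            stale[n_stale++] = cached[i];
    }
    free(sorted);
    return n_stale;
}

int main(void)
{
    /* Constructed sample data, not taken from the PR. */
    gid_t cached[] = {1000, 2001, 2002, 2003};
    gid_t initgr[] = {2003, 1000, 3000};
    gid_t stale[4];
    int n = find_stale_gids(cached, 4, initgr, 3, stale);
    for (int i = 0; i < n; i++)
        printf("stale membership: GID %lu\n", (unsigned long)stale[i]);
    return n == 2 ? 0 : 1;
}
```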