URL: https://github.com/SSSD/sssd/pull/5784 Title: #5784: proxy: allow removing group members
alexey-tikhonov commented: """ Hi @ikerexxe,
I've left a few comments inline. In general the patch should work.
But the first question to answer:
You search for groups the user is currently a member of (`SYSDB_MEMBEROF`) => get a list of DNs => convert every DN to an RDN (group name) => and then for every RDN you iterate over the initgroups GID list to get the group name of every GID => convert it to FQDN and then do a string comparison (RDN with FQDN), right?
This feels extremely inefficient: you repeat **the same set** of lookups and conversions over initgroups GIDs for every RDN (and it will also be repeated later in `get_initgr_groups_process()`::`NSS_STATUS_SUCCESS`)...
Wouldn't it make sense to instead look up the GID of the SYSDB_MEMBEROF DN and compare GIDs (numerical values)? (If this is not feasible, then at the very least you should compose a list of RDNs first and then do the initgroups GIDs iteration once.)
@sumit-bose, can it happen (is it supported) that two groups in different domains have the same GID? """
See the full comment at https://github.com/SSSD/sssd/pull/5784#issuecomment-933460178
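The numerical GID comparison suggested in the comment above, as an added example that is not code from the pull request or from SSSD: the initgroups GIDs are sorted once and each cached membership is checked with a binary search, so no per-group name lookup or string comparison is repeated. The helper name `find_stale_gids`, the idea that the cached GIDs were already resolved from the `SYSDB_MEMBEROF` DNs, and the sample values are assumptions; it also assumes a GID identifies a single group within the domain being refreshed, which is the question the comment leaves open.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Comparator for qsort()/bsearch() over gid_t values. */
static int gid_cmp(const void *a, const void *b)
{
    gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;
    return (x > y) - (x < y);
}

/* Hypothetical helper (not an SSSD function). `cached` holds the GIDs of the
 * groups the cache lists for the user, `current` the GIDs initgroups just
 * returned. Cached GIDs missing from `current` are written to `stale`
 * (room for num_cached entries). Returns their count, or -1 if allocation
 * fails. Assumes a GID identifies one group within the domain refreshed. */
ssize_t find_stale_gids(const gid_t *cached, size_t num_cached,
                        const gid_t *current, size_t num_current,
                        gid_t *stale)
{
    gid_t *sorted = NULL;
    size_t n = 0;

    if (num_current > 0) {
        /* Sort a copy once so every cached GID costs one binary search. */
        sorted = malloc(num_current * sizeof(gid_t));
        if (sorted == NULL) return -1;
        memcpy(sorted, current, num_current * sizeof(gid_t));
        qsort(sorted, num_current, sizeof(gid_t), gid_cmp);
    }
    for (size_t i = 0; i < num_cached; i++) {
        if (sorted == NULL || bsearch(&cached[i], sorted, num_current,
                                      sizeof(gid_t), gid_cmp) == NULL) {
            stale[n++] = cached[i];   /* membership to drop from the cache */
        }
    }
    free(sorted);
    return (ssize_t)n;
}

int main(void)
{
    /* Constructed sample: cached memberships vs. a fresh initgroups result. */
    gid_t cached[] = {1000, 2001, 2002, 2003}, current[] = {2003, 1000, 3000}, stale[4];
    ssize_t n = find_stale_gids(cached, 4, current, 3, stale);
    for (ssize_t i = 0; i < n; i++) printf("remove membership in GID %lu\n", (unsigned long)stale[i]);
    return n < 0;
}
```

An empty initgroups result marks every cached membership as stale, so a caller should only run this after the backend lookup itself succeeded.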