I'm attaching an initial draft of the implementation of ignore_group_members per ticket #1376. I still need to update the documentation (and some Python code in SSSDConfig, it looks like), but functionality-wise this prevents LDAP from requesting the member attribute and sssd from returning any cached members that might be left in the local db. As this is my first attempt at working with sssd, I wanted to get early feedback in case I'm doing something silly ;).
Also, regarding the comment on the ticket:
"The trickiest piece of this functionality would be ensuring that we don't delete existing member/memberOf linkages from the cache during group lookups that were put there by previous initgroups() requests. Thus, when this option is in play, member/memberOf should only be managed by initgroups() calls."
My understanding of this is that an initgroups call will set up some state in the cache regarding members of groups, and a getgrnam or getgrgid call that skips retrieving the member attribute will wipe these out of the cache. However, it's also my understanding that *every* initgroups call hits ldap directly to make sure stale data isn't used for authorization purposes. If so, why do we care that the data in the cache, which isn't going to be used, gets wiped out? When ignore_group_members is enabled, the only thing that cares about group members is initgroups, correct?
Thanks...