There was an issue with ghost members in nested groups. Consider a scenario with two groups A and B, B being a member of A and having some ghost members. In such a case SSSD stored both groups, then added membership between them and then added ghost members to the group B.
The problem was that adding ghost members to group B didn't propagate these ghost members to group A. This functionality could have been solved by the memberof plugin, but the logic is far more complicated than the changes this patch introduces.
The change is simple: add ghost members at the same time as the group is created, even if groups are supposed to be stored in two passes. That way ghost members will be present at the time the A -> B membership is created and they will be propagated as expected.
I've tested this with plain RFC2307bis and IPA schema; more tests are welcome.
Thanks Jan
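To make the ordering problem in the patch description concrete, the following is an added Python model; it is not SSSD code and not part of the original thread. It models a cache whose add_member() hook propagates ghost members up the nesting chain at the moment a membership is created, which is what a memberOf-style plugin does, and then replays both orders of operations: ghosts attached after the A -> B link (the old behaviour) and ghosts attached at group creation (what the patch does). Group names A, B, C and the ghost names are constructed sample data.

```python
"""Model of ghost-member propagation through nested groups.

Constructed example (not SSSD code). The in-memory GroupCache below has a
membership hook that behaves like a memberOf plugin: when a parent -> child
link is created, the child's ghost members (including those of groups nested
below the child) are copied into the parent and all of the parent's ancestors.
Nothing else propagates, so ghosts attached to a group *after* its parent
link exists never reach the parent.
"""


class GroupCache:
    def __init__(self):
        # group name -> {"member": set of child groups, "ghost": set of ghost users}
        self.groups = {}

    def add_group(self, name, ghosts=()):
        """Store a group; ghosts given here are present from creation on."""
        self.groups[name] = {"member": set(), "ghost": set(ghosts)}

    def add_member(self, parent, child):
        """Create parent -> child membership and propagate the child's
        ghost members to the parent and the parent's ancestors (this is the
        only point at which propagation happens in the model)."""
        self.groups[parent]["member"].add(child)
        ghosts = self._ghosts_below(child)
        for group in self._ancestors(parent) | {parent}:
            self.groups[group]["ghost"] |= ghosts

    def add_ghosts(self, name, ghosts):
        """Late attachment of ghosts: updates only this group, no propagation.
        This is the step the original two-pass store relied on."""
        self.groups[name]["ghost"] |= set(ghosts)

    def ghosts(self, name):
        return set(self.groups[name]["ghost"])

    def _ghosts_below(self, name):
        """Ghosts of a group plus those of every group nested below it."""
        out = set(self.groups[name]["ghost"])
        for child in self.groups[name]["member"]:
            out |= self._ghosts_below(child)
        return out

    def _ancestors(self, name):
        """All groups that (transitively) have `name` as a member."""
        out = set()
        for group, data in self.groups.items():
            if name in data["member"]:
                out.add(group)
                out |= self._ancestors(group)
        return out


GHOSTS = {"alice", "bob"}  # constructed sample: users known only by name


def store_old_way():
    """Two-pass store with ghosts attached last: A never sees them."""
    cache = GroupCache()
    cache.add_group("A")
    cache.add_group("B")
    cache.add_member("A", "B")      # link created while B has no ghosts
    cache.add_ghosts("B", GHOSTS)   # too late: nothing propagates to A
    return cache.ghosts("A")


def store_fixed_way():
    """Ghosts attached when the group is created, as the patch does."""
    cache = GroupCache()
    cache.add_group("A")
    cache.add_group("B", ghosts=GHOSTS)
    cache.add_member("A", "B")      # propagation now sees B's ghosts
    return cache.ghosts("A")


def store_fixed_three_levels():
    """Deeper nesting A -> B -> C with ghosts on C; link order does not matter
    because each link propagates to every ancestor of the parent."""
    cache = GroupCache()
    cache.add_group("A")
    cache.add_group("B")
    cache.add_group("C", ghosts=GHOSTS)
    cache.add_member("A", "B")      # B has nothing yet, A stays empty
    cache.add_member("B", "C")      # A is an ancestor of B, so A gets C's ghosts
    return cache.ghosts("A"), cache.ghosts("B")


if __name__ == "__main__":
    print("old order, ghosts of A:", store_old_way())
    print("fixed order, ghosts of A:", store_fixed_way())
    print("three levels, ghosts of A and B:", store_fixed_three_levels())
```

The model deliberately has no "re-propagate on late ghost update" path; that is the logic the thread says would have to live in the memberOf plugin, and the patch avoids needing it by ensuring ghosts exist before any link to the group is created.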
On Wed, 2012-06-13 at 11:32 +0200, Jan Zelený wrote:
In general, I think this would be better handled by the memberOf plugin, but I see the difficulty with doing that. Jan, please open a ticket to move this functionality into memberOf some time in the nebulous future.
Ack.
On Wed, 2012-06-13 at 09:55 -0400, Stephen Gallagher wrote:
Pushed to master.
On Wed, 2012-06-13 at 11:32 +0200, Jan Zelený wrote:
> In general, I think this would be better handled by the memberOf plugin, but I see the difficulty with doing that. Jan, please open a ticket to move this functionality into memberOf some time in the nebulous future.
The ticket is here: https://fedorahosted.org/sssd/ticket/1375
Thanks Jan
sssd-devel@lists.fedorahosted.org