On Mon, Sep 24, 2018 at 11:46:08AM -0400, Simo Sorce wrote:
On Mon, 2018-09-24 at 16:44 +0200, Michael Ströder wrote:
> On 9/24/18 4:22 PM, Simo Sorce wrote:
> > For groups I would expect us to merge memberships in rfc2307 mode,
> If you really want to implement such merging then please disable
> it by default. So that it must be explicitly enabled after careful
Yes it would have to be optional and disabled by default, we do not
want to promote bad practices.
What we can do to make the code more predictable (albeit slower) is to
always "reverse resolve" by gid (and by name) whenever a search by name
(or by gid) is performed, so duplicates are always consistently dealt
with (either first in alphabetic order only or always completely fail
to accept a group with duplicate gid (or name).
btw this is what the proxy provider does (why only the proxy provider I
don't know..maybe because there we don't have any other means to detect
what kind of an object this is, like original DN)