File 0013-SYSDB-in-case-ignore_group_members-true-group-is-act.patch of Package sssd.39837

From d3c3408e0ef1df13c8c4d7fb6dc394fdb9a0886c Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Sat, 10 Jun 2023 16:28:23 +0200
Subject: [PATCH] SYSDB: in case (ignore_group_members == true) group is
 actually complete
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Example workflow:
 - SSSD client is enrolled into AD domain (Token-Groups are enabled)
 - `id $user` is executed
 - initgroups() is called for this user
 - during processing of initgroups() sssd_be obtains a list of group SIDs
   the user is a member of, and then partially resolves those groups and adds
   them to the local cache as "incomplete" (i.e. 'expired')
 - as a next step `id` calls getgrnam() for every group in initgroups() list
 - since groups are saved into the cache as "incomplete" (technically - "expired")
   this again results in LDAP search of this group.
   But if `ignore_group_members = true` this search doesn't provide
   new information. "Incomplete" groups could be used instead.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b)
---
 src/db/sysdb_ops.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index d11d8d956..7a3c00213 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2307,8 +2307,10 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain,
     ret = sysdb_attrs_add_time_t(attrs, SYSDB_LAST_UPDATE, now);
     if (ret) goto done;
 
+    /* in case (ignore_group_members == true) group is actually complete */
     ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE,
-                                 now-1);
+                                 domain->ignore_group_members ?
+                                     (now + domain->group_timeout) : (now-1));
     if (ret) goto done;
 
     ret = sysdb_attrs_add_bool(attrs, SYSDB_POSIX, posix);
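Review bot: the one-line comment above the SYSDB_CACHE_EXPIRE call states the conclusion but not the reason; since this hunk changes a long-standing invariant (an incomplete group always entered the cache already expired), it would help future readers to spell out that with ignore_group_members the member list is never fetched, so the partially resolved entry already holds everything a later getgrnam() lookup could return, and a normal group_timeout expiry is therefore safe. As a style point, the ternary split across two continuation lines with mismatched spacing (`now-1` next to `now + domain->group_timeout`) reads awkwardly; consider computing the value first, e.g. `time_t expire = domain->ignore_group_members ? now + domain->group_timeout : now - 1;` and then passing `expire` to sysdb_attrs_add_time_t, which also keeps the `now - 1` spacing consistent with the surrounding code.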
-- 
2.49.0
