On Tue, 19 Oct 2010 09:59:21 -0400 Stephen Gallagher sgallagh@redhat.com wrote:
> My main concern with adding a new interface would be buy-in from all of the assorted name-service providers (nss_nis, nss_ldap, etc.). Let's be honest: even if we created this new interface, the most likely outcome is that the libraries are just going to continue processing the way that they do already, and then just reply with a limited subset of the results.
The main concern here I think is that of making a substantial effort to change a lot of applications to use an interface that is only marginally better for just one use case. I am not sure it is worth the effort given the very meager gains you get.
> Creating the groups in our SSSD cache without including membership information introduces integrity issues when we're dealing with offline operation, for example. If access control for some application relies on group membership, but our cache only has reference to the group and its GID, without a list of members, then when we're offline and can't request further information, we'll improperly deny access.
This shouldn't be a real problem, as all group memberships relevant to logged-in users must be fetched at login time. And only users that previously logged in are allowed to log in again or stay logged in when offline.
Simo.
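The two messages above disagree about whether a cached group without a member list breaks access control, and the answer depends on how the application asks the question. An added example (not code from this thread, from SSSD, or from glibc) that contrasts the two NSS lookups an application can use: scanning gr_mem from getgrnam(3), which needs the group's member list, versus getgrouplist(3) from the user side, which works from the supplementary group list fetched at login, as Simo's reply relies on. The user and group names in main() are placeholders, and the test data below are constructed.

```c
/* Added example: two ways to answer "is user U a member of group G?" via NSS.
 *   1. getgrnam(3) + scan of gr_mem: needs the group's member list; a cache
 *      entry holding only name and GID yields an empty gr_mem and a false "no".
 *   2. getgrouplist(3) from the user's side: uses the supplementary group list
 *      that initgroups() fetched at login, so it does not depend on gr_mem.
 * Names in main() are placeholders; pass your own as argv[1] argv[2]. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Style 1: look for the user's name in a group's gr_mem array. */
int user_in_gr_mem(const char *user, char *const *gr_mem)
{
    if (gr_mem == NULL)
        return 0;
    for (; *gr_mem != NULL; gr_mem++)
        if (strcmp(*gr_mem, user) == 0)
            return 1;
    return 0;
}

/* Style 2: look for the group's GID in a GID list such as the one
 * getgrouplist(3) or getgroups(2) returns. */
int gid_in_list(gid_t gid, const gid_t *gids, int ngids)
{
    for (int i = 0; i < ngids; i++)
        if (gids[i] == gid)
            return 1;
    return 0;
}

/* Resolve both names through NSS and report both answers.
 * Returns 0 on success, -1 if either name cannot be resolved. */
int check_membership(const char *user, const char *group,
                     int *via_gr_mem, int *via_grouplist)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (pw == NULL || gr == NULL)
        return -1;

    *via_gr_mem = user_in_gr_mem(user, gr->gr_mem);

    int ngroups = 64;
    gid_t *gids = malloc((size_t)ngroups * sizeof(gid_t));
    if (gids == NULL)
        return -1;
    /* glibc: returns -1 and stores the needed count in ngroups if too small. */
    if (getgrouplist(user, pw->pw_gid, gids, &ngroups) == -1) {
        gid_t *tmp = realloc(gids, (size_t)ngroups * sizeof(gid_t));
        if (tmp == NULL) { free(gids); return -1; }
        gids = tmp;
        if (getgrouplist(user, pw->pw_gid, gids, &ngroups) == -1) {
            free(gids);
            return -1;
        }
    }
    *via_grouplist = gid_in_list(gr->gr_gid, gids, ngroups);
    free(gids);
    return 0;
}

int main(int argc, char **argv)
{
    const char *user  = argc > 2 ? argv[1] : "root";  /* placeholder names */
    const char *group = argc > 2 ? argv[2] : "root";
    int m1, m2;
    if (check_membership(user, group, &m1, &m2) != 0) {
        fprintf(stderr, "cannot resolve user %s or group %s\n", user, group);
        return 1;
    }
    printf("%s in %s: via gr_mem=%s, via getgrouplist=%s\n",
           user, group, m1 ? "yes" : "no", m2 ? "yes" : "no");
    return 0;
}
```

Run it against a user whose group membership comes from a remote directory and compare the two columns: when the cache stores only the group name and GID, the gr_mem column says "no" while getgrouplist still says "yes", because the latter is answered from the user's own group list. Both calls go through the same NSS providers configured in nsswitch.conf, so what you see depends on the host's configuration.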