On Mon, 2018-09-24 at 16:44 +0200, Michael Ströder wrote:
> On 9/24/18 4:22 PM, Simo Sorce wrote:
>> For groups I would expect us to merge memberships in rfc2307 mode,
> If you really want to implement such merging then please disable
> it by default. So that it must be explicitly enabled after careful
> consideration.
Yes, it would have to be optional and disabled by default, we do not
want to promote bad practices.
What we can do to make the code more predictable (albeit slower) is to
always "reverse resolve" by gid (and by name) whenever a search by name
(or by gid) is performed, so duplicates are always consistently dealt
with (either first in alphabetic order only or always completely fail
to accept a group with duplicate gid (or name)).
This check can be optimized on servers that support dereference
controls.
Simo.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
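
The "reverse resolve" check described in the message above, as an added example that is not part of the original post or of the project's code. The group entries, the `search`/`resolve` names, the `policy` parameter, the gid tie-break for duplicate names, and the choice to hide shadowed entries under the "first" policy are all assumptions made for illustration.

```python
# Constructed rfc2307-style group entries; not taken from any real directory.
GROUPS = [
    {"cn": "staff",  "gidNumber": 1000, "memberUid": ["alice"]},
    {"cn": "admins", "gidNumber": 1000, "memberUid": ["bob"]},    # duplicate gid
    {"cn": "dev",    "gidNumber": 2000, "memberUid": ["carol"]},
    {"cn": "dev",    "gidNumber": 2001, "memberUid": ["dave"]},   # duplicate name
    {"cn": "ops",    "gidNumber": 3000, "memberUid": ["erin"]},
]


class DuplicateGroup(Exception):
    """Raised under the 'fail' policy when a name or gid is not unique."""


def search(attr, value):
    # Stand-in for one LDAP search filtered on a single attribute.
    return [g for g in GROUPS if g[attr] == value]


def resolve(attr, value, policy="fail"):
    """Look up a group by 'cn' or 'gidNumber', then reverse resolve.

    policy 'fail'  : reject any group whose name or gid is shared.
    policy 'first' : accept only the alphabetically first entry of a
                     colliding set; shadowed entries resolve to None.
    """
    hits = search(attr, value)
    if not hits:
        return None
    # Reverse resolve: for every hit, search again by name and by gid so a
    # lookup by name sees gid collisions and a lookup by gid sees name ones.
    # One round only, as in the message; chains of collisions are not followed.
    related = {}
    for hit in hits:
        for g in search("cn", hit["cn"]) + search("gidNumber", hit["gidNumber"]):
            related[(g["cn"], g["gidNumber"])] = g
    if len(related) == 1:
        return hits[0]
    if policy == "fail":
        raise DuplicateGroup(sorted(related))
    winner = related[min(related)]  # ordered by name, then gid (assumed tie-break)
    # Return the winner only if it is what the caller asked for; otherwise
    # the requested entry is shadowed and must not be visible.
    return winner if winner[attr] == value else None
```

With either policy, a lookup by name and a lookup by gid give the same answer for a colliding set, which is the predictability the message is after; the cost is the extra searches per lookup.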