Re: Questions: Recursive group lookup
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: Questions: Recursive group lookup
- From: Jan Schampera <jan.schampera [at] web.de>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Reply-to: jan.schampera [at] web.de
- Subject: Re: Questions: Recursive group lookup
- Date: Sun, 31 Jan 2010 17:42:09 +0100
> The only way (to really catch all) I see is to (recursively)
> getmembers() all known groups, maybe with some less exclusions before,
> but... That sounds *heavy*. Though I remember some setting in the PADL
> modules about the initgroup implementation being recursive or not, and
> the performance loss. It could be that this is the only way.
I have a rough imagination about a search algo that is a little bit
optimized. Below is the code in TheBonsaiPseudoCode(TM)...
ITERATE (all posixGroup objects) AS group;
IF (groupDN.memberUID == UID)
grouplist += group.cn;
seenlist += group.dn;
next iteration;
END IF;
IF (group.uniqueMember == DN of UID)
grouplist += group.cn;
seenlist += group.dn;
next iteration;
END IF;
IF ((group.uniqueMember ==
DN of object with (objectClass == posixGroup))
&& ! (group.uniqueMember in seenlist))
memberslist := getmembers of group.uniqueMember;
IF (UID in memberslist)
grouplist += group.cn;
seenlist += group.dn;
next iteration;
END IF;
END IF;
seenlist += group.dn;
END ITERATE;
The idea is to exclude direct group assignments first, and only go
deeper when a group is referenced. Also maintain a list of already
inspected group DNs to not work too much. The part which gets the group
members doesn't need to be recursive here (it would slow down anyways).
Any optimization potential here? Something I don't know about LDAP
searches or so?
Jan
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users