
Re: [PATCH] Nested groups


Hi all.

Thanks for providing the patch, looks very interesting. One thing that
I'm still looking into is limiting the search depth in some way to be
able to limit the recursion to not go wild when one group has another
group as a member and vice versa.

I have just pushed an implementation of this functionality to Git. It is
loosely based on the provided patch but has a bit more elaborate
implementation and also handles things gracefully if two groups have
each other as a member or a group has itself as a member, with a minimal
number of lookups (for both the forward and reverse lookups).

For the forward lookup (get members belonging to a group) a list of
member groups is kept to check. After the normal group members are
processed the member groups are processed in a queue-like fashion where
further found sub-groups are added to the queue.

For the reverse lookup (get groups that have a certain member) something
similar is done. First the groups that have the user as member are
listed and then for each of these groups the groups are found that have
the group as a member (again with a queue).

For both operations this means that only one extra LDAP search operation
is running at the same time. Both lookups also have a mechanism to
ensure a group is examined only once per lookup.

For the forward lookups this shouldn't result in extra searches if no
nested groups are used, but it will slow down the reverse search because
for each group found an extra search is performed. For this reason a
nss_nested_groups configuration option was added which can be used to
enable this new functionality (default is false).

This functionality will be released in the upcoming 0.9.0 release. If it
is thoroughly tested it could be backported to the 0.8 series. Feedback
is more than welcome!

I have not taken a look at the code yet, but we need to make sure that this feature can either be disabled and/or the nested group depth can be specified.

We have a large number of nested groups here with reverse nesting, which might otherwise lead to extremely long lookup times.

Greets
Marcus
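The queue-based forward and reverse lookups with a once-per-lookup check described in the thread, as an added Python example that is not part of the thread or of nss-pam-ldapd's own code. The in-memory directory, the simulated search helpers and the `max_depth` cap (the limit Marcus asks for) are assumptions; the cycle between admins and ops and the self-membership of loop exercise the termination behaviour.

```python
from collections import deque
# Constructed example directory (not real LDAP data): group -> members.
# "cn=" entries are member groups; admins/ops contain each other and
# loop contains itself, so naive recursion would never terminate.
DIRECTORY = {
    "admins": {"alice", "cn=ops"},
    "ops": {"bob", "cn=admins", "cn=loop"},
    "loop": {"carol", "cn=loop"},
    "dev": {"dave", "cn=ops"},
}

def search_members(group, stats):
    # One simulated LDAP search: the member attribute of a group.
    stats["searches"] += 1
    return DIRECTORY.get(group, set())

def search_groups_with_member(member, stats):
    # One simulated LDAP search: groups listing `member` directly.
    stats["searches"] += 1
    return {g for g, ms in DIRECTORY.items() if member in ms}

def forward_lookup(group, max_depth=None):
    # Users in `group`, following member groups with a queue; each group
    # is examined once per lookup. max_depth is an assumed extra knob.
    stats, users, seen = {"searches": 0}, set(), {group}
    queue = deque([(group, 0)])
    while queue:
        g, depth = queue.popleft()
        for m in search_members(g, stats):
            if not m.startswith("cn="):
                users.add(m)
            elif m[3:] not in seen and (max_depth is None or depth < max_depth):
                seen.add(m[3:])
                queue.append((m[3:], depth + 1))
    return users, stats["searches"]

def reverse_lookup(user, max_depth=None):
    # Groups containing `user` directly or via nesting: start from the
    # direct groups, then queue each group's parent groups, once each.
    stats = {"searches": 0}
    seen = search_groups_with_member(user, stats)
    queue = deque((g, 0) for g in seen)
    while queue:
        g, depth = queue.popleft()
        if max_depth is not None and depth >= max_depth:
            continue
        for parent in search_groups_with_member("cn=" + g, stats) - seen:
            seen.add(parent)
            queue.append((parent, depth + 1))
    return seen, stats["searches"]
```

Both functions also return the number of simulated searches, which shows why the reverse lookup is the costly direction: one extra search per group found, exactly the reason the option defaults to off.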

--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/