lists.arthurdejong.org

Re: innetgr support?

On Thu, 2015-05-07 at 22:34 +0100, Mark R Bannister wrote:
> I've fixed your patch, it had some typos in it.  Please see attached a
> new patch which is compiling and working correctly.  The patch is in
> DBIS 1.4.5.

Thanks. I've pushed the patch to the master branch.

> Note, however, that when I compile it, I get the following warnings:
[...]
> I couldn't figure out where this const qualifier was.  Can you fix it?

I also fixed the warnings in the commit. The const was part of the
__netgrent struct which was a compatibility struct that is only used as
temporary storage on Solaris.

> > It would also be possible to implement a real innetgr call all the way
> > to nslcd that would then perform an LDAP search with more filters
> > applied but I'm a bit lazy today.
> 
> Actually I was thinking about this and I don't see that it would be
> any more efficient, as a single LDAP search operation is not going to
> process member netgroups.

If you could construct a search that just matches nisNetgroupTriple
attributes you could (perhaps) use the indexes that the LDAP server
provides. It also saves a bit of overhead in the communication between
the NSS module and nslcd.

For example the following call:
  innetgr("group", NULL, "user", "dom");
could result in the following search:
  (&(objectClass=nisNetgroup)(cn=group)(nisNetgroupTriple=*,user,dom))
but you would also need extra searches to see if one netgroup is a
member of another netgroup.

Anyway, I think the benefit is also minimal, especially given the number
of people who actually use netgroups.

Thanks,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
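
The filter shape from the message above, built from innetgr() arguments with RFC 4515 escaping. This is an added example, not part of the original message and not nss-pam-ldapd code. The names innetgr_filter, put and put_value are hypothetical, and a NULL argument is assumed to map to the `*` wildcard as in the message's filter.

```c
#include <stdio.h>
#include <string.h>

/* Append src unchanged; returns -1 if it does not fit in cap bytes. */
static int put(char *dst, size_t cap, const char *src) {
  size_t n = strlen(dst), m = strlen(src);
  if (n + m + 1 > cap) return -1;
  memcpy(dst + n, src, m + 1);
  return 0;
}

/* Append one assertion value: NULL becomes the '*' wildcard, anything else
   is escaped per RFC 4515 so caller input cannot change the filter. */
static int put_value(char *dst, size_t cap, const char *v) {
  char esc[4];
  if (v == NULL) return put(dst, cap, "*");
  for (; *v != '\0'; v++) {
    if (*v == '*' || *v == '(' || *v == ')' || *v == '\\')
      snprintf(esc, sizeof(esc), "\\%02x", (unsigned char)*v);
    else
      snprintf(esc, sizeof(esc), "%c", *v);
    if (put(dst, cap, esc)) return -1;
  }
  return 0;
}

/* Hypothetical helper (not nss-pam-ldapd code): build the search filter for
   innetgr(netgroup, host, user, domain). Returns 0, or -1 on overflow. */
int innetgr_filter(char *buf, size_t cap, const char *netgroup,
                   const char *host, const char *user, const char *domain) {
  if (buf == NULL || cap == 0 || netgroup == NULL) return -1;
  buf[0] = '\0';
  if (put(buf, cap, "(&(objectClass=nisNetgroup)(cn=") ||
      put_value(buf, cap, netgroup) ||
      put(buf, cap, ")(nisNetgroupTriple=") ||
      put_value(buf, cap, host) || put(buf, cap, ",") ||
      put_value(buf, cap, user) || put(buf, cap, ",") ||
      put_value(buf, cap, domain) || put(buf, cap, "))"))
    return -1;
  return 0;
}

int main(void) {
  char f[256];  /* constructed sample call: the one from the message */
  if (innetgr_filter(f, sizeof(f), "group", NULL, "user", "dom") == 0)
    puts(f);
  return 0;
}
```

As the message says, this covers only triples stored directly on the named netgroup; nested netgroups still need extra searches.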