ee44aac Download complete groups if ignore_group_members is set with tokengroups

Authored and Committed by jhrozek 9 years ago
    Download complete groups if ignore_group_members is set with tokengroups
    
    Resolves:
        https://fedorahosted.org/sssd/ticket/2644
    
    When tokenGroups are enabled, we save groups using their SID as the RDN
    attribute during initgroups() and later, if the group is requested and saved
    again with the full name, remove the original and save the new group entry.
    
    Saving the new group entry would break if ignore_group_members is also
    set, because the new group entry would lack the "member" attribute, so the
    member/memberof links between the new group and the user entry wouldn't
    be established again.
    
    This patch changes the initgroups processing so that the full group
    object is fetched when initgroups is enabled but together with
    ignore_group_members. This solution imposes some performance impact,
    because instead of one search for tokenGroups we also need to resolve the
    groups. The more systematic solution would be to get rid of removing the
    group entry as described in https://fedorahosted.org/sssd/ticket/2656
    
    To reproduce the bug, set: ignore_group_members = True with a
    backend that uses:
        id_provider = ad
    Then run:
        $ id aduser@ad_domain.com
        $ id aduser@ad_domain.com
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>