On Mon, 2018-09-24 at 16:44 +0200, Michael Ströder wrote:
> On 9/24/18 4:22 PM, Simo Sorce wrote:
> > For groups I would expect us to merge memberships in rfc2307 mode,
> If you really want to implement such merging then please disable it by default, so that it must be explicitly enabled after careful consideration.
Yes it would have to be optional and disabled by default, we do not want to promote bad practices.
What we can do to make the code more predictable (albeit slower) is to always "reverse resolve" by gid (and by name) whenever a search by name (or by gid) is performed, so duplicates are always consistently dealt with (either first in alphabetic order only or always completely fail to accept a group with duplicate gid (or name)).
This check can be optimized on servers that support dereference controls.
Simo.
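
The reverse-resolve check described in the message above, as an added example that is not code from this thread or from the project. The entry layout, the `resolve` function, the two policy names and the sample groups are assumptions made for illustration; only one hop of reverse resolution is followed.

```python
# Constructed rfc2307-style sample entries; "admins" and "ops" share gid 1000.
GROUPS = [
    {"cn": "ops", "gidNumber": 1000, "memberUid": ["bob"]},
    {"cn": "admins", "gidNumber": 1000, "memberUid": ["alice"]},
    {"cn": "staff", "gidNumber": 2000, "memberUid": ["carol"]},
]


class DuplicateGroup(Exception):
    """Raised under the "fail" policy when a name or gid is ambiguous."""


def _search(entries, attr, value):
    # Stand-in for a directory search on a single attribute.
    return [e for e in entries if e[attr] == value]


def resolve(entries, name=None, gid=None, policy="fail"):
    """Look up a group by name or gid, then reverse resolve by the other key.

    policy="fail":  refuse any group whose name or gid is duplicated.
    policy="first": accept only the alphabetically first of the duplicates.
    """
    if (name is None) == (gid is None):
        raise ValueError("pass exactly one of name or gid")
    if policy not in ("fail", "first"):
        raise ValueError(f"unknown policy {policy!r}")
    attr, value = ("cn", name) if name is not None else ("gidNumber", gid)
    hits = _search(entries, attr, value)
    if not hits:
        return None
    # Reverse resolve: collect every entry sharing a name or a gid with a hit.
    rivals = []
    for hit in hits:
        for e in (_search(entries, "cn", hit["cn"])
                  + _search(entries, "gidNumber", hit["gidNumber"])):
            if e not in rivals:
                rivals.append(e)
    if len(rivals) == 1:
        return rivals[0]
    if policy == "fail":
        raise DuplicateGroup(f"{attr}={value!r} is ambiguous across {len(rivals)} entries")
    # The winner is the same whichever direction the lookup came from.
    winner = min(rivals, key=lambda e: (e["cn"], e["gidNumber"]))
    return winner if winner[attr] == value else None
```

Under the "first" policy a lookup for the losing name returns nothing rather than a group whose gid maps back to a different name, so name-to-gid and gid-to-name answers never disagree.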