After removing a user from a trusted AD domain from an external IPA group, e.g. with a command similar to
ipa group-remove-member test_group_ext --external administrator@samba.test
the group memberships of the user are not removed from the groups the external group is a member of, even after the cached entry of the user has expired.
The trigger to reproduce the issue is to disable the tokengroups lookup by setting ldap_use_tokengroups = False and making sure this option is inherited by the SSSD sub-domains by setting subdomain_inherit = ldap_use_tokengroups.
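For reference, the trigger configuration described above as a sssd.conf domain section on the IPA server. This is an added illustration, not a configuration taken from the report; the domain name ipa.test, the server name and the trusted domain samba.test are assumptions, and the rest of the section is the usual ipa provider setup.

```ini
[domain/ipa.test]
# Assumed example values; only the last two options are the trigger
id_provider = ipa
ipa_server = ipa.ipa.test
ipa_domain = ipa.test

# Disable the tokengroups lookup for the IPA domain (default is True)
ldap_use_tokengroups = False
# Without this line the setting applies to the IPA domain only; the trusted
# AD sub-domain (e.g. samba.test) must inherit it to hit the issue
subdomain_inherit = ldap_use_tokengroups
```

After restarting SSSD, the group list of the removed user can be checked with `id administrator@samba.test` once the cached entry has expired (or after it has been invalidated with `sss_cache -u administrator@samba.test`); with the configuration above the inherited memberships of test_group_ext are still reported.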