I ran a simple experiments with sssd:
- create a “cyclic group” g1 -> g2 -> g1
- create a “self loop” g1 -> g1
both cases seem supported by sssd. Group members are returned consistently by
[root@vm7 nethserver]# getent group g1
[root@vm7 nethserver]# getent group g2
Furthermore, cycles seem to be allowed in AD and RSAT tools. Some (poorly implemented) third party apps could not cope with them. There are some scripts around that analyze the LDAP db and report cycles.
In the end, I think we can retain the current implementation and allow group cycles because the underlying implementation allows them.
What do you think? /cc @dnutan