authorSumit Bose <sbose@redhat.com>2012-11-07 11:29:51 +0100
committerJakub Hrozek <jhrozek@redhat.com>2012-11-12 00:22:05 +0100
commit3b1bd1911d315c33bc81e4cd287807484feeebbc (patch)
tree5c6c908c8dfa123def5da7a41f8d6eb6aa78c23f
parent068dc82f738fe1fd6f7206f89904a1ff966b7ee3 (diff)
Do not remove a group if it has members from subdomains
Currently it is only checked whether an expired group still has members from the local domain. If not, the group is deleted from the cache. With this patch the whole cache, i.e. including subdomains, is searched for members.
-rw-r--r--src/providers/ldap/ldap_id_cleanup.c19
1 files changed, 15 insertions, 4 deletions
diff --git a/src/providers/ldap/ldap_id_cleanup.c b/src/providers/ldap/ldap_id_cleanup.c
index e65356d58..9c2faabb2 100644
--- a/src/providers/ldap/ldap_id_cleanup.c
+++ b/src/providers/ldap/ldap_id_cleanup.c
@@ -395,6 +395,7 @@ static int cleanup_groups(TALLOC_CTX *memctx,
int ret;
int i;
const char *posix;
+ struct ldb_dn *base_dn;
tmpctx = talloc_new(memctx);
if (!tmpctx) {
@@ -436,10 +437,12 @@ static int cleanup_groups(TALLOC_CTX *memctx,
posix = ldb_msg_find_attr_as_string(msgs[i], SYSDB_POSIX, NULL);
if (!posix || strcmp(posix, "TRUE") == 0) {
/* Search for users that are members of this group, or
- * that have this group as their primary GID
+ * that have this group as their primary GID.
+ * Include subdomain users as well.
*/
gid = (gid_t) ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
- subfilter = talloc_asprintf(tmpctx, "(|(%s=%s)(%s=%lu))",
+ subfilter = talloc_asprintf(tmpctx, "(&(%s=%s)(|(%s=%s)(%s=%lu)))",
+ SYSDB_OBJECTCLASS, SYSDB_USER_CLASS,
SYSDB_MEMBEROF, dn,
SYSDB_GIDNUM, (long unsigned) gid);
} else {
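Review bot: The POSIX branch now restricts its filter to user objects with `(&(objectClass=user)...)` (the `SYSDB_OBJECTCLASS`/`SYSDB_USER_CLASS` term added at L39-L40), which is needed because the later hunk swaps `sysdb_search_users` for a subtree `sysdb_search_entry` that no longer filters by object class itself. The `else` branch that starts at the end of this hunk builds its own `subfilter` outside the visible lines; if it was not updated with the same objectClass term, the subtree search may now match non-user entries (for example nested groups carrying `memberOf`), and a group could be kept alive by a stale group entry rather than by an actual user. I would either add `SYSDB_OBJECTCLASS, SYSDB_USER_CLASS` to that filter as well or note in the comment why it is intentionally broader. The enclosing `cleanup_groups` function starts and ends outside this hunk.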
@@ -451,8 +454,16 @@ static int cleanup_groups(TALLOC_CTX *memctx,
goto done;
}
- ret = sysdb_search_users(tmpctx, sysdb,
- subfilter, NULL, &u_count, &u_msgs);
+ base_dn = sysdb_base_dn(sysdb, tmpctx);
+ if (base_dn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Failed to build base dn\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_search_entry(tmpctx, sysdb, base_dn,
+ LDB_SCOPE_SUBTREE, subfilter, NULL,
+ &u_count, &u_msgs);
if (ret == ENOENT) {
const char *name;