authorPavel Březina <pbrezina@redhat.com>2013-09-11 14:01:31 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-10-30 22:45:26 +0100
commit05f6866b89f790e25510b7eeca88ded617294011 (patch)
tree710280459ba3135ab7a38fe7acce64a001e7fb67
parentb6a867be96dbe802c8dc8a9ce635040ecf77b56f (diff)
nested groups: pick correct domain for cache lookups
Groups may contain members from different domains. We need to make sure that we always choose the correct domain for subdomain users when looking them up in sysdb. Resolves: https://fedorahosted.org/sssd/ticket/2064
-rw-r--r--src/providers/ldap/sdap_async_nested_groups.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
index 7040c6e9b..fafbb36ba 100644
--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
@@ -329,11 +329,14 @@ done:
}
static errno_t
-sdap_nested_group_check_cache(struct sss_domain_info *domain,
+sdap_nested_group_check_cache(struct sdap_options *opts,
+ struct sss_domain_info *domain,
const char *member_dn,
enum sdap_nested_group_dn_type *_type)
{
TALLOC_CTX *tmp_ctx = NULL;
+ struct sdap_domain *sdap_domain = NULL;
+ struct sss_domain_info *member_domain = NULL;
char *sanitized_dn = NULL;
char *filter = NULL;
errno_t ret;
@@ -355,8 +358,12 @@ sdap_nested_group_check_cache(struct sss_domain_info *domain,
goto done;
}
+ /* determine correct domain of this member */
+ sdap_domain = sdap_domain_get_by_dn(opts, member_dn);
+ member_domain = sdap_domain == NULL ? domain : sdap_domain->dom;
+
/* search in users */
- ret = sdap_nested_group_sysdb_search_users(domain, filter);
+ ret = sdap_nested_group_sysdb_search_users(member_domain, filter);
if (ret == EOK || ret == EAGAIN) {
/* user found */
*_type = SDAP_NESTED_GROUP_DN_USER;
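Review bot: The NULL fallback on the `member_domain = sdap_domain == NULL ? domain : sdap_domain->dom;` line silently keeps the pre-commit behaviour for any member DN that `sdap_domain_get_by_dn()` cannot place (presumably one matching none of the configured search bases), so such a member is still searched in the group's own domain and can be reported as found there, which is exactly the cross-domain ambiguity the commit sets out to remove. Since this function decides whether a cached entry counts as "found and valid" for membership resolution, the fallback deserves to be visible in the logs rather than implicit; for example `DEBUG(SSSDBG_TRACE_ALL, ("[%s] matches no known domain, falling back to [%s]\n", member_dn, domain->name));` before the user search, and the comment on the line above it widened to `/* determine correct domain of this member; fall back to the group's domain when the DN matches no known search base */`. Whether the fallback is the right policy or a NULL should instead be treated as "not in cache" is something the commit message should state, as the current text only says the correct domain must be chosen. The enclosing sdap_nested_group_check_cache() begins in the previous hunk (its new `opts` parameter is added there) and its body continues past this one.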
@@ -367,7 +374,7 @@ sdap_nested_group_check_cache(struct sss_domain_info *domain,
}
/* search in groups */
- ret = sdap_nested_group_sysdb_search_groups(domain, filter);
+ ret = sdap_nested_group_sysdb_search_groups(member_domain, filter);
if (ret == EOK || ret == EAGAIN) {
/* group found */
*_type = SDAP_NESTED_GROUP_DN_GROUP;
@@ -454,7 +461,8 @@ sdap_nested_group_split_members(TALLOC_CTX *mem_ctx,
}
/* check sysdb */
- ret = sdap_nested_group_check_cache(group_ctx->domain, dn, &type);
+ ret = sdap_nested_group_check_cache(group_ctx->opts, group_ctx->domain,
+ dn, &type);
if (ret == EOK) {
/* found and valid */
DEBUG(SSSDBG_TRACE_ALL, ("[%s] found in cache, skipping\n", dn));