authorJakub Hrozek <jhrozek@redhat.com>2014-09-09 22:13:52 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-09-25 10:12:57 +0200
commita20ce8cd43d72c89e2ea1d65aefe24ba270f040f (patch)
tree7bcd156874ff59b4522646a0e205f92abecff581
parentd9666fa22117f016b2b9c6640563a983b8e4c64e (diff)
IPA: Use GC for group lookups in server mode
https://fedorahosted.org/sssd/ticket/2412 Even though AD trusts often rely on POSIX attributes, which are normally not replicated to the GC, our group lookups have been smart since commit 008e1ee835602023891ac45408483d87f41e4d5c: they look up the group itself using the LDAP connection and use the GC connection only to look up the members. Reviewed-by: Pavel Reichl <preichl@redhat.com>
-rw-r--r--src/providers/ipa/ipa_subdomains_id.c14
1 files changed, 9 insertions, 5 deletions
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 659bc7c2c..83f913cb9 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -304,17 +304,21 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
}
sdap_id_ctx = ad_id_ctx->sdap_id_ctx;
- /* Currently only LDAP port for AD is used because POSIX
- * attributes are not replicated to GC by default
+ /* We read users and groups from GC. From groups, we may switch to
+ * using LDAP connection in the group request itself, but in order
+ * to resolve Universal group memberships, we also need the GC
+ * connection
*/
-
- if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
+ switch (state->ar->entry_type & BE_REQ_TYPE_MASK) {
+ case BE_REQ_INITGROUPS:
+ case BE_REQ_GROUP:
clist = ad_gc_conn_list(req, ad_id_ctx, state->user_dom);
if (clist == NULL) {
ret = ENOMEM;
goto fail;
}
- } else {
+ break;
+ default:
clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
if (clist == NULL) {
ret = ENOMEM;