authorJakub Hrozek <jhrozek@redhat.com>2014-09-09 22:13:52 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-10-14 11:04:41 +0200
commit756a944b898e55a83c212999b31ba6550af4b1ce (patch)
tree5219ab826b99d285a5dde4cc9531dcf9117877ab
parent5b5cb000d63c3edad40ebb420776df2a18950fcb (diff)
IPA: Use GC for group lookups in server mode
https://fedorahosted.org/sssd/ticket/2412 Even though AD trusts often rely on POSIX attributes, which are normally not replicated to the GC, group lookups have been able to cope with this since commit 008e1ee835602023891ac45408483d87f41e4d5c: the group entry itself is looked up over the LDAP connection, and the GC connection is used only to resolve the group's members. Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit a20ce8cd43d72c89e2ea1d65aefe24ba270f040f)
-rw-r--r--src/providers/ipa/ipa_subdomains_id.c14
1 files changed, 9 insertions, 5 deletions
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 5517602a6..9a90bc2d6 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -304,17 +304,21 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
}
sdap_id_ctx = ad_id_ctx->sdap_id_ctx;
- /* Currently only LDAP port for AD is used because POSIX
- * attributes are not replicated to GC by default
+ /* We read users and groups from GC. From groups, we may switch to
+ * using LDAP connection in the group request itself, but in order
+ * to resolve Universal group memberships, we also need the GC
+ * connection
*/
-
- if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
+ switch (state->ar->entry_type & BE_REQ_TYPE_MASK) {
+ case BE_REQ_INITGROUPS:
+ case BE_REQ_GROUP:
clist = ad_gc_conn_list(req, ad_id_ctx, state->user_dom);
if (clist == NULL) {
ret = ENOMEM;
goto fail;
}
- } else {
+ break;
+ default:
clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
if (clist == NULL) {
ret = ENOMEM;