authorSumit Bose <sbose@redhat.com>2015-05-29 16:37:54 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-06-19 14:09:45 +0200
commitceb393ad6d7ecc41dd9f15b64dd7d94db43a8582 (patch)
tree415a422888541be19ed2b5cef10dfaa14967866c
parent757b76fbd23ce700b0f8065c91d685dbd07f1cb8 (diff)
ldap: use proper sysdb name in groups_by_user_done()
In a recent change set_initgroups_expire_attribute() was added to groups_by_user_done() to make sure that the initgroups timeout is not added to the user object until all groups are added to the cache. This change (and the original code in groups_by_user_done() as well) didn't take sub-domain users into account, where the name in sysdb might differ from the original request and the domain is not the configured domain. This patch tries to ensure that the right name and domain are used. https://fedorahosted.org/sssd/ticket/2663 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (cherry picked from commit d0b7e5fcfca7d0db9e3d19be7b51f34d03d3d720) (cherry picked from commit edc1538566e7034eea9b8d592206fbc236233dff)
-rw-r--r--src/providers/ldap/ldap_id.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index bf4a344be..ab981faf6 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -1085,6 +1085,7 @@ static void groups_by_user_done(struct tevent_req *subreq)
struct groups_by_user_state);
int dp_error = DP_ERR_FATAL;
int ret;
+ const char *cname;
ret = sdap_get_initgr_recv(subreq);
talloc_zfree(subreq);
@@ -1108,17 +1109,25 @@ static void groups_by_user_done(struct tevent_req *subreq)
return;
}
+ /* state->name is still the name used for the original request. The cached
+ * object might have a different name, e.g. a fully-qualified name. */
+ ret = sysdb_get_real_name(state, state->domain->sysdb, state->domain,
+ state->name, &cname);
+ if (ret != EOK) {
+ cname = state->name;
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to canonicalize name, using [%s].\n",
+ cname);
+ }
+
if (ret == ENOENT && state->noexist_delete == true) {
- ret = sysdb_delete_user(state->ctx->be->domain->sysdb,
- state->ctx->be->domain, state->name, 0);
+ ret = sysdb_delete_user(state->domain->sysdb, state->domain, cname, 0);
if (ret != EOK && ret != ENOENT) {
tevent_req_error(req, ret);
return;
}
}
- ret = set_initgroups_expire_attribute(state->ctx->be->domain,
- state->name);
+ ret = set_initgroups_expire_attribute(state->domain, cname);
if (ret != EOK) {
state->dp_error = DP_ERR_FATAL;
tevent_req_error(req, ret);
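Review bot: The added `ret = sysdb_get_real_name(...)` overwrites `ret`, so the unchanged `if (ret == ENOENT && state->noexist_delete == true)` just below now tests the result of the name lookup instead of the value `ret` held before it (those earlier assignments are outside the hunk, so this is inferred from the surviving condition). After a successful lookup `ret` is EOK and the delete branch cannot run, which would leave the cached entry and group memberships of a user that no longer exists on the server in place; after a failed lookup, an ENOENT from the cache itself would trigger the delete with the unqualified `state->name`. Keep the lookup result in its own variable declared next to `cname`, e.g. `sysdb_ret = sysdb_get_real_name(state, state->domain->sysdb, state->domain, state->name, &cname);` followed by `if (sysdb_ret != EOK) {`. The body of groups_by_user_done starts and ends outside the hunk.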