authorJakub Hrozek <jhrozek@redhat.com>2013-11-29 11:39:09 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-12-19 20:14:37 +0100
commit168396cd93b3f0e42b4842f520f2bcece91274c6 (patch)
tree534570a30c123de5fed6a6ed75166dde0e52b923
parent1dced7370e55be16154bbb649606f928765819d0 (diff)
AD: Add a new option to turn off GC lookups
SSSD now uses the GC by default. For some environments, for instance those that don't or can't replicate the POSIX attributes to the Global Catalog, this might not be desirable. This patch introduces a new option, ad_enable_gc, that is enabled by default. Setting this option to false makes the SSSD contact only the LDAP port of the AD DCs.
-rw-r--r--src/config/etc/sssd.api.d/sssd-ad.conf1
-rw-r--r--src/man/sssd-ad.5.xml17
-rw-r--r--src/providers/ad/ad_common.c31
-rw-r--r--src/providers/ad/ad_common.h1
-rw-r--r--src/providers/ad/ad_opts.h1
-rw-r--r--src/tests/cmocka/test_ad_common.c20
6 files changed, 58 insertions, 13 deletions
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 9f606f6c4..00e8968d2 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -5,6 +5,7 @@ ad_backup_server = str, None, false
ad_hostname = str, None, false
ad_enable_dns_sites = bool, None, false
ad_access_filter = str, None, false
+ad_enable_gc = bool, None, false
ldap_uri = str, None, false
ldap_backup_uri = str, None, false
ldap_search_base = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index e31f87a96..38cc31278 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -228,6 +228,23 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
</varlistentry>
<varlistentry>
+ <term>ad_enable_gc (boolean)</term>
+ <listitem>
+ <para>
+ By default, the SSSD connects to the Global
+ Catalog first to retrieve users and uses the
+ LDAP port to retrieve group memberships or
+ as a fallback. Disabling this option makes
+ the SSSD only connect to the LDAP port of the
+ current AD server.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>dyndns_update (boolean)</term>
<listitem>
<para>
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index af0ec8399..a5ea4f587 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1125,26 +1125,31 @@ ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
struct sss_domain_info *dom)
{
struct sdap_id_conn_ctx **clist;
+ int cindex = 0;
clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 3);
if (clist == NULL) return NULL;
/* Always try GC first */
- clist[0] = ad_ctx->gc_ctx;
- if (IS_SUBDOMAIN(dom) == true) {
- clist[0]->ignore_mark_offline = false;
- /* Subdomain users are only present in GC. */
- return clist;
+ if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)) {
+ clist[cindex] = ad_ctx->gc_ctx;
+ if (IS_SUBDOMAIN(dom) == true) {
+ clist[cindex]->ignore_mark_offline = false;
+ /* Subdomain users are only present in GC. */
+ return clist;
+ }
+ /* fall back to ldap if gc is not available */
+ clist[cindex]->ignore_mark_offline = true;
+ cindex++;
}
- /* fall back to ldap if gc is not available */
- clist[0]->ignore_mark_offline = true;
-
- /* With root domain users we have the option to
- * fall back to LDAP in case ie POSIX attributes
- * are used but not replicated to GC
- */
- clist[1] = ad_ctx->ldap_ctx;
+ if (IS_SUBDOMAIN(dom) == false) {
+ /* With root domain users we have the option to
+ * fall back to LDAP in case ie POSIX attributes
+ * are used but not replicated to GC
+ */
+ clist[cindex] = ad_ctx->ldap_ctx;
+ }
return clist;
}
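Review bot: When ad_enable_gc is false and dom is a subdomain, neither branch fills a slot, so the function returns a list whose first entry is NULL (the new test at the end of the patch asserts exactly that), while the man-page text says disabling the option makes SSSD use the LDAP port instead. Whether the callers of ad_gc_conn_list tolerate an empty list is not visible here; at minimum the case deserves an explicit comment after the first if block, e.g. `/* Subdomain users exist only in GC; with GC disabled there is no connection to offer, so the list stays empty. */`, and a debug message so that the resulting "no results" is diagnosable rather than silent. As a point of style, `IS_SUBDOMAIN(dom) == true` and `IS_SUBDOMAIN(dom) == false` read better as `if (IS_SUBDOMAIN(dom))` and `if (!IS_SUBDOMAIN(dom))`. The opening lines of ad_gc_conn_list lie before the hunk.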
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index ed5b8584d..d370cef69 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -42,6 +42,7 @@ enum ad_basic_opt {
AD_KRB5_REALM,
AD_ENABLE_DNS_SITES,
AD_ACCESS_FILTER,
+ AD_ENABLE_GC,
AD_OPTS_BASIC /* opts counter */
};
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 8022a1627..5b7b1c89f 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -36,6 +36,7 @@ struct dp_option ad_basic_opts[] = {
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ad_enable_dns_sites", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
+ { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
DP_OPTION_TERMINATOR
};
diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
index 648b68f2d..07502b82d 100644
--- a/src/tests/cmocka/test_ad_common.c
+++ b/src/tests/cmocka/test_ad_common.c
@@ -159,6 +159,8 @@ void test_conn_list(void **state)
struct ad_common_test_ctx);
assert_non_null(test_ctx);
+ assert_true(dp_opt_get_bool(test_ctx->ad_ctx->ad_options->basic,
+ AD_ENABLE_GC));
conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->dom);
assert_non_null(conn_list);
@@ -177,6 +179,24 @@ void test_conn_list(void **state)
assert_false(conn_list[0]->ignore_mark_offline);
assert_null(conn_list[1]);
talloc_free(conn_list);
+
+ dp_opt_set_bool(test_ctx->ad_ctx->ad_options->basic, AD_ENABLE_GC, false);
+ assert_false(dp_opt_get_bool(test_ctx->ad_ctx->ad_options->basic,
+ AD_ENABLE_GC));
+
+ conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->dom);
+ assert_non_null(conn_list);
+
+ assert_true(conn_list[0] == test_ctx->ad_ctx->ldap_ctx);
+ assert_false(conn_list[0]->ignore_mark_offline);
+ assert_null(conn_list[1]);
+ talloc_free(conn_list);
+
+ conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->subdom);
+ assert_non_null(conn_list);
+
+ assert_null(conn_list[0]);
+ talloc_free(conn_list);
}
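Review bot: The GC-disabled subdomain case at the end checks only `conn_list[0]`; adding `assert_null(conn_list[1]);` would pin that the list is entirely empty rather than merely shifted. The test also flips AD_ENABLE_GC to false through dp_opt_set_bool and never restores it, so if test_ctx and its ad_options are shared across test functions rather than rebuilt by a per-test setup, every later test silently runs with GC disabled; either confirm the setup is per-test or add `dp_opt_set_bool(test_ctx->ad_ctx->ad_options->basic, AD_ENABLE_GC, true);` before the closing brace. test_conn_list begins before the hunk.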
int main(int argc, const char *argv[])