authorPavel Březina <pbrezina@redhat.com>2013-09-11 14:01:31 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-10-30 22:54:40 +0100
commitfc2dca9b7009885e1ceda8ab1df57c8e98f4f2b0 (patch)
tree470a24ecf01ab520603b9115e9abb1123202bbf1
parentd1fd7269420dfdb46cf60e138af6ba051e5ef3bb (diff)
nested groups: pick correct domain for cache lookups
Groups may contain members from different domains. We need to make sure that we always choose the correct domain for subdomain users when looking them up in sysdb. Resolves: https://fedorahosted.org/sssd/ticket/2064
-rw-r--r--src/providers/ldap/sdap_async_nested_groups.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
index 6e7056618..1860b98c3 100644
--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
@@ -328,11 +328,14 @@ done:
}
static errno_t
-sdap_nested_group_check_cache(struct sss_domain_info *domain,
+sdap_nested_group_check_cache(struct sdap_options *opts,
+ struct sss_domain_info *domain,
const char *member_dn,
enum sdap_nested_group_dn_type *_type)
{
TALLOC_CTX *tmp_ctx = NULL;
+ struct sdap_domain *sdap_domain = NULL;
+ struct sss_domain_info *member_domain = NULL;
char *sanitized_dn = NULL;
char *filter = NULL;
errno_t ret;
@@ -354,8 +357,12 @@ sdap_nested_group_check_cache(struct sss_domain_info *domain,
goto done;
}
+ /* determine correct domain of this member */
+ sdap_domain = sdap_domain_get_by_dn(opts, member_dn);
+ member_domain = sdap_domain == NULL ? domain : sdap_domain->dom;
+
/* search in users */
- ret = sdap_nested_group_sysdb_search_users(domain, filter);
+ ret = sdap_nested_group_sysdb_search_users(member_domain, filter);
if (ret == EOK || ret == EAGAIN) {
/* user found */
*_type = SDAP_NESTED_GROUP_DN_USER;
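Review bot: The fallback in `member_domain = sdap_domain == NULL ? domain : sdap_domain->dom;` is silent, so a member DN that matches no configured sdap_domain is looked up in the group's own domain with nothing in the logs to show it. These cache lookups decide whether a member is classified as a user or a group, and presumably feed group membership, so I would log the miss, e.g. `DEBUG(SSSDBG_TRACE_ALL, ("[%s] matches no known domain, using group's domain\n", member_dn));`. I would also extend the comment to `/* determine correct domain of this member; fall back to the group's domain when the DN matches no sdap_domain */`. It is worth confirming that `sdap_domain->dom` cannot be NULL at this point, since the hunk does not show it. The body of sdap_nested_group_check_cache starts and ends outside this hunk.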
@@ -366,7 +373,7 @@ sdap_nested_group_check_cache(struct sss_domain_info *domain,
}
/* search in groups */
- ret = sdap_nested_group_sysdb_search_groups(domain, filter);
+ ret = sdap_nested_group_sysdb_search_groups(member_domain, filter);
if (ret == EOK || ret == EAGAIN) {
/* group found */
*_type = SDAP_NESTED_GROUP_DN_GROUP;
@@ -453,7 +460,8 @@ sdap_nested_group_split_members(TALLOC_CTX *mem_ctx,
}
/* check sysdb */
- ret = sdap_nested_group_check_cache(group_ctx->domain, dn, &type);
+ ret = sdap_nested_group_check_cache(group_ctx->opts, group_ctx->domain,
+ dn, &type);
if (ret == EOK) {
/* found and valid */
DEBUG(SSSDBG_TRACE_ALL, ("[%s] found in cache, skipping\n", dn));