authorJakub Hrozek <jhrozek@redhat.com>2013-07-12 17:57:01 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-07-17 13:13:10 +0200
commit1bb04648878b7b3e3897484e7cfc2d11725c8014 (patch)
treeaf8fa43bd0b320a77fe77ff54ad26b4be44ef8f5
parent9c25d1420ddf482b01bdaba54a15bce8a6f32943 (diff)
LDAP: When resolving a SID, search for groups first, then users
https://fedorahosted.org/sssd/ticket/1997 Most of the time, the SIDs are resolved as a call coming from the PAC responder during initgroups. In that case at least, it makes sense to search for a group matching that SID first, then users. We may consider making this behaviour configurable, i.e. for the server mode where typically the users should be queried first.
-rw-r--r--src/providers/ldap/ldap_id.c37
1 files changed, 18 insertions, 19 deletions
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index addb2f3cb..edf5106fa 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -1452,17 +1452,17 @@ static struct tevent_req *get_user_and_group_send(TALLOC_CTX *memctx,
state->filter_type = filter_type;
state->attrs_type = attrs_type;
- subreq = users_get_send(req, state->ev, state->id_ctx,
- state->sdom, state->conn,
- state->filter_val, state->filter_type,
- state->attrs_type, NULL);
+ subreq = groups_get_send(req, state->ev, state->id_ctx,
+ state->sdom, state->conn,
+ state->filter_val, state->filter_type,
+ state->attrs_type, state->noexist_delete);
if (subreq == NULL) {
DEBUG(SSSDBG_OP_FAILURE, ("users_get_send failed.\n"));
ret = ENOMEM;
goto fail;
}
- tevent_req_set_callback(subreq, get_user_and_group_users_done, req);
+ tevent_req_set_callback(subreq, get_user_and_group_groups_done, req);
return req;
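Review bot: The first lookup now passes `state->noexist_delete` as its last argument, where the removed `users_get_send` call passed `NULL`, so a miss on the first object type is no longer exempt from whatever that flag triggers. How `groups_get_send` handles the flag is not visible here, and `get_user_and_group_send` starts above the hunk, but if the flag removes a cached entry on ENOENT, a SID that belongs to a user would go through that path before the user search runs; consider ending the first call with `state->attrs_type, false);` and leaving deletion to the second lookup. Separately, the failure message under this call still reads `users_get_send failed.`, and the retry in `get_user_and_group_groups_done` logs `groups_get_send failed.` after calling `users_get_send`; swap the two strings so the log names the call that actually failed.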
@@ -1472,7 +1472,7 @@ fail:
return req;
}
-static void get_user_and_group_users_done(struct tevent_req *subreq)
+static void get_user_and_group_groups_done(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(subreq,
struct tevent_req);
@@ -1480,15 +1480,15 @@ static void get_user_and_group_users_done(struct tevent_req *subreq)
struct get_user_and_group_state);
int ret;
- ret = users_get_recv(subreq, &state->dp_error, &state->sdap_ret);
+ ret = groups_get_recv(subreq, &state->dp_error, &state->sdap_ret);
talloc_zfree(subreq);
- if (ret != EOK) { /* Fatal error while looking up user */
+ if (ret != EOK) { /* Fatal error while looking up group */
tevent_req_error(req, ret);
return;
}
- if (state->sdap_ret == EOK) { /* Matching user found */
+ if (state->sdap_ret == EOK) { /* Matching group found */
tevent_req_done(req);
return;
} else if (state->sdap_ret != ENOENT) {
@@ -1497,22 +1497,21 @@ static void get_user_and_group_users_done(struct tevent_req *subreq)
}
/* Now the search finished fine but did not find an entry.
- * Retry with groups. */
-
- subreq = groups_get_send(req, state->ev, state->id_ctx,
- state->sdom, state->conn,
- state->filter_val, state->filter_type,
- state->attrs_type, state->noexist_delete);
+ * Retry with users. */
+ subreq = users_get_send(req, state->ev, state->id_ctx,
+ state->sdom, state->conn,
+ state->filter_val, state->filter_type,
+ state->attrs_type, state->noexist_delete);
if (subreq == NULL) {
DEBUG(SSSDBG_OP_FAILURE, ("groups_get_send failed.\n"));
tevent_req_error(req, ENOMEM);
return;
}
- tevent_req_set_callback(subreq, get_user_and_group_groups_done, req);
+ tevent_req_set_callback(subreq, get_user_and_group_users_done, req);
}
-static void get_user_and_group_groups_done(struct tevent_req *subreq)
+static void get_user_and_group_users_done(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(subreq,
struct tevent_req);
@@ -1520,10 +1519,10 @@ static void get_user_and_group_groups_done(struct tevent_req *subreq)
struct get_user_and_group_state);
int ret;
- ret = groups_get_recv(subreq, &state->dp_error, &state->sdap_ret);
+ ret = users_get_recv(subreq, &state->dp_error, &state->sdap_ret);
talloc_zfree(subreq);
- if (ret == EOK) { /* Matching group found */
+ if (ret == EOK) { /* Matching user found */
tevent_req_done(req);
} else {
tevent_req_error(req, ret);