authorJakub Hrozek <jhrozek@redhat.com>2013-05-29 16:01:23 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-06-07 00:14:13 +0200
commitd27d7f2c270b69d0805633c4bedcf6d806acd5cd (patch)
tree1b62806ff69b94e1f753a3abd933858a307a08ec
parenta79c0a639c4ab26eacbc29f9f42bc95421e33f6e (diff)
LDAP: Do not store separate GID for subdomain users
As the subdomains are MPG domains, we don't want to store a separate GID for the subdomain users, but rather just create a UPG.
-rw-r--r--src/providers/ldap/sdap_async_users.c28
1 files changed, 18 insertions, 10 deletions
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index e4d224cc8..a368965f6 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -267,13 +267,20 @@ int sdap_save_user(TALLOC_CTX *memctx,
}
if (use_id_mapping) {
- ret = sdap_get_idmap_primary_gid(opts, attrs, sid_str, dom_sid_str,
- &gid);
- if (ret) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("Cannot get the GID for [%s] in domain [%s].\n",
- name, dom->name));
- goto done;
+ if (IS_SUBDOMAIN(dom) == false) {
+ ret = sdap_get_idmap_primary_gid(opts, attrs, sid_str, dom_sid_str,
+ &gid);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Cannot get the GID for [%s] in domain [%s].\n",
+ name, dom->name));
+ goto done;
+ }
+ } else {
+ /* For subdomain users, only create the private group as
+ * the subdomain is an MPG domain
+ */
+ gid = 0;
}
/* Store the GID in the ldap_attrs so it doesn't get
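Review bot: `gid = 0` in the new else branch reuses a value that is also a real, privileged group ID as the marker for "no separate GID". The context comment directly below shows the value is then written into the LDAP attrs. Whether every later consumer reads a stored 0 as "create the private group" rather than as primary group 0 cannot be confirmed here, because sdap_save_user continues outside the hunk. I would state the contract in the comment, for example `/* gid 0 is only a marker: the store path must create the UPG and never persist 0 as the primary GID */`, and verify that the MPG store path enforces it.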
@@ -294,9 +301,10 @@ int sdap_save_user(TALLOC_CTX *memctx,
}
/* check that the gid is valid for this domain */
- if (OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
- DEBUG(2, ("User [%s] filtered out! (primary gid out of range)\n",
- name));
+ if (IS_SUBDOMAIN(dom) == false &&
+ OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("User [%s] filtered out! (primary gid out of range)\n", name));
ret = EINVAL;
goto done;
}
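Review bot: The new condition exempts every subdomain user from the range check, not only the `gid = 0` marker assigned in the id-mapping branch of the earlier hunk. If a subdomain user can reach this point with a GID read from the directory (the non-id-mapping path is not visible in these hunks), that value is now accepted without being compared against `dom->id_min`/`dom->id_max`. Limiting the exemption to the marker keeps the filter for real values: `if (!(IS_SUBDOMAIN(dom) && gid == 0) &&` followed by the unchanged `OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {`. As a style point, `!IS_SUBDOMAIN(dom)` reads more plainly than `IS_SUBDOMAIN(dom) == false`, here and in the first hunk.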