author | Sumit Bose <sbose@redhat.com> | 2015-01-23 14:39:07 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-01-23 21:51:56 +0100 |
commit | 20f4640cd4dbec3a91b615611a4adc418ffae91c (patch) | |
tree | fe644ede6037248b2ef182fabdbb1fb37e533e6a /src/db | |
parent | 97c0a591a1e09be520a6faaf51a4ba72d76f0c24 (diff) | |
sysdb: remove ghosts in all sub-domains as well
If a user is a member of a group in a different sub-domain, e.g. with
universal groups in AD, the ghost attribute might not be properly
removed from the group object if the user is resolved. The reason is
that only groups from the domain of the user were searched for ghost
attributes. This patch increases the search-base to all sub-domains of
the configured SSSD domain.
Resolves https://fedorahosted.org/sssd/ticket/2567
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit fc2146c108e28d50bbf691925cedf9592142dd14)
Diffstat (limited to 'src/db')
-rw-r--r-- | src/db/sysdb_ops.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index b12540b68..0c254d8cd 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c @@ -1219,8 +1219,9 @@ sysdb_remove_ghostattr_from_groups(struct sss_domain_info *domain, ERROR_OUT(ret, EINVAL, done); } - tmpdn = ldb_dn_new_fmt(tmp_ctx, domain->sysdb->ldb, - SYSDB_TMPL_GROUP_BASE, domain->name); + /* To cover cross-domain group-membership we must search in all + * sub-domains. */ + tmpdn = ldb_dn_new(tmp_ctx, domain->sysdb->ldb, SYSDB_BASE); if (!tmpdn) { ret = ENOMEM; goto done; |
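Review bot: The new base in `tmpdn = ldb_dn_new(tmp_ctx, domain->sysdb->ldb, SYSDB_BASE);` has neither the group container nor a domain component that `SYSDB_TMPL_GROUP_BASE` with `domain->name` provided, so the scope of the ghost removal now depends entirely on the search filter and scope used further down in `sysdb_remove_ghostattr_from_groups()`, which this hunk does not show. Please confirm that the filter restricts matches to group objects, so that widening the base cannot touch non-group entries that happen to carry a matching attribute value. The added comment says "all sub-domains", while the base covers everything under `SYSDB_BASE`; it would help to say that in the comment and to note why per-sub-domain group bases were not iterated instead. Since this lookup now walks a larger subtree, a short note on the expected cost for deployments with many sub-domains would also be useful, along with a test case where the user and the group holding the ghost entry live in different sub-domains.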