author | Sumit Bose <sbose@redhat.com> | 2013-12-09 11:45:28 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-12-18 15:33:12 +0100 |
commit | 0324d31d0479e5de0d3aac05bf5fb922d84f84c4 (patch) | |
tree | e35f2dd9fb5472b764ca8f350ddd9f82fb4b6074 /src/providers/ad/ad_id.c | |
parent | 81aa563090c33bafbf22f1cde586b77ed526c25f (diff) | |
download | sssd-0324d31d0479e5de0d3aac05bf5fb922d84f84c4.tar.gz sssd-0324d31d0479e5de0d3aac05bf5fb922d84f84c4.tar.xz sssd-0324d31d0479e5de0d3aac05bf5fb922d84f84c4.zip |
AD: use LDAP for group lookups
The group memberships cannot be reliably retrieved from the Global
Catalog. By default the memberOf attribute is not replicated to the GC
at all, and the member attribute is copied from the local LDAP instance
to the GC running on the same host but is only replicated to other GC
instances for groups with universal scope. Additionally, the tokenGroups
attribute contains invalid SIDs when used with the GC for users from a
different domain than the one the GC belongs to.
As a result, requests which try to resolve the group memberships of an
AD user have to go to an LDAP server from the domain of the user.
Fixes https://fedorahosted.org/sssd/ticket/2161 and
https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
Diffstat (limited to 'src/providers/ad/ad_id.c')
-rw-r--r-- | src/providers/ad/ad_id.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index 87b69c668..dadb50da9 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -188,6 +188,8 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
                              struct sss_domain_info *dom, struct be_acct_req *ar)
 {
     struct sdap_id_conn_ctx **clist;
+    struct sdap_domain *sdom;
+    struct ad_id_ctx *subdom_id_ctx;
 
     /* LDAP, GC, sentinel */
     clist = talloc_zero_array(breq, struct sdap_id_conn_ctx *, 3);
@@ -197,8 +199,6 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
     case BE_REQ_USER: /* user */
     case BE_REQ_BY_SECID: /* by SID */
     case BE_REQ_USER_AND_GROUP: /* get SID */
-    case BE_REQ_GROUP: /* group */
-    case BE_REQ_INITGROUPS: /* init groups for user */
         /* Always try GC first */
         clist[0] = ad_ctx->gc_ctx;
         if (IS_SUBDOMAIN(dom) == true) {
@@ -216,6 +216,22 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
         clist[1] = ad_ctx->ldap_ctx;
         break;
 
+    case BE_REQ_GROUP: /* group */
+    case BE_REQ_INITGROUPS: /* init groups for user */
+        if (IS_SUBDOMAIN(dom)) {
+            sdom = sdap_domain_get(ad_ctx->sdap_id_ctx->opts, dom);
+            if (sdom == NULL || sdom->pvt == NULL) {
+                DEBUG(SSSDBG_CRIT_FAILURE, ("No ID ctx available for [%s].\n",
+                                            dom->name));
+                return NULL;
+            }
+            subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
+            clist[0] = subdom_id_ctx->ldap_ctx;
+        } else {
+            clist[0] = ad_ctx->ldap_ctx;
+        }
+        break;
+
     default:
         clist[0] = ad_ctx->ldap_ctx;
         break; |
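Review bot: In the third hunk the new BE_REQ_GROUP/BE_REQ_INITGROUPS branch checks `sdom->pvt` for NULL but not the result of `talloc_get_type()`, which returns NULL when the stored talloc type name does not match `struct ad_id_ctx`, so `subdom_id_ctx->ldap_ctx` would dereference NULL in that case; I would extend the guard to `if (subdom_id_ctx == NULL || subdom_id_ctx->ldap_ctx == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, ("No LDAP ctx available for [%s].\n", dom->name)); return NULL; }` right after the cast. The rationale for routing these requests to LDAP instead of the GC lives only in the commit message; a short comment above the case labels such as `/* Group memberships are not reliable in the GC (memberOf is not replicated, member only for universal groups, tokenGroups yields invalid SIDs for foreign-domain users), so always use the domain's own LDAP connection. */` would keep a future maintainer from "optimizing" this back to GC-first. As a minor style point, the new code tests `IS_SUBDOMAIN(dom)` while the existing user branch in the second hunk writes `IS_SUBDOMAIN(dom) == true`; one form should be used throughout get_conn_list. The enclosing function starts before the first hunk and continues past the last one.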