author | Sumit Bose <sbose@redhat.com> | 2013-12-18 13:47:31 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-12-19 20:14:25 +0100 |
commit | 402af69c0bb7ea8b84e36f3567de6086042cb152 (patch) | |
tree | 17fe1acf01cb29403028935941d9caca66e2105a /src/providers/ad | |
parent | 8d55e0fffd29184d44cb49eaab2ca3a4226e0123 (diff) | |
download | sssd-402af69c0bb7ea8b84e36f3567de6086042cb152.tar.gz sssd-402af69c0bb7ea8b84e36f3567de6086042cb152.tar.xz sssd-402af69c0bb7ea8b84e36f3567de6086042cb152.zip |
AD: cross-domain membership fix
A recent patch directed all call related to group membership lookups to
the AD LDAP port to fix an issue related to missing group memberships in
the Global Catalog. As a side-effect it broke cross-domain
group-memberships because those cannot be resolved by the connection to
the LDAP port.
The patch tries to fix this by restoring the original behaviour in the
top-level lookup calls in the AD provider and switching to the LDAP port
only for the LDAP request which is expected to return the full group
membership.
Additionally this patch contains a related fix for the tokenGroups with
Posix attributes patch. The original connection, typically a Global
Catalog connection in the AD case is passed down the stack so that the
group lookup after the tokenGroups request can run over the same
connection.
Diffstat (limited to 'src/providers/ad')
-rw-r--r-- | src/providers/ad/ad_id.c | 19 | ||||
-rw-r--r-- | src/providers/ad/ad_init.c | 2 |
2 files changed, 4 insertions, 17 deletions
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index 19bc65825..cf71b172d 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -199,6 +199,8 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
 case BE_REQ_USER: /* user */
 case BE_REQ_BY_SECID: /* by SID */
 case BE_REQ_USER_AND_GROUP: /* get SID */
+ case BE_REQ_GROUP: /* group */
+ case BE_REQ_INITGROUPS: /* init groups for user */
 /* Always try GC first */
 clist[0] = ad_ctx->gc_ctx;
 if (IS_SUBDOMAIN(dom) == true) {
@@ -215,23 +217,6 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
 */
 clist[1] = ad_ctx->ldap_ctx;
 break;
-
- case BE_REQ_GROUP: /* group */
- case BE_REQ_INITGROUPS: /* init groups for user */
- if (IS_SUBDOMAIN(dom)) {
- sdom = sdap_domain_get(ad_ctx->sdap_id_ctx->opts, dom);
- if (sdom == NULL || sdom->pvt == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("No ID ctx available for [%s].\n",
- dom->name));
- return NULL;
- }
- subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
- clist[0] = subdom_id_ctx->ldap_ctx;
- } else {
- clist[0] = ad_ctx->ldap_ctx;
- }
- break;
-
 default:
 clist[0] = ad_ctx->ldap_ctx;
 break;
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index d06efbd08..332bfda38 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -214,6 +214,8 @@ sssm_ad_id_init(struct be_ctx *bectx,
 goto done;
 }
+ ad_ctx->sdap_id_ctx->opts->sdom->pvt = ad_ctx;
+
 /* Set up the ID mapping object */
 ret = sdap_idmap_init(ad_ctx->sdap_id_ctx, ad_ctx->sdap_id_ctx,
 &ad_ctx->sdap_id_ctx->opts->idmap_ctx);
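Review bot: The new `case BE_REQ_GROUP:` and `case BE_REQ_INITGROUPS:` labels now fall under the existing `/* Always try GC first */` comment, but nothing in the hunk records why group lookups may start at the Global Catalog again after the earlier patch moved them to the LDAP port; the commit message places the LDAP-port switch in the request that fetches the full membership, which is outside this diff (limited to src/providers/ad). A comment on the new labels would make that split explicit for the next reader, e.g. `/* Group/initgroups start at the GC so cross-domain memberships resolve; the full-membership fetch switches to the LDAP port itself */`. The branch removed in the second hunk also failed explicitly with `No ID ctx available` when a subdomain had no `sdom->pvt`; whether the GC path entered through `if (IS_SUBDOMAIN(dom) == true)` covers that case cannot be confirmed here, since get_conn_list's body continues past the hunk.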
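Review bot: The added line `ad_ctx->sdap_id_ctx->opts->sdom->pvt = ad_ctx;` in sssm_ad_id_init is undocumented, and the code removed from ad_id.c read this field back via `talloc_get_type(sdom->pvt, struct ad_id_ctx)`, so the stored type is a contract other lookups depend on. A short comment would pin it down: `/* Publish this domain's ad_id_ctx through sdom->pvt so per-domain lookups can recover it with talloc_get_type() */`. Whether `opts->sdom` is guaranteed non-NULL at this point is not visible in the hunk (sssm_ad_id_init starts outside it); if an earlier step can leave it unset, a guard before the dereference would be preferable to relying on the preceding `goto done` paths.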