Do not save HBAC rules in subdomain subtree

Currently the sysdb context is pointed to the subdomain subtree
containing user the user to be checked at the beginning of a HBAC
request. As a result all HBAC rules and related data is save in the
subdomain tree as well. But since the HBAC rules of the configured
domain apply to all users it is sufficient to save them once in the
subtree of the configured domain.

Since most of the sysdb operations during a HBAC request are related to
the HBAC rules and related data this patch does not change the default
sysdb context but only create a special context to look up subdomain
users.

1 files changed, 0 insertions, 10 deletions

diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 5c97575fc..3a34864c4 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -85,16 +85,6 @@ void ipa_access_handler(struct be_req *be_req)
                               be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
                               struct ipa_access_ctx);
 
-    if (strcasecmp(pd->domain, be_req->be_ctx->domain->name) != 0) {
-        be_req->domain = new_subdomain(be_req, be_req->be_ctx->domain, pd->domain, NULL, NULL);
-        if (be_req->domain == NULL) {
-            DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
-            be_req->fn(be_req, DP_ERR_FATAL, PAM_SYSTEM_ERR, NULL);
-            return;
-        }
-        be_req->sysdb = be_req->domain->sysdb;
-    }
-
     /* First, verify that this account isn't locked.
      * We need to do this in case the auth phase was
      * skipped (such as during GSSAPI single-sign-on