authorSumit Bose <sbose@redhat.com>2015-01-22 21:20:25 +0100
committerJakub Hrozek <jhrozek@redhat.com>2015-01-26 23:41:13 +0100
commit63748c69a2c6785d949c82f94749704e0408e5a7 (patch)
tree68b843753dba9485c9edf0a613d6f3555e71806c /src/providers/ipa/ipa_subdomains_ext_groups.c
parente438fbf102c3d787902504bdae177e84230cbbc9 (diff)
IPA: resolve IPA group-memberships for AD users
So far the IPA group memberships were resolved for AD users only for initgroups requests, and due to 6fac5e5f0c54a0f92872ce1450606cfcb577a920 those memberships are not overridden by other requests. But it turned out that the originalMemberOf attributes related to the IPA group memberships can be overridden by user lookups. Since the originalMemberOf attribute is important in the HBAC evaluation, this patch makes sure that the originalMemberOf attribute is not removed but updated during user lookups. Related to https://fedorahosted.org/sssd/ticket/2560 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers/ipa/ipa_subdomains_ext_groups.c')
-rw-r--r--src/providers/ipa/ipa_subdomains_ext_groups.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
index 6feca44de..b9690bdb6 100644
--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
@@ -452,7 +452,8 @@ struct tevent_req *ipa_get_ad_memberships_send(TALLOC_CTX *mem_ctx,
state->domain = domain;
state->dp_error = -1;
- if ((ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_INITGROUPS
+ if (((ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_INITGROUPS
+ && (ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_USER)
|| ar->filter_type != BE_FILTER_NAME) {
DEBUG(SSSDBG_OP_FAILURE, "Unsupported request type.\n");
ret = EINVAL;
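Review bot: The widened condition starting at `if (((ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_INITGROUPS` has no comment saying why BE_REQ_USER is now accepted, although the commit message ties it to keeping originalMemberOf intact for HBAC evaluation. A short comment such as `/* User lookups must also update originalMemberOf, which HBAC evaluation relies on */` would keep a later cleanup from narrowing the check again. The masked type is also computed twice; a local such as `int req_type = ar->entry_type & BE_REQ_TYPE_MASK;` (assuming the field is an int) would make the test easier to read. The failure branch still logs only "Unsupported request type." without the rejected entry or filter value, so a misrouted request is hard to diagnose from the logs. The body of ipa_get_ad_memberships_send starts and ends outside the hunk, so whether the later steps behave correctly for user lookups cannot be checked here.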