author | Sumit Bose <sbose@redhat.com> | 2015-04-28 17:18:48 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-05-05 16:02:30 +0200 |
commit | e87badc0f6fb20a443cf12bde9582ecbc2aef727 (patch) | |
tree | 2b9addd71f81b414f9f3493b7a96d0d03da6afca /src/providers/ipa/ipa_subdomains_id.c | |
parent | 56552c518a07b45b25d4a2ef58d37fac0918ce60 (diff) | |
IPA: do initgroups if extdom exop supports it
Newer versions of the extdom plugin return the full list of
group-memberships during a user lookup request. With these versions there
is no need to reject an initgroups request for sub/trusted-domain users
anymore. This is e.g. useful for callers which call getgrouplist()
directly without calling getpwnam() before. Additionally it helps if for
some reason the lifetime of the user entry and the lifetime of the
initgroups data are different.
Related to https://fedorahosted.org/sssd/ticket/2633
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers/ipa/ipa_subdomains_id.c')
-rw-r--r-- | src/providers/ipa/ipa_subdomains_id.c | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c index 15776d2e1..1253510dc 100644 --- a/src/providers/ipa/ipa_subdomains_id.c +++ b/src/providers/ipa/ipa_subdomains_id.c @@ -386,14 +386,8 @@ struct tevent_req *ipa_get_subdom_acct_send(TALLOC_CTX *memctx, case BE_REQ_GROUP: case BE_REQ_BY_SECID: case BE_REQ_USER_AND_GROUP: - ret = EOK; - break; case BE_REQ_INITGROUPS: - ret = ENOTSUP; - DEBUG(SSSDBG_TRACE_FUNC, "Initgroups requests are not handled " \ - "by the IPA provider but are resolved " \ - "by the responder directly from the " \ - "cache.\n"); + ret = EOK; break; default: ret = EINVAL; @@ -434,6 +428,22 @@ static void ipa_get_subdom_acct_connected(struct tevent_req *subreq) return; } + if (state->entry_type == BE_REQ_INITGROUPS) { + /* With V1 of the extdom plugin a user lookup will resolve the full + * group membership of the user. */ + if (sdap_is_extension_supported(sdap_id_op_handle(state->op), + EXOP_SID2NAME_V1_OID)) { + state->entry_type = BE_REQ_USER; + } else { + DEBUG(SSSDBG_TRACE_FUNC, "Initgroups requests are not handled " \ + "by the IPA provider but are resolved " \ + "by the responder directly from the " \ + "cache.\n"); + tevent_req_error(req, ENOTSUP); + return; + } + } + req_input = talloc(state, struct req_input); if (req_input == NULL) { DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n"); |
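Review bot: In the first hunk (ipa_get_subdom_acct_send), `case BE_REQ_INITGROUPS:` now shares `ret = EOK` with the other request types, and nothing at that label says the request can still be rejected later. The ENOTSUP decision has moved into ipa_get_subdom_acct_connected, so it is reached only after the connection step. A short comment at the case label pointing to that later check would help. It is also worth confirming that callers which relied on an immediate ENOTSUP, so that the responder resolves initgroups from the cache, behave correctly when an error from the connect path arrives first.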
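Review bot: In the second hunk (ipa_get_subdom_acct_connected), `state->entry_type = BE_REQ_USER;` overwrites the original request type, so code after this point can no longer tell an initgroups request from a plain user lookup. Consider keeping the original type in a separate state field, or extend the comment to say the rewrite is intentional and why nothing downstream needs the distinction. The DEBUG text in the else branch was moved over unchanged and still reads "Initgroups requests are not handled by the IPA provider", which no longer holds in general; it should say that the server does not advertise EXOP_SID2NAME_V1_OID.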