author | Sumit Bose <sbose@redhat.com> | 2015-04-22 16:57:37 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-04-29 11:33:22 +0200 |
commit | f70a1adbfc30b9acc302027439fb8157e0c6ea2a (patch) | |
tree | b65879cc54087e6e7fcc5aea4e2b86a4de3d1683 /src/providers/ipa | |
parent | 82a958e6592c4a4078e45b7197bbe4751b70f511 (diff) | |
IPA: allow initgroups by SID for AD users
If a user from a trusted AD domain is searched with the help of an
override name the SID from the override anchor is used to search the
user in AD. Currently the initgroups request only allows searches by
name. With this patch a SID can be used as well.
Resolves https://fedorahosted.org/sssd/ticket/2632
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers/ipa')
-rw-r--r-- | src/providers/ipa/ipa_subdomains_id.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 0508e14b6..15776d2e1 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -201,6 +201,7 @@ static void ipa_subdomain_account_got_override(struct tevent_req *subreq)
 }
 if (state->override_attrs != NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Processing override.\n");
 ret = sysdb_attrs_get_string(state->override_attrs, SYSDB_OVERRIDE_ANCHOR_UUID, &anchor);
@@ -219,6 +220,16 @@ static void ipa_subdomain_account_got_override(struct tevent_req *subreq)
 DEBUG(SSSDBG_OP_FAILURE, "get_be_acct_req_for_sid failed.\n");
 goto fail;
 }
+
+ if (state->ipa_server_mode
+ && (state->ar->entry_type & BE_REQ_TYPE_MASK)
+ == BE_REQ_INITGROUPS) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Switching back to BE_REQ_INITGROUPS.\n");
+ ar->entry_type = BE_REQ_INITGROUPS;
+ ar->filter_type = BE_FILTER_SECID;
+ ar->attr_type = BE_ATTR_CORE;
+ }
 } else {
 DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported override anchor type [%s].\n", anchor);
@@ -1125,6 +1136,8 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
 /* Replace ID with name in search filter */
 if ((entry_type == BE_REQ_USER && state->ar->filter_type == BE_FILTER_IDNUM)
+ || (entry_type == BE_REQ_INITGROUPS
+ && state->ar->filter_type == BE_FILTER_SECID)
 || entry_type == BE_REQ_BY_SECID) {
 if (state->obj_msg == NULL) {
 ret = get_object_from_cache(state, state->obj_dom, state->ar, |
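Review bot: In the second hunk the new block overwrites `ar->entry_type` wholesale with `BE_REQ_INITGROUPS`, although its own condition masks `state->ar->entry_type` with `BE_REQ_TYPE_MASK`, which suggests the original request may carry bits outside the type field. If those bits matter for the follow-up lookup they are lost here, so either carry them over or state the intent in a comment such as `/* initgroups keeps its request type; only the filter switches to the SID taken from the override anchor */`. The SID comes from the override anchor string parsed earlier in ipa_subdomain_account_got_override, outside the hunk. Since it now selects the user whose group memberships are resolved, it is worth confirming that the BE_FILTER_SECID initgroups path checks it is a well-formed SID before using it in a search.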
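Review bot: In the third hunk the comment above the extended condition, `/* Replace ID with name in search filter */`, no longer describes the branch, which after this change also rewrites SID-based initgroups requests. Something like `/* Replace ID or SID with name in search filter */` would keep the comment in step with the three cases. The condition mixes the local `entry_type` with `state->ar->filter_type`, and `entry_type` is assigned outside the hunk. Presumably it is already masked with `BE_REQ_TYPE_MASK`; if it is not, the new `entry_type == BE_REQ_INITGROUPS` comparison would miss requests that carry extra flag bits. The body of ipa_get_ad_apply_override_step continues beyond the hunk.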