authorSumit Bose <sbose@redhat.com>2013-12-10 10:14:28 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-12-19 17:36:09 +0100
commitb61518461e08ba0e33ffd6c0c47da709a5757658 (patch)
treeb095f186cffac1873c0f305f63311cdcbf384fd9 /src/providers/ldap/sdap.h
parent4c106dc57de95ae1e9b41ec56f6c866d7098bbdf (diff)
AD: filter domain local groups for trusted/sub domains
In Active Directory, groups with a domain local scope should only be used inside of the specific domain. Since SSSD reads the group memberships from the LDAP server of the user's domain, the domain local groups are included in the LDAP result. Those groups should be filtered out if the domain is a sub/trusted domain, i.e. is not the domain the client running SSSD is joined to. The groups will still be in the cache but marked as non-POSIX groups and no GID will be assigned. Fixes https://fedorahosted.org/sssd/ticket/2178
Diffstat (limited to 'src/providers/ldap/sdap.h')
-rw-r--r--src/providers/ldap/sdap.h8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index b42bb541a..d408be0a6 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -137,6 +137,14 @@ struct sdap_ppolicy_data {
#define SDAP_AD_USN "uSNChanged"
#define SDAP_AD_LAST_USN "highestCommittedUSN"
+#define SDAP_AD_GROUP_TYPE_BUILTIN 0x00000001
+#define SDAP_AD_GROUP_TYPE_GLOBAL 0x00000002
+#define SDAP_AD_GROUP_TYPE_DOMAIN_LOCAL 0x00000004
+#define SDAP_AD_GROUP_TYPE_UNIVERSAL 0x00000008
+#define SDAP_AD_GROUP_TYPE_APP_BASIC 0x00000010
+#define SDAP_AD_GROUP_TYPE_APP_QUERY 0x00000020
+#define SDAP_AD_GROUP_TYPE_SECURITY 0x80000000
+
enum sdap_basic_opt {
SDAP_URI = 0,
SDAP_BACKUP_URI,
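Review bot: The new `SDAP_AD_GROUP_TYPE_*` macros have no comment saying that they are bit flags of the AD `groupType` attribute, and the filtering decision this commit describes depends on them being tested as a mask. I would add above the block `/* Bit flags of the AD groupType attribute; combine and test with '&', never compare with '=='. */`. Note also that `SDAP_AD_GROUP_TYPE_SECURITY` (`0x80000000`) does not fit in a 32-bit `int`, so it has type `unsigned int` while the other six are `int`. AD returns `groupType` as a signed 32-bit decimal, so a security-enabled domain local group arrives as a negative number. The parsing code is not in this hunk, but it should accept negative values and convert to `uint32_t` before masking, otherwise such a group from a trusted domain could slip past the filter and keep its GID. The enum `sdap_basic_opt` that follows continues outside the hunk.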