diff options
author | Pavel Reichl <preichl@redhat.com> | 2014-06-17 17:16:14 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-07-21 11:30:12 +0200 |
commit | b12e2500237f33c44807d7e5b377ec06007c7252 (patch) | |
tree | 8569539e1149889123202c594313d48ab611ef28 /src/providers/ldap/sdap_async_groups.c | |
parent | 32381402a4a9afc003782c9e2301fc59c9bda2a9 (diff) | |
download | sssd-b12e2500237f33c44807d7e5b377ec06007c7252.tar.gz sssd-b12e2500237f33c44807d7e5b377ec06007c7252.tar.xz sssd-b12e2500237f33c44807d7e5b377ec06007c7252.zip |
LDAP: tokengroups do not work with id_provider=ldap
With plain LDAP provider we already have a sdap_handle, so it should be possible
that in the case where sdom->pvt == NULL sdap_id_op_connect_send() can be
skipped and sdap_get_ad_tokengroups_send() can be already send with the
sdap_handle passed to sdap_ad_tokengroups_initgr_mapping_send(). So we should
only fail if sdom->pvt == NULL and sh == NULL.
if find_subdomain_by_sid() failed we can check if there is only one domain in
the domain list (state->domain) and in this case continue with this domain since
the LDAP provider does not know about sub-domains and hence can only have one
configured domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2345
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers/ldap/sdap_async_groups.c')
-rw-r--r-- | src/providers/ldap/sdap_async_groups.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index ead5d4060..a21b0332e 100644 --- a/src/providers/ldap/sdap_async_groups.c +++ b/src/providers/ldap/sdap_async_groups.c @@ -513,7 +513,8 @@ static int sdap_save_group(TALLOC_CTX *memctx, /* If this object has a SID available, we will determine the correct * domain by its SID. */ if (sid_str != NULL) { - subdomain = find_subdomain_by_sid(get_domains_head(dom), sid_str); + subdomain = sss_get_domain_by_sid_ldap_fallback(get_domains_head(dom), + sid_str); if (subdomain) { dom = subdomain; } else { @@ -537,7 +538,7 @@ static int sdap_save_group(TALLOC_CTX *memctx, goto done; } - DEBUG(SSSDBG_TRACE_ALL, "AD group [%s] has type flags %#x.", + DEBUG(SSSDBG_TRACE_ALL, "AD group [%s] has type flags %#x.\n", group_name, ad_group_type); /* Only security groups from AD are considered for POSIX groups. * Additionally only global and universal group are taken to account |