diff options
author | Pavel Reichl <preichl@redhat.com> | 2014-06-17 17:16:14 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-07-21 11:48:53 +0200 |
commit | deb0cc874606db31f454531c03d381fe0de76bd6 (patch) | |
tree | 1e8b27458d1936edb10905914c9eda2ff4ab7a41 /src/providers/ldap/sdap_async_groups.c | |
parent | 80af7e9daed52b283af037864bcdd86d96695618 (diff) | |
download | sssd-deb0cc874606db31f454531c03d381fe0de76bd6.tar.gz sssd-deb0cc874606db31f454531c03d381fe0de76bd6.tar.xz sssd-deb0cc874606db31f454531c03d381fe0de76bd6.zip |
LDAP: tokengroups do not work with id_provider=ldap
With plain LDAP provider we already have a sdap_handle, so it should be possible
that in the case where sdom->pvt == NULL sdap_id_op_connect_send() can be
skipped and sdap_get_ad_tokengroups_send() can be already send with the
sdap_handle passed to sdap_ad_tokengroups_initgr_mapping_send(). So we should
only fail if sdom->pvt == NULL and sh == NULL.
if find_subdomain_by_sid() failed we can check if there is only one domain in
the domain list (state->domain) and in this case continue with this domain since
the LDAP provider does not know about sub-domains and hence can only have one
configured domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2345
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b12e2500237f33c44807d7e5b377ec06007c7252)
Diffstat (limited to 'src/providers/ldap/sdap_async_groups.c')
-rw-r--r-- | src/providers/ldap/sdap_async_groups.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index 2f568c472..6f3c8b8eb 100644 --- a/src/providers/ldap/sdap_async_groups.c +++ b/src/providers/ldap/sdap_async_groups.c @@ -515,7 +515,8 @@ static int sdap_save_group(TALLOC_CTX *memctx, /* If this object has a SID available, we will determine the correct * domain by its SID. */ if (sid_str != NULL) { - subdomain = find_subdomain_by_sid(get_domains_head(dom), sid_str); + subdomain = sss_get_domain_by_sid_ldap_fallback(get_domains_head(dom), + sid_str); if (subdomain) { dom = subdomain; } else { @@ -539,7 +540,7 @@ static int sdap_save_group(TALLOC_CTX *memctx, goto done; } - DEBUG(SSSDBG_TRACE_ALL, "AD group [%s] has type flags %#x.", + DEBUG(SSSDBG_TRACE_ALL, "AD group [%s] has type flags %#x.\n", group_name, ad_group_type); /* Only security groups from AD are considered for POSIX groups. * Additionally only global and universal group are taken to account |