AD: Optimize initgroups lookups with tokenGroups

https://fedorahosted.org/sssd/ticket/1355
author: Stephen Gallagher <sgallagh@redhat.com> 2012-09-18 16:51:15 -0400
committer: Jakub Hrozek <jhrozek@redhat.com> 2012-09-24 15:00:11 +0200
commit: d0e0e73e86f2afdb7f8fefbed70fda8d77b1c25a (patch)
tree: 445f1806f9f1344dfa3b4f05b5c9294cdc541696 /src/providers/ldap/sdap_async_initgroups.c
parent: e6ba224432bfcd64802222a3544bc38c179727cd (diff)
download: sssd-d0e0e73e86f2afdb7f8fefbed70fda8d77b1c25a.tar.gz
sssd-d0e0e73e86f2afdb7f8fefbed70fda8d77b1c25a.tar.xz
sssd-d0e0e73e86f2afdb7f8fefbed70fda8d77b1c25a.zip
1 files changed, 20 insertions, 4 deletions
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index d55f661ff..71b4536b3 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2642,6 +2642,8 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
     const char *orig_dn;
     const char *cname;
     bool in_transaction = false;
+    bool use_id_mapping =
+            dp_opt_get_bool(state->opts->basic, SDAP_ID_MAPPING);
 
     DEBUG(9, ("Receiving info for the user\n"));
 
@@ -2731,9 +2733,17 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
             return;
         }
 
-        if (state->opts->support_matching_rule
-                && dp_opt_get_bool(state->opts->basic,
-                                   SDAP_AD_MATCHING_RULE_INITGROUPS)) {
+        if (use_id_mapping
+                && state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008) {
+            /* Take advantage of AD's tokenGroups mechanism to look up all
+             * parent groups in a single request.
+             */
+            subreq = sdap_get_ad_tokengroups_initgroups_send(
+                    state, state->ev, state->opts, state->sysdb,
+                    state->sh, cname, orig_dn, state->timeout);
+        } else if (state->opts->support_matching_rule
+                    && dp_opt_get_bool(state->opts->basic,
+                                       SDAP_AD_MATCHING_RULE_INITGROUPS)) {
             /* Take advantage of AD's extensibleMatch filter to look up
              * all parent groups in a single request.
              */
@@ -2815,7 +2825,13 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
 
     case SDAP_SCHEMA_RFC2307BIS:
     case SDAP_SCHEMA_AD:
-        if (dp_opt_get_bool(state->opts->basic, SDAP_AD_MATCHING_RULE_INITGROUPS)) {
+        if (use_id_mapping
+                && state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008) {
+            ret = sdap_get_ad_tokengroups_initgroups_recv(subreq);
+        }
+        else if (state->opts->support_matching_rule
+                && dp_opt_get_bool(state->opts->basic,
+                                   SDAP_AD_MATCHING_RULE_INITGROUPS)) {
             ret = sdap_get_ad_match_rule_initgroups_recv(subreq);
         } else {
             ret = sdap_initgr_rfc2307bis_recv(subreq);
author	Stephen Gallagher <sgallagh@redhat.com>	2012-09-18 16:51:15 -0400
committer	Jakub Hrozek <jhrozek@redhat.com>	2012-09-24 15:00:11 +0200
commit	d0e0e73e86f2afdb7f8fefbed70fda8d77b1c25a (patch)
tree	445f1806f9f1344dfa3b4f05b5c9294cdc541696 /src/providers/ldap/sdap_async_initgroups.c
parent	e6ba224432bfcd64802222a3544bc38c179727cd (diff)
download	sssd-d0e0e73e86f2afdb7f8fefbed70fda8d77b1c25a.tar.gz sssd-d0e0e73e86f2afdb7f8fefbed70fda8d77b1c25a.tar.xz sssd-d0e0e73e86f2afdb7f8fefbed70fda8d77b1c25a.zip