author | Sumit Bose <sbose@redhat.com> | 2013-12-10 10:14:28 +0100 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-12-19 17:36:09 +0100 |
commit | b61518461e08ba0e33ffd6c0c47da709a5757658 (patch) | |
tree | b095f186cffac1873c0f305f63311cdcbf384fd9 /src/providers/ldap/sdap_async_initgroups_ad.c | |
parent | 4c106dc57de95ae1e9b41ec56f6c866d7098bbdf (diff) | |
AD: filter domain local groups for trusted/sub domains
In Active Directory groups with a domain local scope should only be used
inside of the specific domain. Since SSSD reads the group memberships
from the LDAP server of the user's domain, the domain local groups are
included in the LDAP result. Those groups should be filtered out if the
domain is a sub/trusted domain, i.e. is not the domain the client
running SSSD is joined to.
The groups will still be in the cache but marked as non-POSIX groups and
no GID will be assigned.
Fixes https://fedorahosted.org/sssd/ticket/2178
Diffstat (limited to 'src/providers/ldap/sdap_async_initgroups_ad.c')
-rw-r--r-- | src/providers/ldap/sdap_async_initgroups_ad.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 8e0506831..f1bf77e86 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -1145,6 +1145,7 @@ static errno_t sdap_ad_tokengroups_initgr_posix_recv(struct tevent_req *req)
 struct sdap_ad_tokengroups_initgroups_state {
 bool use_id_mapping;
+ struct sss_domain_info *domain;
 };
 static void sdap_ad_tokengroups_initgroups_done(struct tevent_req *subreq);
@@ -1175,8 +1176,9 @@ sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
 }
 state->use_id_mapping = use_id_mapping;
+ state->domain = domain;
- if (state->use_id_mapping) {
+ if (state->use_id_mapping && !IS_SUBDOMAIN(state->domain)) {
 subreq = sdap_ad_tokengroups_initgr_mapping_send(state, ev, opts, sysdb,
 domain, sh, name, orig_dn,
@@ -1216,7 +1218,7 @@ static void sdap_ad_tokengroups_initgroups_done(struct tevent_req *subreq)
 req = tevent_req_callback_data(subreq, struct tevent_req);
 state = tevent_req_data(req, struct sdap_ad_tokengroups_initgroups_state);
- if (state->use_id_mapping) {
+ if (state->use_id_mapping && !IS_SUBDOMAIN(state->domain)) {
 ret = sdap_ad_tokengroups_initgr_mapping_recv(subreq);
 } else {
 ret = sdap_ad_tokengroups_initgr_posix_recv(subreq);
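Review bot: The new `domain` member of `struct sdap_ad_tokengroups_initgroups_state` carries no comment, even though both `sdap_ad_tokengroups_initgroups_send` and `sdap_ad_tokengroups_initgroups_done` now branch on `IS_SUBDOMAIN(state->domain)` to pick between the ID-mapping and POSIX code paths. A one-line comment on the field would spare the next reader a trip through both functions, for example `struct sss_domain_info *domain; /* domain passed to _send(); subdomains take the POSIX path even when ID mapping is on */`. The reason subdomains avoid the mapping path (so that domain-local groups can be filtered, per the commit message) is not visible anywhere in this file and is worth stating at the field or at the condition.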
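Review bot: The condition `state->use_id_mapping && !IS_SUBDOMAIN(state->domain)` is now evaluated in two places, in `sdap_ad_tokengroups_initgroups_send` (this hunk) and again in `sdap_ad_tokengroups_initgroups_done` (the following hunk), and the two copies must agree or the done callback will run the `_recv` that does not match the subrequest actually sent. Deciding once in `_send` and storing the result in the state, e.g. a new `bool mapping_path;` member set with `state->mapping_path = use_id_mapping && !IS_SUBDOMAIN(domain);` and tested in both `if` statements, removes the duplication and makes the pairing hard to break. The choice would also benefit from a short comment, `/* subdomains use the POSIX path so domain-local groups can be filtered */`, since the filtering itself presumably lives in a part of the commit not shown here. Both enclosing functions start and end outside the hunks.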