author | Sumit Bose <sbose@redhat.com> | 2013-12-10 10:14:28 +0100 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-12-19 17:36:09 +0100 |
commit | b61518461e08ba0e33ffd6c0c47da709a5757658 (patch) | |
tree | b095f186cffac1873c0f305f63311cdcbf384fd9 /src/providers/ldap/sdap_async_nested_groups.c | |
parent | 4c106dc57de95ae1e9b41ec56f6c866d7098bbdf (diff) | |
AD: filter domain local groups for trusted/sub domains
In Active Directory groups with a domain local scope should only be used
inside of the specific domain. Since SSSD reads the group memberships
from the LDAP server of the user's domain, the domain local groups are
included in the LDAP result. Those groups should be filtered out if the
domain is a sub/trusted domain, i.e. is not the domain the client
running SSSD is joined to.
The groups will still be in the cache but marked as non-POSIX groups and
no GID will be assigned.
Fixes https://fedorahosted.org/sssd/ticket/2178
Diffstat (limited to 'src/providers/ldap/sdap_async_nested_groups.c')
-rw-r--r-- | src/providers/ldap/sdap_async_nested_groups.c | 28 |
1 files changed, 26 insertions, 2 deletions
diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
index c107b700b..f58564aec 100644
--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
@@ -239,15 +239,39 @@ sdap_nested_group_hash_group(struct sdap_nested_group_ctx *group_ctx,
 struct sdap_attr_map *map = group_ctx->opts->group_map;
 gid_t gid;
 errno_t ret;
+ int32_t ad_group_type;
+ bool posix_group = true;
+
+ if (group_ctx->opts->schema_type == SDAP_SCHEMA_AD) {
+ ret = sysdb_attrs_get_int32_t(group, SYSDB_GROUP_TYPE, &ad_group_type);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_int32_t failed.\n"));
+ return ret;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, ("AD group has type flags %#x.\n",
+ ad_group_type));
+ /* Only security groups from AD are considered for POSIX groups.
+ * Additionally only global and universal group are taken to account
+ * for trusted domains. */
+ if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
+ || (IS_SUBDOMAIN(group_ctx->domain)
+ && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
+ || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
+ posix_group = false;
+ gid = 0;
+ DEBUG(SSSDBG_TRACE_FUNC, ("Filtering AD group.\n"));
+ }
+ }
 
 ret = sysdb_attrs_get_uint32_t(group, map[SDAP_AT_GROUP_GID].sys_name, &gid);
- if (ret == ENOENT || (ret == EOK && gid == 0)) {
+ if (ret == ENOENT || (ret == EOK && gid == 0) || !posix_group) {
 DEBUG(SSSDBG_TRACE_ALL, ("The group's gid was %s\n", ret == ENOENT ? "missing" : "zero"));
 DEBUG(SSSDBG_TRACE_INTERNAL, ("Marking group as non-posix and setting GID=0!\n"));
- if (ret == ENOENT) {
+ if (ret == ENOENT || !posix_group) {
 ret = sysdb_attrs_add_uint32(group, map[SDAP_AT_GROUP_GID].sys_name, 0);
 if (ret != EOK) {
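Review bot: In the filter branch of sdap_nested_group_hash_group the `gid = 0;` is dead, because the very next statement `sysdb_attrs_get_uint32_t(group, map[SDAP_AT_GROUP_GID].sys_name, &gid)` overwrites it, and when that lookup returns EOK with a non-zero gidNumber (an AD group that carries POSIX attributes) the new guard `if (ret == ENOENT || !posix_group)` calls `sysdb_attrs_add_uint32(group, ..., 0)` on an attribute that already holds a value; if that helper appends rather than replaces, the cached group ends up with a two-valued GID attribute instead of GID=0, so the replace semantics should be confirmed before the trust-boundary filter relies on them. The same widened condition now also masks a genuine failure of the lookup (ret neither EOK nor ENOENT) whenever posix_group is false, and the trace message still reports the gid as "zero" in that case. I would drop the dead assignment, check `ret` for errors before the non-POSIX handling, and put `/* filtered groups may still carry a gidNumber; 0 must replace it, not be appended */` above the add call. The function's signature and the rest of its body lie outside this hunk, which ends at the open `if (ret != EOK) {`.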