author | Pavel Březina <pbrezina@redhat.com> | 2013-09-11 14:01:31 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-30 22:54:40 +0100 |
commit | fc2dca9b7009885e1ceda8ab1df57c8e98f4f2b0 (patch) | |
tree | 470a24ecf01ab520603b9115e9abb1123202bbf1 /src/providers/ldap | |
parent | d1fd7269420dfdb46cf60e138af6ba051e5ef3bb (diff) | |
nested groups: pick correct domain for cache lookups
Groups may contain members from different domains. We need
to make sure that we always choose the correct domain for subdomain
users when looking up in sysdb.
Resolves:
https://fedorahosted.org/sssd/ticket/2064
Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- | src/providers/ldap/sdap_async_nested_groups.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
index 6e7056618..1860b98c3 100644
--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
@@ -328,11 +328,14 @@ done:
 }
 static errno_t
-sdap_nested_group_check_cache(struct sss_domain_info *domain,
+sdap_nested_group_check_cache(struct sdap_options *opts,
+ struct sss_domain_info *domain,
 const char *member_dn,
 enum sdap_nested_group_dn_type *_type)
 {
 TALLOC_CTX *tmp_ctx = NULL;
+ struct sdap_domain *sdap_domain = NULL;
+ struct sss_domain_info *member_domain = NULL;
 char *sanitized_dn = NULL;
 char *filter = NULL;
 errno_t ret;
@@ -354,8 +357,12 @@ sdap_nested_group_check_cache(struct sss_domain_info *domain,
 goto done;
 }
+ /* determine correct domain of this member */
+ sdap_domain = sdap_domain_get_by_dn(opts, member_dn);
+ member_domain = sdap_domain == NULL ? domain : sdap_domain->dom;
+
 /* search in users */
- ret = sdap_nested_group_sysdb_search_users(domain, filter);
+ ret = sdap_nested_group_sysdb_search_users(member_domain, filter);
 if (ret == EOK || ret == EAGAIN) {
 /* user found */
 *_type = SDAP_NESTED_GROUP_DN_USER;
@@ -366,7 +373,7 @@ sdap_nested_group_check_cache(struct sss_domain_info *domain,
 }
 /* search in groups */
- ret = sdap_nested_group_sysdb_search_groups(domain, filter);
+ ret = sdap_nested_group_sysdb_search_groups(member_domain, filter);
 if (ret == EOK || ret == EAGAIN) {
 /* group found */
 *_type = SDAP_NESTED_GROUP_DN_GROUP;
@@ -453,7 +460,8 @@ sdap_nested_group_split_members(TALLOC_CTX *mem_ctx,
 }
 /* check sysdb */
- ret = sdap_nested_group_check_cache(group_ctx->domain, dn, &type);
+ ret = sdap_nested_group_check_cache(group_ctx->opts, group_ctx->domain,
+ dn, &type);
 if (ret == EOK) {
 /* found and valid */
 DEBUG(SSSDBG_TRACE_ALL, ("[%s] found in cache, skipping\n", dn)); |
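Review bot: The new `opts` parameter of sdap_nested_group_check_cache has no stated contract, and `domain` changes meaning here from the domain that is searched to the fallback used when no mapping is found. A short comment above the signature would record that, for example `/* opts: maps member_dn to its sdap_domain; domain: used when member_dn matches none */`. The function body continues outside this hunk.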
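Review bot: `sdap_domain->dom` is read without a NULL check in the added `member_domain` assignment, and the fallback to `domain` happens silently. If an sdap_domain entry can exist without an attached sss_domain_info (not visible in this diff), NULL would reach both sysdb searches; `member_domain = (sdap_domain == NULL || sdap_domain->dom == NULL) ? domain : sdap_domain->dom;` covers that case. Because member_dn comes from directory data and now decides which domain's cache is consulted, a trace-level DEBUG line naming the chosen domain, or noting the fallback, would make a mis-mapped member visible in the logs. The function starts and ends outside this hunk, and the search_groups call in the next hunk relies on the same `member_domain`.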