author Sumit Bose <sbose@redhat.com> 2013-12-09 11:45:28 +0100
committer Jakub Hrozek <jhrozek@redhat.com> 2013-12-13 10:56:47 +0100
commit cab9dae09da698f926839380a678c7f02485ae66
tree 3c2a3e1cd0929a7259f20ca666b9fdaab4fe5de2 /src/providers/ldap
parent 2b55e3939853c3ced7979ccceb1cfbd7f5e7b896
AD: use LDAP for group lookups
The group memberships cannot be reliably retrieved from the Global Catalog. By default the memberOf attribute is not replicated to the GC at all and the member attribute is copied from the local LDAP instance to the GC running on the same host, but is only replicated to other GC instances for groups with universal scope. Additionally the tokenGroups attribute contains invalid SIDs when used with the GC for users from a different domain than the GC belongs to. As a result the requests which try to resolve group-memberships of an AD user have to go to an LDAP server from the domain of the user.
Fixes https://fedorahosted.org/sssd/ticket/2161 and https://fedorahosted.org/sssd/ticket/2148 as a side-effect.
Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- src/providers/ldap/sdap.h 2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index c53471b9b..fa641730b 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -394,6 +394,8 @@ struct sdap_domain {
struct timeval last_enum;
/* cleanup loop timer */
struct timeval last_purge;
+
+ void *pvt;
};
struct sdap_options {
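Review bot: the new `void *pvt;` member at the end of `struct sdap_domain` is undocumented, while the field just above it carries a comment ("cleanup loop timer"). Because it is an untyped pointer, nothing in this header tells a reader which provider is allowed to set it, what type it points to, or who owns and frees the memory, and every consumer will have to cast it without compiler checking. Please add a comment stating the intended owner, the expected pointee type and its lifetime relative to the `sdap_domain`, and note whether it may be NULL so that callers in the generic LDAP code know to check before dereferencing. If only one backend ever uses it, a forward-declared struct pointer would keep type safety without pulling provider headers into `sdap.h`.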