diff options
author | Pavel Reichl <preichl@redhat.com> | 2014-05-21 09:30:13 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-06-02 18:54:32 +0200 |
commit | 4221bd76e2b631684f2dc7e8c625fd7b27947cf8 (patch) | |
tree | d97251c89e455a46ed869f8a4dfd98c9ab2cf7d3 /src/providers/ldap | |
parent | 98052f6f186f27a6fde4786274132a6bb4d69e79 (diff) | |
download | sssd-4221bd76e2b631684f2dc7e8c625fd7b27947cf8.tar.gz sssd-4221bd76e2b631684f2dc7e8c625fd7b27947cf8.tar.xz sssd-4221bd76e2b631684f2dc7e8c625fd7b27947cf8.zip |
SDAP: Add option to disable use of Token-Groups
Disabling use of Token-Groups is mandatory if expansion of nested groups is not
desired (ldap_group_nesting_level = 0) for AD provider.
Resolves:
https://fedorahosted.org/sssd/ticket/2294
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 69994add9cd4e57d40b3b7a0b1783ef2d0aa974c)
Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- | src/providers/ldap/ldap_opts.h | 1 | ||||
-rw-r--r-- | src/providers/ldap/sdap.h | 1 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_initgroups.c | 7 |
3 files changed, 7 insertions, 2 deletions
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h index d07051c51..5552c22cf 100644 --- a/src/providers/ldap/ldap_opts.h +++ b/src/providers/ldap/ldap_opts.h @@ -113,6 +113,7 @@ struct dp_option default_basic_opts[] = { { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE}, { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER}, diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index f3f13e9c7..460f40056 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h @@ -225,6 +225,7 @@ enum sdap_basic_opt { SDAP_IDMAP_DEFAULT_DOMAIN_SID, SDAP_AD_MATCHING_RULE_GROUPS, SDAP_AD_MATCHING_RULE_INITGROUPS, + SDAP_AD_USE_TOKENGROUPS, SDAP_RFC2307_FALLBACK_TO_LOCAL_USERS, SDAP_DISABLE_RANGE_RETRIEVAL, SDAP_MIN_ID, diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index 90938ac02..b1dd2f514 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c @@ -2922,7 +2922,8 @@ static void sdap_get_initgr_user(struct tevent_req *subreq) return; } - if (state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008) { + if (state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008 + && dp_opt_get_bool(state->opts->basic, SDAP_AD_USE_TOKENGROUPS)) { /* Take advantage of AD's tokenGroups mechanism to look up all * parent groups in a single request. */ @@ -3022,7 +3023,9 @@ static void sdap_get_initgr_done(struct tevent_req *subreq) case SDAP_SCHEMA_RFC2307BIS: case SDAP_SCHEMA_AD: - if (state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008) { + if (state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008 + && dp_opt_get_bool(state->opts->basic, SDAP_AD_USE_TOKENGROUPS)) { + ret = sdap_ad_tokengroups_initgroups_recv(subreq); } else if (state->opts->support_matching_rule |