author | Jakub Hrozek <jhrozek@redhat.com> | 2015-05-22 15:19:31 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-05-31 19:27:45 +0200 |
commit | ee44aac95e42c3cb634876286a2aa4960ac69a2b (patch) | |
tree | 7f6d2a4591acb372d153906454d4564807048247 /src/providers/proxy | |
parent | fd3b0d8235322ada8f3b9b83b30ce57242ebf6cd (diff) | |

Download complete groups if ignore_group_members is set with tokengroups

Resolves:
    https://fedorahosted.org/sssd/ticket/2644

When tokenGroups are enabled, we save groups using their SID as the RDN
attribute during initgroups() and later, if the group is requested and saved
again with the full name, remove the original and save the new group entry.

Saving the new group entry would break if ignore_group_members is also
set, because the new group entry would lack the "member" attribute, so the
member/memberof links between the new group and the user entry wouldn't
be established again.

This patch changes the initgroups processing so that the full group
object is fetched when initgroups is enabled but together with
ignore_group_members. This solution imposes some performance impact,
because instead of one search for tokenGroups we also need to resolve the
groups. The more systematic solution would be to get rid of removing the
group entry as described in https://fedorahosted.org/sssd/ticket/2656

To reproduce the bug, set: ignore_group_members = True with a
backend that uses:
    id_provider = ad
Then run:
    $ id aduser@ad_domain.com
    $ id aduser@ad_domain.com

Reviewed-by: Sumit Bose <sbose@redhat.com>

Diffstat (limited to 'src/providers/proxy')
0 files changed, 0 insertions, 0 deletions