diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2013-11-29 11:39:09 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-12-19 17:42:05 +0100 |
commit | d26b5b2526846f3c1d8ea54914bbea2cd0cb2826 (patch) | |
tree | 8e7a126b8b641a463de305bc78e0eeb9d48f1b7e /src/providers | |
parent | 97d3ef21d9f293f0b4bc0cc38b37f4e3d54d3572 (diff) | |
download | sssd-d26b5b2526846f3c1d8ea54914bbea2cd0cb2826.tar.gz sssd-d26b5b2526846f3c1d8ea54914bbea2cd0cb2826.tar.xz sssd-d26b5b2526846f3c1d8ea54914bbea2cd0cb2826.zip |
AD: Add a new option to turn off GC lookups
SSSD now defaults to using GC by default. For some environments, for
instance those that don't or can't replicate the POSIX attributes to
Global Catalog, this might not be desirable.
This patch introduces a new option ad_enable_gc, that is enabled by
default. Setting this option to false makes the SSSD contact only the
LDAP port of AD DCs.
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/ad/ad_common.c | 31 | ||||
-rw-r--r-- | src/providers/ad/ad_common.h | 1 | ||||
-rw-r--r-- | src/providers/ad/ad_opts.h | 1 |
3 files changed, 20 insertions, 13 deletions
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index af0ec8399..a5ea4f587 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c @@ -1125,26 +1125,31 @@ ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx, struct sss_domain_info *dom) { struct sdap_id_conn_ctx **clist; + int cindex = 0; clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 3); if (clist == NULL) return NULL; /* Always try GC first */ - clist[0] = ad_ctx->gc_ctx; - if (IS_SUBDOMAIN(dom) == true) { - clist[0]->ignore_mark_offline = false; - /* Subdomain users are only present in GC. */ - return clist; + if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)) { + clist[cindex] = ad_ctx->gc_ctx; + if (IS_SUBDOMAIN(dom) == true) { + clist[cindex]->ignore_mark_offline = false; + /* Subdomain users are only present in GC. */ + return clist; + } + /* fall back to ldap if gc is not available */ + clist[cindex]->ignore_mark_offline = true; + cindex++; } - /* fall back to ldap if gc is not available */ - clist[0]->ignore_mark_offline = true; - - /* With root domain users we have the option to - * fall back to LDAP in case ie POSIX attributes - * are used but not replicated to GC - */ - clist[1] = ad_ctx->ldap_ctx; + if (IS_SUBDOMAIN(dom) == false) { + /* With root domain users we have the option to + * fall back to LDAP in case ie POSIX attributes + * are used but not replicated to GC + */ + clist[cindex] = ad_ctx->ldap_ctx; + } return clist; } diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h index ed5b8584d..d370cef69 100644 --- a/src/providers/ad/ad_common.h +++ b/src/providers/ad/ad_common.h @@ -42,6 +42,7 @@ enum ad_basic_opt { AD_KRB5_REALM, AD_ENABLE_DNS_SITES, AD_ACCESS_FILTER, + AD_ENABLE_GC, AD_OPTS_BASIC /* opts counter */ }; diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h index c2a650b19..0deeec99a 100644 --- a/src/providers/ad/ad_opts.h +++ b/src/providers/ad/ad_opts.h @@ -36,6 +36,7 @@ struct dp_option ad_basic_opts[] = { { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING}, { "ad_enable_dns_sites", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, { "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING}, + { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, DP_OPTION_TERMINATOR }; |