summaryrefslogtreecommitdiffstats
path: root/src/providers
diff options
context:
space:
mode:
authorPavel Březina <pbrezina@redhat.com>2013-09-10 15:06:28 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-10-30 22:54:40 +0100
commitd1fd7269420dfdb46cf60e138af6ba051e5ef3bb (patch)
treebd7c749fdbc11fe650035bca7c7e8f44c144a35e /src/providers
parent3d82882a2f0bc833278709b3c56d34337d151d58 (diff)
downloadsssd-d1fd7269420dfdb46cf60e138af6ba051e5ef3bb.tar.gz
sssd-d1fd7269420dfdb46cf60e138af6ba051e5ef3bb.tar.xz
sssd-d1fd7269420dfdb46cf60e138af6ba051e5ef3bb.zip
sdap_fill_memberships: pick correct domain for every member
Groups may contain members from different domains. We need to make sure that we always choose correct domain for subdomain users when looking up in sysdb. Resolves: https://fedorahosted.org/sssd/ticket/2064
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ldap/sdap_async_groups.c23
1 files changed, 19 insertions, 4 deletions
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index c2a19faab..7a8f3e2a5 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -175,7 +175,8 @@ sdap_dn_by_primary_gid(TALLOC_CTX *mem_ctx, struct sysdb_attrs *ldap_attrs,
return EOK;
}
-static int sdap_fill_memberships(struct sysdb_attrs *group_attrs,
+static int sdap_fill_memberships(struct sdap_options *opts,
+ struct sysdb_attrs *group_attrs,
struct sysdb_ctx *ctx,
struct sss_domain_info *domain,
hash_table_t *ghosts,
@@ -190,6 +191,9 @@ static int sdap_fill_memberships(struct sysdb_attrs *group_attrs,
errno_t hret;
hash_key_t key;
hash_value_t value;
+ struct sdap_domain *sdom;
+ struct sysdb_ctx *member_sysdb;
+ struct sss_domain_info *member_dom;
ret = sysdb_attrs_get_el(group_attrs, SYSDB_MEMBER, &el);
if (ret) {
@@ -215,9 +219,20 @@ static int sdap_fill_memberships(struct sysdb_attrs *group_attrs,
}
if (hret == HASH_ERROR_KEY_NOT_FOUND) {
+ sdom = sdap_domain_get_by_dn(opts, (char *)values[i].data);
+ if (sdom == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Member [%s] is it out of domain "
+ "scope?\n", (char *)values[i].data));
+ member_sysdb = ctx;
+ member_dom = domain;
+ } else {
+ member_sysdb = sdom->dom->sysdb;
+ member_dom = sdom->dom;
+ }
+
/* sync search entry with this as origDN */
- ret = sdap_find_entry_by_origDN(el->values, ctx, domain,
- (char *)values[i].data,
+ ret = sdap_find_entry_by_origDN(el->values, member_sysdb,
+ member_dom, (char *)values[i].data,
(char **)&el->values[j].data);
if (ret == ENOENT) {
/* member may be outside of the configured search bases
@@ -720,7 +735,7 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
goto fail;
}
- ret = sdap_fill_memberships(group_attrs, ctx, dom, ghosts,
+ ret = sdap_fill_memberships(opts, group_attrs, ctx, dom, ghosts,
el->values, el->num_values,
userdns, nuserdns);
if (ret) {