LDAP: Only convert direct parents' ghost attribute to member

https://fedorahosted.org/sssd/ticket/1612

This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.

As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.

The original member attributes are only saved if the LDAP schema
supports nesting.

2 files changed, 3 insertions, 2 deletions

diff --git a/src/tools/sss_seed.c b/src/tools/sss_seed.c
index 8eaf95936..5aff1ede7 100644
--- a/src/tools/sss_seed.c
+++ b/src/tools/sss_seed.c
@@ -740,7 +740,7 @@ static int seed_cache_user(struct seed_ctx *sctx)
         ret = sysdb_add_user(sctx->sysdb, sctx->uctx->name,
                              sctx->uctx->uid, sctx->uctx->gid,
                              sctx->uctx->gecos, sctx->uctx->home,
-                             sctx->uctx->shell, NULL, 0, 0);
+                             sctx->uctx->shell, NULL, NULL, 0, 0);
         if (ret != EOK) {
             DEBUG(SSSDBG_OP_FAILURE,
                   ("Failed to add user to the cache. (%d)[%s]\n",
diff --git a/src/tools/sss_sync_ops.c b/src/tools/sss_sync_ops.c
index 7183eb3e6..10a1a127a 100644
--- a/src/tools/sss_sync_ops.c
+++ b/src/tools/sss_sync_ops.c
@@ -467,7 +467,8 @@ int useradd(TALLOC_CTX *mem_ctx,
     int ret;
 
     ret = sysdb_add_user(sysdb, data->name, data->uid, data->gid,
-                         data->gecos, data->home, data->shell, NULL, 0, 0);
+                         data->gecos, data->home, data->shell,
+                         NULL, NULL, 0, 0);
     if (ret) {
         goto done;
     }