UTIL: Inherit ignore_group_members

Resolves:
    https://fedorahosted.org/sssd/ticket/2644

Allows the administrators to extend ignore_group_members to subdomains
as well by setting:
    subdomain_inherit = ignore_group_members
in the domain section.

Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 01c049ceef55c7bbfca1e47cecb2a0a2cf0a5d44)
(cherry picked from commit 27d8524cf635d61d93c71539709a30e1205dcaf1)

1 files changed, 9 insertions, 0 deletions

diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 9fb2110eb..e2dec0435 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -206,6 +206,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
                                       const char *forest)
 {
     struct sss_domain_info *dom;
+    bool inherit_option;
 
     DEBUG(SSSDBG_TRACE_FUNC,
           "Creating [%s] as subdomain of [%s]!\n", name, parent->name);
@@ -281,6 +282,14 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
     dom->enumerate = enumerate;
     dom->fqnames = true;
     dom->mpg = mpg;
+    /* If the parent domain filters out group members, the subdomain should
+     * as well if configured */
+    inherit_option = string_in_list(CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS,
+                                    parent->sd_inherit, false);
+    if (inherit_option) {
+        dom->ignore_group_members = parent->ignore_group_members;
+    }
+
     /* If the parent domain explicitly limits ID ranges, the subdomain
      * should honour the limits as well.
      */