authorPavel Březina <pbrezina@redhat.com>2013-09-10 15:06:28 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-10-30 22:54:40 +0100
commitd1fd7269420dfdb46cf60e138af6ba051e5ef3bb (patch)
treebd7c749fdbc11fe650035bca7c7e8f44c144a35e /src
parent3d82882a2f0bc833278709b3c56d34337d151d58 (diff)
sdap_fill_memberships: pick correct domain for every member
Groups may contain members from different domains. We need to make sure that we always choose correct domain for subdomain users when looking up in sysdb. Resolves: https://fedorahosted.org/sssd/ticket/2064
Diffstat (limited to 'src')
-rw-r--r--src/providers/ldap/sdap_async_groups.c23
1 files changed, 19 insertions, 4 deletions
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index c2a19faab..7a8f3e2a5 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -175,7 +175,8 @@ sdap_dn_by_primary_gid(TALLOC_CTX *mem_ctx, struct sysdb_attrs *ldap_attrs,
return EOK;
}
-static int sdap_fill_memberships(struct sysdb_attrs *group_attrs,
+static int sdap_fill_memberships(struct sdap_options *opts,
+ struct sysdb_attrs *group_attrs,
struct sysdb_ctx *ctx,
struct sss_domain_info *domain,
hash_table_t *ghosts,
@@ -190,6 +191,9 @@ static int sdap_fill_memberships(struct sysdb_attrs *group_attrs,
errno_t hret;
hash_key_t key;
hash_value_t value;
+ struct sdap_domain *sdom;
+ struct sysdb_ctx *member_sysdb;
+ struct sss_domain_info *member_dom;
ret = sysdb_attrs_get_el(group_attrs, SYSDB_MEMBER, &el);
if (ret) {
@@ -215,9 +219,20 @@ static int sdap_fill_memberships(struct sysdb_attrs *group_attrs,
}
if (hret == HASH_ERROR_KEY_NOT_FOUND) {
+ sdom = sdap_domain_get_by_dn(opts, (char *)values[i].data);
+ if (sdom == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Member [%s] is it out of domain "
+ "scope?\n", (char *)values[i].data));
+ member_sysdb = ctx;
+ member_dom = domain;
+ } else {
+ member_sysdb = sdom->dom->sysdb;
+ member_dom = sdom->dom;
+ }
+
/* sync search entry with this as origDN */
- ret = sdap_find_entry_by_origDN(el->values, ctx, domain,
- (char *)values[i].data,
+ ret = sdap_find_entry_by_origDN(el->values, member_sysdb,
+ member_dom, (char *)values[i].data,
(char **)&el->values[j].data);
if (ret == ENOENT) {
/* member may be outside of the configured search bases
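Review bot: The fallback taken when `sdap_domain_get_by_dn()` returns NULL is undocumented, and its log line is phrased as a question ("is it out of domain scope?"), so someone reading the logs cannot tell that the member DN is then searched in the group's own domain. Since this lookup decides which cached entry is recorded as a group member, I would state the fallback explicitly, with a comment such as `/* no sdap_domain matches this DN: search the group's own domain, as before */` and a message such as `"Member [%s] matches no known domain, searching the group's domain\n"`. The else branch also reads `sdom->dom->sysdb` without checking `sdom->dom`; whether that pointer can be unset for an entry returned by `sdap_domain_get_by_dn()` is not visible in this hunk and should be confirmed. The body of sdap_fill_memberships starts before the hunk and continues after it.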
@@ -720,7 +735,7 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
goto fail;
}
- ret = sdap_fill_memberships(group_attrs, ctx, dom, ghosts,
+ ret = sdap_fill_memberships(opts, group_attrs, ctx, dom, ghosts,
el->values, el->num_values,
userdns, nuserdns);
if (ret) {