-rw-r--r--src/config/etc/sssd.api.d/sssd-ad.conf1
-rw-r--r--src/man/sssd-ad.5.xml17
-rw-r--r--src/providers/ad/ad_common.c31
-rw-r--r--src/providers/ad/ad_common.h1
-rw-r--r--src/providers/ad/ad_opts.h1
-rw-r--r--src/tests/cmocka/test_ad_common.c20
6 files changed, 58 insertions, 13 deletions
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index cea28a18c..6b136f2ec 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -5,6 +5,7 @@ ad_backup_server = str, None, false
ad_hostname = str, None, false
ad_enable_dns_sites = bool, None, false
ad_access_filter = str, None, false
+ad_enable_gc = bool, None, false
ldap_uri = str, None, false
ldap_backup_uri = str, None, false
ldap_search_base = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index e31f87a96..38cc31278 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -228,6 +228,23 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
</varlistentry>
<varlistentry>
+ <term>ad_enable_gc (boolean)</term>
+ <listitem>
+ <para>
+ By default, the SSSD connects to the Global
+ Catalog first to retrieve users and uses the
+ LDAP port to retrieve group memberships or
+ as a fallback. Disabling this option makes
+ the SSSD only connect to the LDAP port of the
+ current AD server.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>dyndns_update (boolean)</term>
<listitem>
<para>
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index af0ec8399..a5ea4f587 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1125,26 +1125,31 @@ ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
struct sss_domain_info *dom)
{
struct sdap_id_conn_ctx **clist;
+ int cindex = 0;
clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 3);
if (clist == NULL) return NULL;
/* Always try GC first */
- clist[0] = ad_ctx->gc_ctx;
- if (IS_SUBDOMAIN(dom) == true) {
- clist[0]->ignore_mark_offline = false;
- /* Subdomain users are only present in GC. */
- return clist;
+ if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)) {
+ clist[cindex] = ad_ctx->gc_ctx;
+ if (IS_SUBDOMAIN(dom) == true) {
+ clist[cindex]->ignore_mark_offline = false;
+ /* Subdomain users are only present in GC. */
+ return clist;
+ }
+ /* fall back to ldap if gc is not available */
+ clist[cindex]->ignore_mark_offline = true;
+ cindex++;
}
- /* fall back to ldap if gc is not available */
- clist[0]->ignore_mark_offline = true;
-
- /* With root domain users we have the option to
- * fall back to LDAP in case ie POSIX attributes
- * are used but not replicated to GC
- */
- clist[1] = ad_ctx->ldap_ctx;
+ if (IS_SUBDOMAIN(dom) == false) {
+ /* With root domain users we have the option to
+ * fall back to LDAP in case ie POSIX attributes
+ * are used but not replicated to GC
+ */
+ clist[cindex] = ad_ctx->ldap_ctx;
+ }
return clist;
}
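Review bot: When ad_enable_gc is false and `dom` is a subdomain, the new code returns a list whose first entry is NULL: the GC branch is skipped and the `IS_SUBDOMAIN(dom) == false` guard then skips the LDAP fallback as well, and nothing logs why — the cmocka test added in this commit pins exactly that empty result. Given the in-function comment that subdomain users are only present in the GC, turning the option off silently removes trusted-domain lookups, which an administrator is unlikely to connect to this setting. I'd emit a debug message on that path before the final `return clist;`, e.g. `DEBUG(SSSDBG_CONF_SETTINGS, "Global Catalog disabled, no connection available for subdomain %s\n", dom->name);` (assuming the file's usual DEBUG macro and that `dom->name` is available — confirm), and state the consequence in the man-page text for ad_enable_gc. The function's signature sits in the hunk header, so its start is outside the hunk.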
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index ed5b8584d..d370cef69 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -42,6 +42,7 @@ enum ad_basic_opt {
AD_KRB5_REALM,
AD_ENABLE_DNS_SITES,
AD_ACCESS_FILTER,
+ AD_ENABLE_GC,
AD_OPTS_BASIC /* opts counter */
};
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index c2a650b19..0deeec99a 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -36,6 +36,7 @@ struct dp_option ad_basic_opts[] = {
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ad_enable_dns_sites", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
+ { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
DP_OPTION_TERMINATOR
};
diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
index 648b68f2d..07502b82d 100644
--- a/src/tests/cmocka/test_ad_common.c
+++ b/src/tests/cmocka/test_ad_common.c
@@ -159,6 +159,8 @@ void test_conn_list(void **state)
struct ad_common_test_ctx);
assert_non_null(test_ctx);
+ assert_true(dp_opt_get_bool(test_ctx->ad_ctx->ad_options->basic,
+ AD_ENABLE_GC));
conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->dom);
assert_non_null(conn_list);
@@ -177,6 +179,24 @@ void test_conn_list(void **state)
assert_false(conn_list[0]->ignore_mark_offline);
assert_null(conn_list[1]);
talloc_free(conn_list);
+
+ dp_opt_set_bool(test_ctx->ad_ctx->ad_options->basic, AD_ENABLE_GC, false);
+ assert_false(dp_opt_get_bool(test_ctx->ad_ctx->ad_options->basic,
+ AD_ENABLE_GC));
+
+ conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->dom);
+ assert_non_null(conn_list);
+
+ assert_true(conn_list[0] == test_ctx->ad_ctx->ldap_ctx);
+ assert_false(conn_list[0]->ignore_mark_offline);
+ assert_null(conn_list[1]);
+ talloc_free(conn_list);
+
+ conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->subdom);
+ assert_non_null(conn_list);
+
+ assert_null(conn_list[0]);
+ talloc_free(conn_list);
}
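Review bot: The test sets AD_ENABLE_GC to false via `dp_opt_set_bool` and never restores it before returning, so any later test reusing the same `ad_options` (whether the fixture is per-test or shared is decided outside this hunk) would run with the GC disabled. I'd add `dp_opt_set_bool(test_ctx->ad_ctx->ad_options->basic, AD_ENABLE_GC, true);` after the last `talloc_free(conn_list);`. The subdomain case also only checks `conn_list[0]`; asserting `assert_null(conn_list[1]);` as the other cases do would make the "no connections at all" expectation explicit. test_conn_list begins outside the hunk.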
int main(int argc, const char *argv[])