1 files changed, 36 insertions, 0 deletions

diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 9afb9ff89..de4d44166 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1733,6 +1733,7 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
     struct gp_gpo **candidate_gpos = NULL;
     int num_candidate_gpos = 0;
     int i = 0;
+    const char **cse_filtered_gpo_guids;
 
     req = tevent_req_callback_data(subreq, struct tevent_req);
     state = tevent_req_data(req, struct ad_gpo_access_state);
@@ -1798,14 +1799,49 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
         goto done;
     }
 
+    /* we create and populate an array of applicable gpo-guids */
+    cse_filtered_gpo_guids =
+        talloc_array(state, const char *, state->num_cse_filtered_gpos);
+    if (cse_filtered_gpo_guids == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
     for (i = 0; i < state->num_cse_filtered_gpos; i++) {
         DEBUG(SSSDBG_TRACE_FUNC, "cse_filtered_gpos[%d]->gpo_guid is %s\n", i,
                                   state->cse_filtered_gpos[i]->gpo_guid);
+        cse_filtered_gpo_guids[i] = talloc_steal(cse_filtered_gpo_guids,
+                                                 state->cse_filtered_gpos[i]->gpo_guid);
+        if (cse_filtered_gpo_guids[i] == NULL) {
+            ret = ENOMEM;
+            goto done;
+        }
     }
 
     DEBUG(SSSDBG_TRACE_FUNC, "num_cse_filtered_gpos: %d\n",
           state->num_cse_filtered_gpos);
 
+    /*
+     * we now have the array of applicable gpos in hand; however, since we
+     * may have cached a larger set of gpo-guids previously, we delete
+     * all stale gpo cache entries (i.e. entries that have a gpo-guid that
+     * doesn't match any of the gpo-guids in the cse_filtered_gpo_guids list)
+     */
+    ret = sysdb_gpo_delete_stale_gpos(state, state->domain,
+                                      cse_filtered_gpo_guids,
+                                      state->num_cse_filtered_gpos);
+    if (ret != EOK) {
+        switch (ret) {
+        case ENOENT:
+            DEBUG(SSSDBG_OP_FAILURE, "No GPOs available in cache\n");
+        default:
+            DEBUG(SSSDBG_FATAL_FAILURE,
+                  "Could not delete stale GPOs from cache: [%s]\n",
+                  strerror(ret));
+            goto done;
+        }
+    }
+
     ret = ad_gpo_cse_step(req);
 
  done: