Diffstat (limited to 'src/providers/ldap/sdap_async_initgroups_ad.c')
-rw-r--r-- | src/providers/ldap/sdap_async_initgroups_ad.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 9915f1863..463d85065 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -1445,7 +1445,18 @@ sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
     state->use_id_mapping = use_id_mapping;
     state->domain = domain;
 
-    if (state->use_id_mapping && !IS_SUBDOMAIN(state->domain)) {
+    /* We can compute the the gidNumber attribute from SIDs obtained from
+     * the tokenGroups lookup in case ID mapping is used for a user from the
+     * parent domain. For trusted domains, we need to know the group type
+     * to be able to filter out domain-local groups. Additionally, as a
+     * temporary workaround until https://fedorahosted.org/sssd/ticket/2656
+     * is fixed, we also fetch the group object if group members are ignored
+     * to avoid having to transfer and retain members when the fake
+     * tokengroups object without name is replaced by the full group object
+     */
+    if (state->use_id_mapping
+        && !IS_SUBDOMAIN(state->domain)
+        && state->domain->ignore_group_members == false) {
         subreq = sdap_ad_tokengroups_initgr_mapping_send(state, ev, opts,
                                                          sysdb, domain, sh,
                                                          name, orig_dn,
@@ -1485,7 +1496,9 @@ static void sdap_ad_tokengroups_initgroups_done(struct tevent_req *subreq)
     req = tevent_req_callback_data(subreq, struct tevent_req);
     state = tevent_req_data(req, struct sdap_ad_tokengroups_initgroups_state);
 
-    if (state->use_id_mapping && !IS_SUBDOMAIN(state->domain)) {
+    if (state->use_id_mapping
+        && !IS_SUBDOMAIN(state->domain)
+        && state->domain->ignore_group_members == false) {
         ret = sdap_ad_tokengroups_initgr_mapping_recv(subreq);
     } else {
         ret = sdap_ad_tokengroups_initgr_posix_recv(subreq); |
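Review bot: The mapping-versus-POSIX decision is a three-term condition evaluated independently in `sdap_ad_tokengroups_initgroups_send` (first hunk) and recomputed in `sdap_ad_tokengroups_initgroups_done` (second hunk), where it selects between `_mapping_recv` and `_posix_recv`; if the two copies ever drift, or `state->domain->ignore_group_members` changes between send and completion, the callback would pair the wrong `_recv` with the subreq and read another request's state through `tevent_req_data`. Record the choice once at send time instead, e.g. a `bool use_mapping;` field on the state struct, `state->use_mapping = state->use_id_mapping && !IS_SUBDOMAIN(state->domain) && !state->domain->ignore_group_members;` before the branch, and `if (state->use_mapping) {` in `_done`. Minor: `== false` on a boolean reads more naturally as `!state->domain->ignore_group_members`, and the new comment has a doubled word in `the the gidNumber`. Both enclosing functions start and end outside the hunks.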