From 3eea4ba04c6dea6cd61c38a31f981c4677b1726c Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Tue, 18 Aug 2015 18:31:57 +0200 Subject: IPA: Save groups as non-expired with ignore_group_members --- src/providers/ldap/sdap_async.h | 11 +++++++++++ src/providers/ldap/sdap_async_groups.c | 2 +- src/providers/ldap/sdap_async_initgroups.c | 26 ++++++++++++++++++++------ 3 files changed, 32 insertions(+), 7 deletions(-) diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h index 09bc0d654..4ead70670 100644 --- a/src/providers/ldap/sdap_async.h +++ b/src/providers/ldap/sdap_async.h @@ -94,6 +94,17 @@ struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx, int sdap_get_users_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, char **timestamp); +int sdap_save_groups(TALLOC_CTX *memctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *dom, + struct sdap_options *opts, + struct sysdb_attrs **groups, + int num_groups, + bool populate_members, + hash_table_t *ghosts, + bool save_orig_member, + char **_usn_value); + struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx, struct tevent_context *ev, struct sdap_domain *sdom, diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index 525c6fa09..b25bdb45b 100644 --- a/src/providers/ldap/sdap_async_groups.c +++ b/src/providers/ldap/sdap_async_groups.c @@ -971,7 +971,7 @@ fail: /* ==Generic-Function-to-save-multiple-groups============================= */ -static int sdap_save_groups(TALLOC_CTX *memctx, +int sdap_save_groups(TALLOC_CTX *memctx, struct sysdb_ctx *sysdb, struct sss_domain_info *dom, struct sdap_options *opts, diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index ffb8f7e1f..1f06e01d9 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c 
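Review bot: In src/providers/ldap/sdap_async.h the newly exported `sdap_save_groups` prototype has no comment, although it takes two positional booleans (`populate_members`, `save_orig_member`) and two pointers (`ghosts`, `_usn_value`). Now that other files can call it, add a short comment above the declaration saying what each boolean controls and whether `ghosts` and `_usn_value` may be NULL; the new caller in sdap_async_initgroups.c passes NULL for both. Without that, a call such as `groups, count, false, NULL, true, NULL` cannot be checked against the contract from the header alone. In sdap_async_groups.c the `static` removal leaves the parameter continuation lines untouched, so if they were aligned under the opening parenthesis they now need re-indenting.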
@@ -647,12 +647,26 @@ sdap_nested_groups_store(struct sysdb_ctx *sysdb, } in_transaction = true; - ret = sdap_add_incomplete_groups(sysdb, domain, opts, groupnamelist, - groups, count); - if (ret != EOK) { - DEBUG(SSSDBG_TRACE_FUNC, "Could not add incomplete groups [%d]: %s\n", - ret, strerror(ret)); - goto done; + if (domain->ignore_group_members == true && opts->schema_type == SDAP_SCHEMA_IPA_V1) { + /* If groupmembers are ignored, there's no point in saving the groups + * as incomplete, at least not for the IPA schema. We're able to dereference + * the objects, so let's be done with it + */ + ret = sdap_save_groups(tmp_ctx, sysdb, domain, opts, + groups, count, false, NULL, true, + NULL); + if (ret != EOK) { + goto done; + } + } else { + ret = sdap_add_incomplete_groups(sysdb, domain, opts, groupnamelist, + groups, count); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, + "Could not add incomplete groups [%d]: %s\n", + ret, strerror(ret)); + goto done; + } } ret = sysdb_transaction_commit(sysdb); -- cgit
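Review bot: The new `sdap_save_groups` branch jumps to `done` on failure without logging anything, while the `else` branch keeps its `Could not add incomplete groups` message, so a failed group save during initgroups leaves no trace of which path failed. Add a message before the `goto`, for example `DEBUG(SSSDBG_OP_FAILURE, "Could not save groups [%d]: %s\n", ret, strerror(ret));`. The message retained in the `else` branch reports an error at `SSSDBG_TRACE_FUNC`, which is likely to be missed unless tracing is enabled. As a style point, `domain->ignore_group_members == true` can be written `domain->ignore_group_members`. The body of sdap_nested_groups_store starts and ends outside this hunk, so the `done` cleanup path is not visible here.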