From 756a944b898e55a83c212999b31ba6550af4b1ce Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 9 Sep 2014 22:13:52 +0200
Subject: IPA: Use GC for group lookups in server mode
https://fedorahosted.org/sssd/ticket/2412
Even though AD trusts often work with POSIX attributes which are normally not replicated to GC, our group lookups are smart since commit 008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using the LDAP connection and only use the GC connection to look up the members.
Reviewed-by: Pavel Reichl
(cherry picked from commit a20ce8cd43d72c89e2ea1d65aefe24ba270f040f)
---
 src/providers/ipa/ipa_subdomains_id.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 5517602a6..9a90bc2d6 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -304,17 +304,21 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
 }
 sdap_id_ctx = ad_id_ctx->sdap_id_ctx;
- /* Currently only LDAP port for AD is used because POSIX
- * attributes are not replicated to GC by default
+ /* We read users and groups from GC. From groups, we may switch to
+ * using LDAP connection in the group request itself, but in order
+ * to resolve Universal group memberships, we also need the GC
+ * connection
 */
-
- if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
+ switch (state->ar->entry_type & BE_REQ_TYPE_MASK) {
+ case BE_REQ_INITGROUPS:
+ case BE_REQ_GROUP:
 clist = ad_gc_conn_list(req, ad_id_ctx, state->user_dom);
 if (clist == NULL) {
 ret = ENOMEM;
 goto fail;
 }
- } else {
+ break;
+ default:
 clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
 if (clist == NULL) {
 ret = ENOMEM;
--
cgit