From 7f59cc485c935bd3bca9900b03eb24e755f9bdfd Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 28 Aug 2014 18:07:52 +0200
Subject: LDAP: Enable tokenGroups with Windows Server 2003
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

According to Microsoft documentation, the tokenGroups attribute is
available since Windows 2000:
http://msdn.microsoft.com/en-us/library/cc220937.aspx

We were not able to test against Windows 2000, though, as we don't have
that OS around, so this patch only changes the compatibility level to
2003.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 5c2f2023696d1ff79c3c5d94b89e7ef9cd4159e9)
---
 src/providers/ldap/sdap_async_initgroups.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 712811f83..cab1a638f 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2924,7 +2924,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
             return;
         }
 
-        if (state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008
+        if (state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2003
             && dp_opt_get_bool(state->opts->basic, SDAP_AD_USE_TOKENGROUPS)) {
             /* Take advantage of AD's tokenGroups mechanism to look up all
              * parent groups in a single request.
@@ -3025,7 +3025,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
 
     case SDAP_SCHEMA_RFC2307BIS:
     case SDAP_SCHEMA_AD:
-        if (state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008
+        if (state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2003
             && dp_opt_get_bool(state->opts->basic, SDAP_AD_USE_TOKENGROUPS)) {
 
             ret = sdap_ad_tokengroups_initgroups_recv(subreq);
-- 
cgit