author | Stephen Gallagher <sgallagh@redhat.com> | 2010-11-03 09:00:12 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-11-03 09:44:26 -0400 |
commit | 91565f10d6567abd250a6d0ad4f278d33152a38c (patch) | |
tree | b8f811dbbf02c05152aae490ef81b952fa0f19b3 | |
parent | 76dab00cdac01e1202951511ad3ec27c21c257d7 (diff) | |
Don't clean up groups for which a user has it as primary GID
We were cleaning up all groups that were expired and for which
there existed no user with memberOf: <thegroup> as an attribute.
This patch modifies the search to also check for cached users with
this group's GID as their primary GID.
Fixes https://fedorahosted.org/sssd/ticket/624
-rw-r--r-- | src/providers/ldap/ldap_id_cleanup.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/src/providers/ldap/ldap_id_cleanup.c b/src/providers/ldap/ldap_id_cleanup.c
index bb7c0ea7..161b145f 100644
--- a/src/providers/ldap/ldap_id_cleanup.c
+++ b/src/providers/ldap/ldap_id_cleanup.c
@@ -525,7 +525,7 @@ static struct tevent_req *cleanup_groups_send(TALLOC_CTX *memctx,
 {
 struct tevent_req *req, *subreq;
 struct cleanup_groups_state *state;
- static const char *attrs[] = { SYSDB_NAME, NULL };
+ static const char *attrs[] = { SYSDB_NAME, SYSDB_GIDNUM, NULL };
 time_t now = time(NULL);
 char *subfilter;
@@ -598,6 +598,7 @@ static void cleanup_groups_check_users(struct tevent_req *req)
 struct tevent_req *subreq;
 const char *subfilter;
 const char *dn;
+ gid_t gid;
 dn = ldb_dn_get_linearized(state->msgs[state->cur]->dn);
 if (!dn) {
@@ -605,8 +606,19 @@ static void cleanup_groups_check_users(struct tevent_req *req)
 return;
 }
- subfilter = talloc_asprintf(state, "(%s=%s)",
- SYSDB_MEMBEROF, dn);
+ gid = (gid_t) ldb_msg_find_attr_as_uint(state->msgs[state->cur],
+ SYSDB_GIDNUM, 0);
+ if (!gid) {
+ tevent_req_error(req, EIO);
+ return;
+ }
+
+ /* Search for users that are members of this group, or
+ * that have this group as their primary GID
+ */
+ subfilter = talloc_asprintf(state, "(|(%s=%s)(%s=%lu))",
+ SYSDB_MEMBEROF, dn,
+ SYSDB_GIDNUM, (unsigned long) gid);
 if (!subfilter) {
 DEBUG(2, ("Failed to build filter\n"));
 tevent_req_error(req, ENOMEM); |
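Review bot: The new `if (!gid)` branch in cleanup_groups_check_users fails the whole request with EIO and logs nothing, so a single cached group without a usable SYSDB_GIDNUM appears to stop the cleanup pass and leaves no trace of which entry caused it. The ENOMEM path just below logs before failing; I would add `DEBUG(2, ("Group [%s] has no GID in the cache\n", dn));` ahead of `tevent_req_error(req, EIO);`, and consider whether using the memberOf-only filter for that entry is safer than aborting. Separately, `dn` still goes into the filter string unescaped, as it did before this commit; if a group DN can contain `(`, `)`, `*` or `\`, the resulting subfilter may not match what the comment describes, so escaping it for filter use deserves a follow-up. The function body starts and ends outside the hunk.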