authorStephen Gallagher <sgallagh@redhat.com>2010-11-03 09:00:12 -0400
committerStephen Gallagher <sgallagh@redhat.com>2010-11-03 09:44:26 -0400
commit91565f10d6567abd250a6d0ad4f278d33152a38c (patch)
treeb8f811dbbf02c05152aae490ef81b952fa0f19b3
parent76dab00cdac01e1202951511ad3ec27c21c257d7 (diff)
Don't clean up groups for which a user has it as primary GID
We were cleaning up all groups that were expired and for which there existed no user with memberOf: <thegroup> as an attribute. This patch modifies the search to also check for cached users with this group's GID as their primary GID. Fixes https://fedorahosted.org/sssd/ticket/624
-rw-r--r--src/providers/ldap/ldap_id_cleanup.c18
1 files changed, 15 insertions, 3 deletions
diff --git a/src/providers/ldap/ldap_id_cleanup.c b/src/providers/ldap/ldap_id_cleanup.c
index bb7c0ea7..161b145f 100644
--- a/src/providers/ldap/ldap_id_cleanup.c
+++ b/src/providers/ldap/ldap_id_cleanup.c
@@ -525,7 +525,7 @@ static struct tevent_req *cleanup_groups_send(TALLOC_CTX *memctx,
{
struct tevent_req *req, *subreq;
struct cleanup_groups_state *state;
- static const char *attrs[] = { SYSDB_NAME, NULL };
+ static const char *attrs[] = { SYSDB_NAME, SYSDB_GIDNUM, NULL };
time_t now = time(NULL);
char *subfilter;
@@ -598,6 +598,7 @@ static void cleanup_groups_check_users(struct tevent_req *req)
struct tevent_req *subreq;
const char *subfilter;
const char *dn;
+ gid_t gid;
dn = ldb_dn_get_linearized(state->msgs[state->cur]->dn);
if (!dn) {
@@ -605,8 +606,19 @@ static void cleanup_groups_check_users(struct tevent_req *req)
return;
}
- subfilter = talloc_asprintf(state, "(%s=%s)",
- SYSDB_MEMBEROF, dn);
+ gid = (gid_t) ldb_msg_find_attr_as_uint(state->msgs[state->cur],
+ SYSDB_GIDNUM, 0);
+ if (!gid) {
+ tevent_req_error(req, EIO);
+ return;
+ }
+
+ /* Search for users that are members of this group, or
+ * that have this group as their primary GID
+ */
+ subfilter = talloc_asprintf(state, "(|(%s=%s)(%s=%lu))",
+ SYSDB_MEMBEROF, dn,
+ SYSDB_GIDNUM, (unsigned long) gid);
if (!subfilter) {
DEBUG(2, ("Failed to build filter\n"));
tevent_req_error(req, ENOMEM);
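Review bot: The new `if (!gid)` branch fails the whole request with EIO and logs nothing, so a single cached group without a usable `SYSDB_GIDNUM` value (the lookup defaults to 0) aborts the cleanup pass with no indication of which entry caused it. The ENOMEM path just below logs before failing; this branch should do the same, for example `DEBUG(2, ("Group %s has no GID in the cache\n", dn));` ahead of `tevent_req_error(req, EIO);`. Skipping the entry and continuing may be preferable to failing, but the code that advances `state->cur` is outside the hunk, so that needs checking against the rest of cleanup_groups_check_users, which starts and ends outside this hunk. Separately, `dn` is still formatted into the filter unescaped, as it was before this change; if a cached DN can contain filter metacharacters such as `(`, `)` or `*`, the search will not match what is intended and stale or live groups could be misclassified.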