diff options
author | Michal Židek <mzidek@redhat.com> | 2017-04-28 20:49:56 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2017-05-04 16:11:05 +0200 |
commit | 21f3d6124ea28218d02e1e345d38e2b948e4ec23 (patch) | |
tree | 42b35d3a3593af876726c8d199d79df5427c8110 | |
parent | 92d8b072f8c521e1b4effe109b5caedabd36ed6f (diff) | |
download | sssd-21f3d6124ea28218d02e1e345d38e2b948e4ec23.tar.gz sssd-21f3d6124ea28218d02e1e345d38e2b948e4ec23.tar.xz sssd-21f3d6124ea28218d02e1e345d38e2b948e4ec23.zip |
SERVER_MODE: Update sdap lists for each ad_ctx
We use separate AD context for each subdomain in the server mode.
Every such context has it's own sdap_domain list witch represents
sdap options such as filter and search bases for every domain.
However AD context can only fully initialize sdap_domain structure
for the same domain for which the whole context was created, which
resulted in the other sdap_domain structures to be have automaticily
detected settings. This can cause problems if user is member of
groups from multiple domains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3381
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r-- | src/providers/ipa/ipa_subdomains_server.c | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c index b02ea67af..443d83824 100644 --- a/src/providers/ipa/ipa_subdomains_server.c +++ b/src/providers/ipa/ipa_subdomains_server.c @@ -870,6 +870,7 @@ static errno_t ipa_server_create_trusts_step(struct tevent_req *req) { struct tevent_req *subreq = NULL; struct ipa_ad_server_ctx *trust_iter; + struct ipa_ad_server_ctx *trust_i; struct ipa_server_create_trusts_state *state = NULL; state = tevent_req_data(req, struct ipa_server_create_trusts_state); @@ -900,6 +901,41 @@ static errno_t ipa_server_create_trusts_step(struct tevent_req *req) } } + /* Refresh all sdap_dom lists in all ipa_ad_server_ctx contexts */ + DLIST_FOR_EACH(trust_iter, state->id_ctx->server_mode->trusts) { + struct sdap_domain *sdom_a; + + sdom_a = sdap_domain_get(trust_iter->ad_id_ctx->sdap_id_ctx->opts, + trust_iter->dom); + if (sdom_a == NULL) { + continue; + } + + DLIST_FOR_EACH(trust_i, state->id_ctx->server_mode->trusts) { + struct sdap_domain *sdom_b; + + if (strcmp(trust_iter->dom->name, trust_i->dom->name) == 0) { + continue; + } + + sdom_b = sdap_domain_get(trust_i->ad_id_ctx->sdap_id_ctx->opts, + sdom_a->dom); + if (sdom_b == NULL) { + continue; + } + + /* Replace basedn and search bases from sdom_b with values + * from sdom_a */ + sdom_b->search_bases = sdom_a->search_bases; + sdom_b->user_search_bases = sdom_a->user_search_bases; + sdom_b->group_search_bases = sdom_a->group_search_bases; + sdom_b->netgroup_search_bases = sdom_a->netgroup_search_bases; + sdom_b->sudo_search_bases = sdom_a->sudo_search_bases; + sdom_b->service_search_bases = sdom_a->service_search_bases; + sdom_b->autofs_search_bases = sdom_a->autofs_search_bases; + } + } + return EOK; } |