authorJakub Hrozek <jhrozek@redhat.com>2016-04-05 18:07:55 +0200
committerJakub Hrozek <jhrozek@redhat.com>2016-07-06 17:32:59 +0200
commit98c6a6ae4c260fc8156d26876c072ca189dd21dd (patch)
tree776a331dcfb4512fcf266d5484edd6e790bfd224
parent6003999f1f6e8f317097e27b3739203b7d100591 (diff)
LDAP: Convert RFC2307 member attribute values to FQDN-style ghostnames before acting on them
Ghostnames must be qualified as well, same as all other name attributes across SSSD. The ghost names are used by the NSS responder during getgr* output and the domain name parsed from the name is used in the output.
-rw-r--r--src/providers/ldap/sdap_async_groups.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index d13863a1e..5edcd3af7 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1566,16 +1566,26 @@ sdap_process_group_members_2307(struct sdap_process_group_state *state,
struct ldb_message_element *ghostel)
{
struct ldb_message *msg;
+ char *member_attr_val;
char *member_name;
char *userdn;
int ret;
int i;
for (i=0; i < memberel->num_values; i++) {
- member_name = (char *)memberel->values[i].data;
+ member_attr_val = (char *)memberel->values[i].data;
/* We need to skip over zero-length usernames */
- if (member_name[0] == '\0') continue;
+ if (member_attr_val[0] == '\0') continue;
+
+ /* RFC2307 stores members as plain usernames in the member attribute.
+ * Internally, we use fqdns in the cache..
+ */
+ member_name = sss_create_internal_fqname(state, member_attr_val,
+ state->dom->name);
+ if (member_name == NULL) {
+ return ENOMEM;
+ }
ret = sysdb_search_user_by_name(state, state->dom, member_name,
NULL, &msg);
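Review bot: `member_name` is now a fresh allocation on `state` in every pass of the loop, and nothing in the visible lines releases it, so a group with a very large member list keeps one qualified name per member alive until the whole request state is freed. Since the member values come from the directory server, that growth is driven by remote data. If the code after `sysdb_search_user_by_name()` does not retain the pointer (the loop body continues outside this hunk, so that cannot be confirmed here), release it at the end of each iteration with `talloc_zfree(member_name);` or allocate it from a per-iteration temporary context. Separately, the zero-length test reads `member_attr_val[0]` without consulting `memberel->values[i].length`; a short comment stating that the value is relied on to be NUL-terminated would help the next reader.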