authorPavel Březina <pbrezina@redhat.com>2013-10-29 15:20:10 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-10-29 16:02:59 +0100
commit970c5afba449a51dbccbdbf49e43ee5c79892e76 (patch)
tree7e78cd09d7f85e04263bdffdfefca4ceb786575a /src/providers
parent022ebf54037982211da729b99213bab7458ae827 (diff)
downloadsssd-970c5afba449a51dbccbdbf49e43ee5c79892e76.tar.gz
sssd-970c5afba449a51dbccbdbf49e43ee5c79892e76.tar.xz
sssd-970c5afba449a51dbccbdbf49e43ee5c79892e76.zip
sdap_save_group: try to determine domain by SID
The GC contains objects from both the parent domain and its subdomains. Let's say we have a group with GID 5000 that belongs to a subdomain, and overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now we call 'getent group 5000' and this request goes through the data provider, searching in the parent domain first. Even though this group does not belong to that domain it is found there and stored as an ad.pb group. With this patch we look at the group's SID (when one is available) and store the group in the correct domain.
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ldap/sdap_async_groups.c25
1 files changed, 18 insertions, 7 deletions
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 00ac3e991..ccf716ec8 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -449,13 +449,6 @@ static int sdap_save_group(TALLOC_CTX *memctx,
goto done;
}
- ret = sdap_get_group_primary_name(tmpctx, opts, attrs, dom, &group_name);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, ("Failed to get group name\n"));
- goto done;
- }
- DEBUG(SSSDBG_TRACE_FUNC, ("Processing group %s\n", group_name));
-
/* Always store SID string if available */
ret = sdap_attrs_get_sid_str(tmpctx, opts->idmap_ctx, attrs,
opts->group_map[SDAP_AT_GROUP_OBJECTSID].sys_name,
@@ -477,6 +470,24 @@ static int sdap_save_group(TALLOC_CTX *memctx,
sid_str = NULL;
}
+ /* If this object has a SID available, we will determine the correct
+ * domain by its SID. */
+ if (sid_str != NULL) {
+ dom = find_subdomain_by_sid(get_domains_head(dom), sid_str);
+ if (dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("SID %s does not belong to any known "
+ "domain\n", sid_str));
+ return ERR_DOMAIN_NOT_FOUND;
+ }
+ }
+
+ ret = sdap_get_group_primary_name(tmpctx, opts, attrs, dom, &group_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Failed to get group name\n"));
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_FUNC, ("Processing group %s\n", group_name));
+
use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(opts->idmap_ctx,
dom->name,
sid_str);
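Review bot: The `return ERR_DOMAIN_NOT_FOUND;` in the new SID-lookup branch skips the function's `done:` cleanup that every other error path in this function reaches through `goto done` (the failed `sdap_get_group_primary_name` call right below it, and the earlier `goto done` in the first hunk), so the `tmpctx` talloc context already in use at this point is presumably leaked whenever a SID resolves to no known domain; it should read `ret = ERR_DOMAIN_NOT_FOUND; goto done;`. Note also that `dom` is silently rebound from the caller's domain to the one `find_subdomain_by_sid` returns, and everything after this point (`sdap_get_group_primary_name`, `sdap_idmap_domain_has_algorithmic_mapping` via `dom->name`, and presumably the sysdb store) now operates on that domain; a one-line comment such as `/* dom now refers to the domain owning the SID, not the one searched */` would make that intentional reassignment visible to the next reader. Objects with no SID still land in the caller's `dom`, which is worth stating in the commit message as well. The enclosing sdap_save_group begins and ends outside this hunk.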