2 files changed, 71 insertions, 5 deletions

diff --git a/src/lib/idmap/sss_idmap.c b/src/lib/idmap/sss_idmap.c
index 89c55fc95..17bd5779e 100644
--- a/src/lib/idmap/sss_idmap.c
+++ b/src/lib/idmap/sss_idmap.c
@@ -357,11 +357,13 @@ static enum idmap_error_code dom_check_collision(
         /* TODO: if both ranges have the same ID check if an update is
          * needed. */
 
-        /* check if ID ranges overlap */
-        if ((new_dom->range->min >= dom->range->min
-                && new_dom->range->min <= dom->range->max)
-            || (new_dom->range->max >= dom->range->min
-                && new_dom->range->max <= dom->range->max)) {
+        /* Check if ID ranges overlap.
+         * ID ranges with external mapping may overlap. */
+        if ((!new_dom->external_mapping && !dom->external_mapping)
+            && ((new_dom->range->min >= dom->range->min
+                    && new_dom->range->min <= dom->range->max)
+                || (new_dom->range->max >= dom->range->min
+                    && new_dom->range->max <= dom->range->max))) {
             return IDMAP_COLLISION;
         }
 
diff --git a/src/tests/sss_idmap-tests.c b/src/tests/sss_idmap-tests.c
index eb204137a..65e61351d 100644
--- a/src/tests/sss_idmap-tests.c
+++ b/src/tests/sss_idmap-tests.c
@@ -29,6 +29,9 @@
 #define IDMAP_RANGE_MIN 1234
 #define IDMAP_RANGE_MAX 9876
 
+#define IDMAP_RANGE_MIN2 11234
+#define IDMAP_RANGE_MAX2 19876
+
 const char test_sid[] = "S-1-5-21-2127521184-1604012920-1887927527-72713";
 uint8_t test_bin_sid[] = {0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15,
                           0x00, 0x00, 0x00, 0xA0, 0x65, 0xCF, 0x7E, 0x78, 0x4B,
@@ -142,6 +145,65 @@ START_TEST(idmap_test_add_domain)
 }
 END_TEST
 
+START_TEST(idmap_test_add_domain_collisions)
+{
+    enum idmap_error_code err;
+    struct sss_idmap_range range = {IDMAP_RANGE_MIN, IDMAP_RANGE_MAX};
+    struct sss_idmap_range range2 = {IDMAP_RANGE_MIN2, IDMAP_RANGE_MAX2};
+
+    err = sss_idmap_add_domain(idmap_ctx, "test.dom", "S-1-5-21-1-2-3", &range);
+    fail_unless(err == IDMAP_SUCCESS, "sss_idmap_add_domain failed.");
+
+    err = sss_idmap_add_domain(idmap_ctx, "test.dom", "S-1-5-21-1-2-4",
+                               &range2);
+    fail_unless(err == IDMAP_COLLISION,
+                "sss_idmap_add_domain added domain with the same name.");
+
+    err = sss_idmap_add_domain(idmap_ctx, "test.dom2", "S-1-5-21-1-2-3",
+                               &range2);
+    fail_unless(err == IDMAP_COLLISION,
+                "sss_idmap_add_domain added domain with the same SID.");
+
+    err = sss_idmap_add_domain(idmap_ctx, "test.dom2", "S-1-5-21-1-2-4",
+                               &range);
+    fail_unless(err == IDMAP_COLLISION,
+                "sss_idmap_add_domain added domain with the same range.");
+
+    err = sss_idmap_add_domain(idmap_ctx, "test.dom2", "S-1-5-21-1-2-4",
+                               &range2);
+    fail_unless(err == IDMAP_SUCCESS,
+                "sss_idmap_add_domain failed to add second domain.");
+}
+END_TEST
+
+START_TEST(idmap_test_add_domain_collisions_ext_mapping)
+{
+    enum idmap_error_code err;
+    struct sss_idmap_range range = {IDMAP_RANGE_MIN, IDMAP_RANGE_MAX};
+    struct sss_idmap_range range2 = {IDMAP_RANGE_MIN2, IDMAP_RANGE_MAX2};
+
+    err = sss_idmap_add_domain_ex(idmap_ctx, "test.dom", "S-1-5-21-1-2-3",
+                                  &range, NULL, 0, true);
+    fail_unless(err == IDMAP_SUCCESS, "sss_idmap_add_domain failed.");
+
+    err = sss_idmap_add_domain_ex(idmap_ctx, "test.dom", "S-1-5-21-1-2-4",
+                                  &range2, NULL, 0, true);
+    fail_unless(err == IDMAP_COLLISION,
+                "sss_idmap_add_domain added domain with the same name.");
+
+    err = sss_idmap_add_domain_ex(idmap_ctx, "test.dom2", "S-1-5-21-1-2-3",
+                                  &range2, NULL, 0, true);
+    fail_unless(err == IDMAP_COLLISION,
+                "sss_idmap_add_domain added domain with the same SID.");
+
+    err = sss_idmap_add_domain_ex(idmap_ctx, "test.dom2", "S-1-5-21-1-2-4",
+                                  &range, NULL, 0, true);
+    fail_unless(err == IDMAP_SUCCESS,
+                "sss_idmap_add_domain failed to add second domain with " \
+                "external mapping and the same range.");
+}
+END_TEST
+
 START_TEST(idmap_test_sid2uid)
 {
     enum idmap_error_code err;
@@ -510,6 +572,8 @@ Suite *idmap_test_suite (void)
                               idmap_ctx_teardown);
 
     tcase_add_test(tc_dom, idmap_test_add_domain);
+    tcase_add_test(tc_dom, idmap_test_add_domain_collisions);
+    tcase_add_test(tc_dom, idmap_test_add_domain_collisions_ext_mapping);
 
     suite_add_tcase(s, tc_dom);