dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Source Code
GIT

Blame SOURCES/0108-AD-Only-connect-to-GC-for-subdomain-users.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s
  1.   9cb92d9417324a0393d82d33d06d4490da76e226
  2.   SOURCES
  3.   0108-AD-Only-connect-to-GC-for-subdomain-users.patch
Blob History Raw
2fc102 
From e62c422753537d8e2b98e979553626850b7b7600 Mon Sep 17 00:00:00 2001
2fc102 
From: Jakub Hrozek <jhrozek@redhat.com>
2fc102 
Date: Wed, 5 Mar 2014 11:50:54 +0100
2fc102 
Subject: [PATCH 108/110] AD: Only connect to GC for subdomain users
2fc102 
MIME-Version: 1.0
2fc102 
Content-Type: text/plain; charset=UTF-8
2fc102 
Content-Transfer-Encoding: 8bit
2fc102
2fc102 
https://fedorahosted.org/sssd/ticket/2251
2fc102
2fc102 
By connecting to GC for users from both trusted domains and parent
2fc102 
domain, we lose the ability to download the shell and homedir if these
2fc102 
are used with ID mapping.
2fc102
2fc102 
This patch changes the user lookups only. Changing the logic for all
2fc102 
lookups would break cross-domain group memberships, for example.
2fc102
2fc102 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
2fc102 
(cherry picked from commit bb8a08118db0916bf8252a9481c16271ec20acd3)
2fc102 
---
2fc102 
 src/providers/ad/ad_id.c | 17 +++++++++++++++++
2fc102 
 1 file changed, 17 insertions(+)
2fc102
2fc102 
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
2fc102 
index 87af656b364344a8ef27a444e5dfcf8848939110..a35823b4b77d42fc583a61653a175f0ee4d22ac4 100644
2fc102 
--- a/src/providers/ad/ad_id.c
2fc102 
+++ b/src/providers/ad/ad_id.c
2fc102 
@@ -215,9 +215,26 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
2fc102 
               struct sss_domain_info *dom, struct be_acct_req *ar)
2fc102 
 {
2fc102 
     struct sdap_id_conn_ctx **clist;
2fc102 
+    int cindex = 0;
2fc102
2fc102 
     switch (ar->entry_type & BE_REQ_TYPE_MASK) {
2fc102 
     case BE_REQ_USER: /* user */
2fc102 
+        clist = talloc_zero_array(ad_ctx, struct sdap_id_conn_ctx *, 3);
2fc102 
+        if (clist == NULL) return NULL;
2fc102 
+
2fc102 
+        /* Try GC first for users from trusted domains */
2fc102 
+        if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)
2fc102 
+                && IS_SUBDOMAIN(dom)) {
2fc102 
+            clist[cindex] = ad_ctx->gc_ctx;
2fc102 
+            clist[cindex]->ignore_mark_offline = true;
2fc102 
+            cindex++;
2fc102 
+        }
2fc102 
+
2fc102 
+        /* Users from primary domain can be just downloaded from LDAP.
2fc102 
+         * The domain's LDAP connection also works as a fallback
2fc102 
+         */
2fc102 
+        clist[cindex] = ad_get_dom_ldap_conn(ad_ctx, dom);
2fc102 
+        break;
2fc102 
     case BE_REQ_BY_SECID:   /* by SID */
2fc102 
     case BE_REQ_USER_AND_GROUP: /* get SID */
2fc102 
     case BE_REQ_GROUP: /* group */
2fc102 
--
2fc102 
1.8.5.3
2fc102

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation