|
 |
905b4d |
From 8a18e0f42e45a29ca78f5ec2c21987cd8df3474d Mon Sep 17 00:00:00 2001
|
|
|
905b4d |
From: Sumit Bose <sbose@redhat.com>
|
|
|
905b4d |
Date: Fri, 23 Jan 2015 14:39:07 +0100
|
|
|
905b4d |
Subject: [PATCH 177/177] sysdb: remove ghosts in all sub-domains as well
|
|
|
905b4d |
|
|
|
905b4d |
If a user is a member is a group in a different sub-domain, e.g with
|
|
|
905b4d |
universal groups in AD, the ghost attribute might not be properly
|
|
|
905b4d |
removed from the group object if the user is resolved. The reason is
|
|
|
905b4d |
that only groups from the domain of the user were search for ghost
|
|
|
905b4d |
attributes. This patch increases the search-base to all sub-domains of
|
|
|
905b4d |
the configured SSSD domain.
|
|
|
905b4d |
|
|
|
905b4d |
Resolves https://fedorahosted.org/sssd/ticket/2567
|
|
|
905b4d |
|
|
|
905b4d |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
905b4d |
(cherry picked from commit fc2146c108e28d50bbf691925cedf9592142dd14)
|
|
|
905b4d |
---
|
|
|
905b4d |
src/db/sysdb_ops.c | 5 +++--
|
|
|
905b4d |
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
905b4d |
|
|
|
905b4d |
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
|
|
905b4d |
index b12540b68d1c81c419455416294f3449dd84914e..0c254d8cdad1144c32aad7e470fa2a35cd24b38b 100644
|
|
|
905b4d |
--- a/src/db/sysdb_ops.c
|
|
|
905b4d |
+++ b/src/db/sysdb_ops.c
|
|
|
905b4d |
@@ -1219,8 +1219,9 @@ sysdb_remove_ghostattr_from_groups(struct sss_domain_info *domain,
|
|
|
905b4d |
ERROR_OUT(ret, EINVAL, done);
|
|
|
905b4d |
}
|
|
|
905b4d |
|
|
|
905b4d |
- tmpdn = ldb_dn_new_fmt(tmp_ctx, domain->sysdb->ldb,
|
|
|
905b4d |
- SYSDB_TMPL_GROUP_BASE, domain->name);
|
|
|
905b4d |
+ /* To cover cross-domain group-membership we must search in all
|
|
|
905b4d |
+ * sub-domains. */
|
|
|
905b4d |
+ tmpdn = ldb_dn_new(tmp_ctx, domain->sysdb->ldb, SYSDB_BASE);
|
|
|
905b4d |
if (!tmpdn) {
|
|
|
905b4d |
ret = ENOMEM;
|
|
|
905b4d |
goto done;
|
|
|
905b4d |
--
|
|
|
905b4d |
2.1.0
|
|
|
905b4d |
|