From 4517ac5121054f0f14dbcb977f0844d49817f4b8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 28 Jan 2015 14:04:45 +0100
Subject: [PATCH 187/188] AD: use GC for SID requests as well
|
If a universal group is looked up by SID, the cross-domain members must
be resolved with the help of the Global Catalog.
|
Related to https://fedorahosted.org/sssd/ticket/2514
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 561ed2fd03bab04cfdddbc09c4b48563c9d9b87e)
---
src/providers/ipa/ipa_subdomains_id.c | 1 +
src/providers/ldap/ldap_id.c | 38 ++++++++++++++++++++++++++---------
2 files changed, 29 insertions(+), 10 deletions(-)
|
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index c8714a216daff7506f00248e25c281529d0479c4..0508e14b690c144f4bace9ed14a326ac724eb910 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -603,6 +603,7 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
*/
switch (state->ar->entry_type & BE_REQ_TYPE_MASK) {
case BE_REQ_INITGROUPS:
+ case BE_REQ_BY_SECID:
case BE_REQ_GROUP:
clist = ad_gc_conn_list(req, ad_id_ctx, state->obj_dom);
if (clist == NULL) {
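Review bot: Routing BE_REQ_BY_SECID through ad_gc_conn_list() applies to every SID lookup, including SIDs that name users, yet this hunk shows no user-side fallback of the kind ldap_id.c's get_user_and_group_groups_done gains in the same commit; if the GC replica lacks the user attributes this provider needs, a by-SID user lookup could miss on the GC without an LDAP retry (I cannot see whether ipa_get_ad_acct_send handles that further down). The new case also deserves a line explaining the reason, since the switch otherwise reads as a bare list of request types: `/* A SID may name a universal group whose members live in other domains; only the GC can resolve those. */` above `case BE_REQ_BY_SECID:`. ipa_get_ad_acct_send continues outside the hunk.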
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 2e58f4e49eb33a85cbb8b4144c69004c6b5b312b..5ce462d77867f115fe5c0214fcb95b72a4370472 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -33,6 +33,7 @@
#include "providers/ldap/sdap_async.h"
#include "providers/ldap/sdap_idmap.h"
#include "providers/ldap/sdap_users.h"
+#include "providers/ad/ad_common.h"
|
/* =Users-Related-Functions-(by-name,by-uid)============================== */
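Review bot: Including providers/ad/ad_common.h makes the generic LDAP provider depend on AD-provider internals (struct ad_id_ctx and its gc_ctx/ldap_ctx members, used in a later hunk of this file), which inverts the layering where the AD code builds on ldap_id.c. The use is guarded at runtime by the SDAP_SCHEMA_AD check, but the header dependency is unconditional, so a short comment on the include would at least record why ldap_id.c reaches into the AD provider: `/* struct ad_id_ctx: GC -> LDAP fallback in get_user_and_group_groups_done */`.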
|
@@ -1745,6 +1746,8 @@ static void get_user_and_group_groups_done(struct tevent_req *subreq)
struct get_user_and_group_state *state = tevent_req_data(req,
struct get_user_and_group_state);
int ret;
+ struct ad_id_ctx *ad_id_ctx;
+ struct sdap_id_conn_ctx *user_conn;
|
ret = groups_get_recv(subreq, &state->dp_error, &state->sdap_ret);
talloc_zfree(subreq);
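Review bot: `user_conn` is declared without an initializer even though its default is known here, so it is indeterminate until the assignment in the later hunk of this function; initializing it at the declaration, `struct sdap_id_conn_ctx *user_conn = state->conn;`, closes that gap and lets the separate `user_conn = state->conn;` line in the retry path go. Keeping `ad_id_ctx` at the top rather than inside the AD-schema branch follows the file's declarations-at-top style, so that part is fine. get_user_and_group_groups_done starts and ends outside the hunk.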
@@ -1764,8 +1767,22 @@ static void get_user_and_group_groups_done(struct tevent_req *subreq)
|
/* Now the search finished fine but did not find an entry.
* Retry with users. */
+
+ user_conn = state->conn;
+ /* Prefer LDAP over GC for users */
+ if (state->id_ctx->opts->schema_type == SDAP_SCHEMA_AD
+ && state->sdom->pvt != NULL) {
+ ad_id_ctx = talloc_get_type(state->sdom->pvt, struct ad_id_ctx);
+ if (ad_id_ctx != NULL && ad_id_ctx->ldap_ctx != NULL
+ && state->conn == ad_id_ctx->gc_ctx) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Switching to LDAP connection for user lookup.\n");
+ user_conn = ad_id_ctx->ldap_ctx;
+ }
+ }
+
subreq = users_get_send(req, state->ev, state->id_ctx,
- state->sdom, state->conn,
+ state->sdom, user_conn,
state->filter_val, state->filter_type, NULL,
state->attrs_type, state->noexist_delete);
if (subreq == NULL) {
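Review bot: The comment `/* Prefer LDAP over GC for users */` states the policy but not the reason, and the switch only makes sense because a Global Catalog replica carries a partial attribute set, so a user entry found there may lack attributes the provider needs. Suggest `/* The GC holds only a partial attribute set, so a user found there may be incomplete; use the domain's LDAP connection when the group lookup went through the GC. */` in its place. The pointer comparison `state->conn == ad_id_ctx->gc_ctx` correctly leaves the connection alone when gc_ctx is NULL (GC disabled), which is worth a word in that comment too. get_user_and_group_groups_done starts and ends outside the hunk.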
@@ -1792,16 +1809,17 @@ static void get_user_and_group_users_done(struct tevent_req *subreq)
tevent_req_error(req, ret);
return;
}
-
if (state->sdap_ret == ENOENT) {
- /* The search ran to completion, but nothing was found.
- * Delete the existing entry, if any. */
- ret = sysdb_delete_by_sid(state->sysdb, state->domain,
- state->filter_val);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "Could not delete entry by SID!\n");
- tevent_req_error(req, ret);
- return;
+ if (state->noexist_delete == true) {
+ /* The search ran to completion, but nothing was found.
+ * Delete the existing entry, if any. */
+ ret = sysdb_delete_by_sid(state->sysdb, state->domain,
+ state->filter_val);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not delete entry by SID!\n");
+ tevent_req_error(req, ret);
+ return;
+ }
}
} else if (state->sdap_ret != EOK) {
tevent_req_error(req, EIO);
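Review bot: Gating the sysdb_delete_by_sid() call on state->noexist_delete changes cache semantics in get_user_and_group_users_done — with noexist_delete false, a cached entry the directory no longer returns is now kept — and neither the commit message nor the retained comment says so; presumably the intent is that an ENOENT from a non-authoritative (GC) lookup must not purge a valid entry, but that should be stated where the decision is made. Suggest replacing the two-line comment with `/* Nothing was found. Purge the cached entry only when the caller declared the miss authoritative (noexist_delete); a GC miss is not. */`. The `== true` in `if (state->noexist_delete == true)` is redundant for a bool; `if (state->noexist_delete) {` reads the same and avoids the comparison. get_user_and_group_users_done starts and ends outside the hunk.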
--
2.1.0