dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Blob Blame History Raw
From 4517ac5121054f0f14dbcb977f0844d49817f4b8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 28 Jan 2015 14:04:45 +0100
Subject: [PATCH 187/188] AD: use GC for SID requests as well

If a universal group is looked up by SID the cross-domain members must
be resolved with the help of the Global Catalog.

Related to https://fedorahosted.org/sssd/ticket/2514

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 561ed2fd03bab04cfdddbc09c4b48563c9d9b87e)
---
 src/providers/ipa/ipa_subdomains_id.c |  1 +
 src/providers/ldap/ldap_id.c          | 38 ++++++++++++++++++++++++++---------
 2 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index c8714a216daff7506f00248e25c281529d0479c4..0508e14b690c144f4bace9ed14a326ac724eb910 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -603,6 +603,7 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
      */
     switch (state->ar->entry_type & BE_REQ_TYPE_MASK) {
     case BE_REQ_INITGROUPS:
+    case BE_REQ_BY_SECID:
     case BE_REQ_GROUP:
         clist = ad_gc_conn_list(req, ad_id_ctx, state->obj_dom);
         if (clist == NULL) {
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 2e58f4e49eb33a85cbb8b4144c69004c6b5b312b..5ce462d77867f115fe5c0214fcb95b72a4370472 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -33,6 +33,7 @@
 #include "providers/ldap/sdap_async.h"
 #include "providers/ldap/sdap_idmap.h"
 #include "providers/ldap/sdap_users.h"
+#include "providers/ad/ad_common.h"
 
 /* =Users-Related-Functions-(by-name,by-uid)============================== */
 
@@ -1745,6 +1746,8 @@ static void get_user_and_group_groups_done(struct tevent_req *subreq)
     struct get_user_and_group_state *state = tevent_req_data(req,
                                                struct get_user_and_group_state);
     int ret;
+    struct ad_id_ctx *ad_id_ctx;
+    struct sdap_id_conn_ctx *user_conn;
 
     ret = groups_get_recv(subreq, &state->dp_error, &state->sdap_ret);
     talloc_zfree(subreq);
@@ -1764,8 +1767,22 @@ static void get_user_and_group_groups_done(struct tevent_req *subreq)
 
     /* Now the search finished fine but did not find an entry.
      * Retry with users. */
+
+    user_conn = state->conn;
+    /* Prefer LDAP over GC for users */
+    if (state->id_ctx->opts->schema_type == SDAP_SCHEMA_AD
+            && state->sdom->pvt != NULL) {
+        ad_id_ctx = talloc_get_type(state->sdom->pvt, struct ad_id_ctx);
+        if (ad_id_ctx != NULL &&  ad_id_ctx->ldap_ctx != NULL
+                && state->conn == ad_id_ctx->gc_ctx) {
+            DEBUG(SSSDBG_TRACE_ALL,
+                  "Switching to LDAP connection for user lookup.\n");
+            user_conn = ad_id_ctx->ldap_ctx;
+        }
+    }
+
     subreq = users_get_send(req, state->ev, state->id_ctx,
-                            state->sdom, state->conn,
+                            state->sdom, user_conn,
                             state->filter_val, state->filter_type, NULL,
                             state->attrs_type, state->noexist_delete);
     if (subreq == NULL) {
@@ -1792,16 +1809,17 @@ static void get_user_and_group_users_done(struct tevent_req *subreq)
         tevent_req_error(req, ret);
         return;
     }
-
     if (state->sdap_ret == ENOENT) {
-        /* The search ran to completion, but nothing was found.
-         * Delete the existing entry, if any. */
-        ret = sysdb_delete_by_sid(state->sysdb, state->domain,
-                                  state->filter_val);
-        if (ret != EOK) {
-            DEBUG(SSSDBG_OP_FAILURE, "Could not delete entry by SID!\n");
-            tevent_req_error(req, ret);
-            return;
+        if (state->noexist_delete == true) {
+            /* The search ran to completion, but nothing was found.
+             * Delete the existing entry, if any. */
+            ret = sysdb_delete_by_sid(state->sysdb, state->domain,
+                                      state->filter_val);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_OP_FAILURE, "Could not delete entry by SID!\n");
+                tevent_req_error(req, ret);
+                return;
+            }
         }
     } else if (state->sdap_ret != EOK) {
         tevent_req_error(req, EIO);
-- 
2.1.0