Blame SOURCES/0025-IPA-Use-dereference-for-host-groups-even-if-the-conf.patch

841ac7
From 2c97edb4bd965499fe4cc39710de1a565c1b40d3 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 12 Mar 2019 12:48:48 +0100
Subject: [PATCH 25/25] IPA: Use dereference for host groups even if the
 configuration disables dereference
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Related:
https://pagure.io/SSSD/sssd/issue/3979
In some cases, it makes sense for performance reasons to disable
dereference when processing user groups. But since processing of HBAC host
groups is not much of a performance sensitive operation, we can get away
with ignoring the client side setting and always using the dereference
branch if the server supports the dereference call.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 9d63616000c0c886a6da87708a460218a9e24474)
---
 src/man/sssd-ldap.5.xml       | 11 +++++++++--
 src/providers/ipa/ipa_hosts.c |  2 +-
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 5b858be62..25acc19e6 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1601,8 +1601,15 @@
                             they are looked up individually.
                         </para>
                         <para>
-                            You can turn off dereference lookups completely by
-                            setting the value to 0.
+                            You can turn off dereference lookups completely
+                            by setting the value to 0. Please note that
+                            there are some codepaths in SSSD, like the IPA
+                            HBAC provider, that are only implemented using
+                            the dereference call, so even with dereference
+                            explicitly disabled, those parts will still
+                            use dereference if the server supports it
+                            and advertises the dereference control in the
+                            rootDSE object.
                         </para>
                         <para>
                             A dereference lookup is a means of fetching all
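Review bot: The sentence added to the second <para> says what happens when the server advertises the dereference control, but not what happens when it does not, and it leaves the affected code open-ended ("some codepaths in SSSD, like the IPA HBAC provider"). The ipa_hosts.c change in this same patch returns EIO with "Server does not support deref" in that case, so the man page should say that the host group lookup fails rather than falling back to individual lookups. It would also help to name the one path this patch actually changes (host group processing in the IPA provider) instead of "some codepaths", so an administrator who set the value to 0 knows exactly where dereference traffic can still appear.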
diff --git a/src/providers/ipa/ipa_hosts.c b/src/providers/ipa/ipa_hosts.c
index 288bfb865..e209bca67 100644
--- a/src/providers/ipa/ipa_hosts.c
+++ b/src/providers/ipa/ipa_hosts.c
@@ -157,7 +157,7 @@ ipa_host_info_done(struct tevent_req *subreq)
                 return;
             }
 
-            if (!sdap_has_deref_support(state->sh, state->opts)) {
+            if (!sdap_has_deref_support_ex(state->sh, state->opts, true)) {
                 DEBUG(SSSDBG_CRIT_FAILURE, "Server does not support deref\n");
                 tevent_req_error(req, EIO);
                 return;
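Review bot: The bare `true` passed as the third argument in `sdap_has_deref_support_ex(state->sh, state->opts, true)` does not say what it switches on, and the function is not defined anywhere in this diff (the diffstat lists only sssd-ldap.5.xml and ipa_hosts.c), so the call cannot be checked from this patch alone. A short comment above the condition stating that the client-side dereference setting is deliberately ignored here would make the intent reviewable at the call site. The unchanged debug text "Server does not support deref" is still accurate, but since this branch now fails with EIO even for clients that disabled dereference, consider having the message mention that host group lookup requires it, so the failure is easier to diagnose from logs.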
-- 
2.19.1