From 168396cd93b3f0e42b4842f520f2bcece91274c6 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Fri, 29 Nov 2013 11:39:09 +0100

Subject: [PATCH 29/31] AD: Add a new option to turn off GC lookups

SSSD now defaults to using GC by default. For some environments, for

instance those that don't or can't replicate the POSIX attributes to

Global Catalog, this might not be desirable.

This patch introduces a new option ad_enable_gc, that is enabled by

default. Setting this option to false makes the SSSD contact only the

LDAP port of AD DCs.

---

 src/config/etc/sssd.api.d/sssd-ad.conf |  1 +

 src/man/sssd-ad.5.xml                  | 17 +++++++++++++++++

 src/providers/ad/ad_common.c           | 31 ++++++++++++++++++-------------

 src/providers/ad/ad_common.h           |  1 +

 src/providers/ad/ad_opts.h             |  1 +

 src/tests/cmocka/test_ad_common.c      | 20 ++++++++++++++++++++

 6 files changed, 58 insertions(+), 13 deletions(-)

diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf

index 9f606f6c4da65d4bfb20a97ee27801dac9307868..00e8968d2b6dab33a39005f11a497cb3e2185302 100644

--- a/src/config/etc/sssd.api.d/sssd-ad.conf

+++ b/src/config/etc/sssd.api.d/sssd-ad.conf

@@ -5,6 +5,7 @@ ad_backup_server = str, None, false

 ad_hostname = str, None, false

 ad_enable_dns_sites = bool, None, false

 ad_access_filter = str, None, false

+ad_enable_gc = bool, None, false

 ldap_uri = str, None, false

 ldap_backup_uri = str, None, false

 ldap_search_base = str, None, false

diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml

index e31f87a96a14907c64166e53da443ad735c6e85e..38cc31278cf87c98ca9e53cf91fda7b141bff78d 100644

--- a/src/man/sssd-ad.5.xml

+++ b/src/man/sssd-ad.5.xml

@@ -228,6 +228,23 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)

                 </varlistentry>

                 <varlistentry>

+                    <term>ad_enable_gc (boolean)</term>

+                    <listitem>

+                        <para>

+                            By default, the SSSD connects to the Global

+                            Catalog first to retrieve users and uses the

+                            LDAP port to retrieve group memberships or

+                            as a fallback. Disabling this option makes

+                            the SSSD only connect to the LDAP port of the

+                            current AD server.

+                        </para>

+                        <para>

+                            Default: true

+                        </para>

+                    </listitem>

+                </varlistentry>

+

+                <varlistentry>

                     <term>dyndns_update (boolean)</term>

                     <listitem>

                         <para>

diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c

index af0ec839964233c7642205f4489e5b6462509848..a5ea4f587f30575a5903d8ae1a459f53512c011f 100644

--- a/src/providers/ad/ad_common.c

+++ b/src/providers/ad/ad_common.c

@@ -1125,26 +1125,31 @@ ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,

                 struct sss_domain_info *dom)

 {

     struct sdap_id_conn_ctx **clist;

+    int cindex = 0;

     clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 3);

     if (clist == NULL) return NULL;

     /* Always try GC first */

-    clist[0] = ad_ctx->gc_ctx;

-    if (IS_SUBDOMAIN(dom) == true) {

-        clist[0]->ignore_mark_offline = false;

-        /* Subdomain users are only present in GC. */

-        return clist;

+    if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)) {

+        clist[cindex] = ad_ctx->gc_ctx;

+        if (IS_SUBDOMAIN(dom) == true) {

+            clist[cindex]->ignore_mark_offline = false;

+            /* Subdomain users are only present in GC. */

+            return clist;

+        }

+        /* fall back to ldap if gc is not available */

+        clist[cindex]->ignore_mark_offline = true;

+        cindex++;

     }

-    /* fall back to ldap if gc is not available */

-    clist[0]->ignore_mark_offline = true;

-

-    /* With root domain users we have the option to

-     * fall back to LDAP in case ie POSIX attributes

-     * are used but not replicated to GC

-     */

-    clist[1] = ad_ctx->ldap_ctx;

+    if (IS_SUBDOMAIN(dom) == false) {

+        /* With root domain users we have the option to

+         * fall back to LDAP in case ie POSIX attributes

+         * are used but not replicated to GC

+         */

+        clist[cindex] = ad_ctx->ldap_ctx;

+    }

     return clist;

 }

diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h

index ed5b8584dc5327a24e60985486c6155604271fd2..d370cef69124c127f41d7c4cbaa25713363e7752 100644

--- a/src/providers/ad/ad_common.h

+++ b/src/providers/ad/ad_common.h

@@ -42,6 +42,7 @@ enum ad_basic_opt {

     AD_KRB5_REALM,

     AD_ENABLE_DNS_SITES,

     AD_ACCESS_FILTER,

+    AD_ENABLE_GC,

     AD_OPTS_BASIC /* opts counter */

 };

diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h

index 8022a16274a04389b7a64b491ec28a0c3c55aaef..5b7b1c89f5f45d7cc744a955e6378390948a99fd 100644

--- a/src/providers/ad/ad_opts.h

+++ b/src/providers/ad/ad_opts.h

@@ -36,6 +36,7 @@ struct dp_option ad_basic_opts[] = {

     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},

     { "ad_enable_dns_sites", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },

     { "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},

+    { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },

     DP_OPTION_TERMINATOR

 };

diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c

index 648b68f2dc05947b1fbb4c680ec63d3c2c6275b3..07502b82d43d730562c60125b639d8e7d1034458 100644

--- a/src/tests/cmocka/test_ad_common.c

+++ b/src/tests/cmocka/test_ad_common.c

@@ -159,6 +159,8 @@ void test_conn_list(void **state)

                                                      struct ad_common_test_ctx);

     assert_non_null(test_ctx);

+    assert_true(dp_opt_get_bool(test_ctx->ad_ctx->ad_options->basic,

+                                AD_ENABLE_GC));

     conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->dom);

     assert_non_null(conn_list);

@@ -177,6 +179,24 @@ void test_conn_list(void **state)

     assert_false(conn_list[0]->ignore_mark_offline);

     assert_null(conn_list[1]);

     talloc_free(conn_list);

+

+    dp_opt_set_bool(test_ctx->ad_ctx->ad_options->basic, AD_ENABLE_GC, false);

+    assert_false(dp_opt_get_bool(test_ctx->ad_ctx->ad_options->basic,

+                                 AD_ENABLE_GC));

+

+    conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->dom);

+    assert_non_null(conn_list);

+

+    assert_true(conn_list[0] == test_ctx->ad_ctx->ldap_ctx);

+    assert_false(conn_list[0]->ignore_mark_offline);

+    assert_null(conn_list[1]);

+    talloc_free(conn_list);

+

+    conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->subdom);

+    assert_non_null(conn_list);

+

+    assert_null(conn_list[0]);

+    talloc_free(conn_list);

 }

 int main(int argc, const char *argv[])

-- 

1.8.4.2