From ed243335d3e74ab2cde49eacc9a85ca5408a8dec Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Fri, 15 Oct 2021 13:39:50 +0200

Subject: [PATCH 82/83] ad: only send cldap-ping to our local domain

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Since we are using the name of the local domain in the search filter of

the CLDAP ping only a DC from the local domain can send a proper reply.

DCs from other domains will only return an error so we can skip the

CLDAP ping for those domains.

Resolves: https://github.com/SSSD/sssd/issues/5822

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

(cherry picked from commit 724293d0873ee3229866ae4c13e1c8829375146f)

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

---

 src/providers/ad/ad_cldap_ping.c | 8 ++++++++

 1 file changed, 8 insertions(+)

diff --git a/src/providers/ad/ad_cldap_ping.c b/src/providers/ad/ad_cldap_ping.c

index 100d448f5..91db81bfc 100644

--- a/src/providers/ad/ad_cldap_ping.c

+++ b/src/providers/ad/ad_cldap_ping.c

@@ -621,6 +621,14 @@ struct tevent_req *ad_cldap_ping_send(TALLOC_CTX *mem_ctx,

         goto done;

     }

+    if (strcmp(srv_ctx->ad_domain, discovery_domain) != 0) {

+        DEBUG(SSSDBG_TRACE_ALL, "Trying to discover domain [%s] "

+              "which is not our local domain [%s], skipping CLDAP ping.\n",

+              discovery_domain, srv_ctx->ad_domain);

+        ret = EOK;

+        goto done;

+    }

+

     DEBUG(SSSDBG_TRACE_FUNC, "Sending CLDAP ping\n");

     state->ev = ev;

-- 

2.26.3