From 46b194196749d4ea77d5d4e6bdd64d7c0996b105 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 31 Aug 2021 12:59:15 +0200
Subject: [PATCH] sdap: always create sdap object for a forest root
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Even if the forest root is disabled for user and group lookups, an sdap
object is still needed to look up trusted domains.
This already works if the forest root is discovered for the first time
at runtime. But if SSSD is restarted only the domain object but not the
sdap object is created.
Resolves: https://github.com/SSSD/sssd/issues/5770
:fixes: Even if the forest root is disabled for lookups all required
internal data is initialized to be able to refresh the list of trusted
domains in the forest from a DC of the forest root.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 2a617c0efc07d10efc0688652bfe7ab2d8d6f477)
---
src/providers/ldap/sdap_domain.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c
index d384b2e4a..fa6e9340d 100644
--- a/src/providers/ldap/sdap_domain.c
+++ b/src/providers/ldap/sdap_domain.c
@@ -132,9 +132,17 @@ sdap_domain_subdom_add(struct sdap_id_ctx *sdap_id_ctx,
struct sdap_domain *sdom, *sditer;
errno_t ret;
- for (dom = get_next_domain(parent, SSS_GND_DESCEND);
+ for (dom = get_next_domain(parent, SSS_GND_DESCEND|SSS_GND_INCLUDE_DISABLED);
dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
- dom = get_next_domain(dom, 0)) {
+ dom = get_next_domain(dom, SSS_GND_INCLUDE_DISABLED)) {
+
+ /* Always create sdap domain object for the forest root, even if it is
+ * disabled so that we can connect later to discover trusted domains
+ * in the forest. */
+ if (sss_domain_get_state(dom) == DOM_DISABLED
+ && !sss_domain_is_forest_root(dom)) {
+ continue;
+ }
DLIST_FOR_EACH(sditer, sdom_list) {
if (sditer->dom == dom) {
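Review bot: With the new guard a DOM_DISABLED forest root now gets a `struct sdap_domain` entry in `sdom_list`, but nothing in the hunk marks that entry as "trust discovery only", so any code that walks `sdom_list` for user or group lookups has to apply its own `sss_domain_get_state(...) == DOM_DISABLED` check; those consumers are outside this hunk and are worth confirming before merge. A short comment on the loop would make the contract explicit for them, e.g. `/* NOTE: sdom_list may now contain a disabled forest root; consumers must check the domain state before using it for lookups. */`. The function's own header comment (above the hunk, not visible here) should also state that disabled domains are skipped except for the forest root. sdap_domain_subdom_add starts before the hunk and its loop body continues past it.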
--
2.26.3