Blob Blame History Raw
From 8b581624e18d6f232d3174ed112d032bb6deffba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 12 Nov 2013 13:52:40 +0100
Subject: [PATCH 24/31] ad: refactor tokengroups initgroups

sdap_get_ad_tokengroups_initgroups is split into more parts so
it can be reused later.
---
 src/providers/ldap/sdap_async.h               |  20 +-
 src/providers/ldap/sdap_async_initgroups.c    |  16 +-
 src/providers/ldap/sdap_async_initgroups_ad.c | 552 ++++++++++++++++----------
 3 files changed, 357 insertions(+), 231 deletions(-)

diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index dbf572cdc82b100ba9c26b4853f05db1ba5fa4ed..67623454e675f648259c089acca59258f386ecdb 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -294,17 +294,17 @@ sdap_get_ad_match_rule_initgroups_recv(struct tevent_req *req);
 
 
 struct tevent_req *
-sdap_get_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
-                                        struct tevent_context *ev,
-                                        struct sdap_options *opts,
-                                        struct sysdb_ctx *sysdb,
-                                        struct sss_domain_info *domain,
-                                        struct sdap_handle *sh,
-                                        const char *name,
-                                        const char *orig_dn,
-                                        int timeout);
+sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
+                                    struct tevent_context *ev,
+                                    struct sdap_options *opts,
+                                    struct sysdb_ctx *sysdb,
+                                    struct sss_domain_info *domain,
+                                    struct sdap_handle *sh,
+                                    const char *name,
+                                    const char *orig_dn,
+                                    int timeout);
 
 errno_t
-sdap_get_ad_tokengroups_initgroups_recv(struct tevent_req *req);
+sdap_ad_tokengroups_initgroups_recv(struct tevent_req *req);
 
 #endif /* _SDAP_ASYNC_H_ */
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index c16d484950e06c8474cc38db45b978b624473056..7d5cd2e7cbd86e2eb9774dfee1b8e31edec57b88 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2857,13 +2857,13 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
             /* Take advantage of AD's tokenGroups mechanism to look up all
              * parent groups in a single request.
              */
-            subreq = sdap_get_ad_tokengroups_initgroups_send(state, state->ev,
-                                                             state->opts,
-                                                             state->sysdb,
-                                                             state->dom,
-                                                             state->sh,
-                                                             cname, orig_dn,
-                                                             state->timeout);
+            subreq = sdap_ad_tokengroups_initgroups_send(state, state->ev,
+                                                         state->opts,
+                                                         state->sysdb,
+                                                         state->dom,
+                                                         state->sh,
+                                                         cname, orig_dn,
+                                                         state->timeout);
         } else if (state->opts->support_matching_rule
                     && dp_opt_get_bool(state->opts->basic,
                                        SDAP_AD_MATCHING_RULE_INITGROUPS)) {
@@ -2952,7 +2952,7 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
     case SDAP_SCHEMA_AD:
         if (state->use_id_mapping
                 && state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008) {
-            ret = sdap_get_ad_tokengroups_initgroups_recv(subreq);
+            ret = sdap_ad_tokengroups_initgroups_recv(subreq);
         }
         else if (state->opts->support_matching_rule
                 && dp_opt_get_bool(state->opts->basic,
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index e58d93fb2da36febd6074381882192ba9e204e86..7ba155338a358681c1bd201bee1c75f67afb4650 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -298,96 +298,87 @@ sdap_get_ad_match_rule_initgroups_recv(struct tevent_req *req)
     return EOK;
 }
 
-struct sdap_ad_tokengroups_initgr_state {
+struct sdap_get_ad_tokengroups_state {
     struct tevent_context *ev;
-    struct sdap_options *opts;
-    struct sysdb_ctx *sysdb;
-    struct sss_domain_info *domain;
-    struct sdap_handle *sh;
+    struct sss_idmap_ctx *idmap_ctx;
     const char *username;
+
+    char **sids;
+    size_t num_sids;
 };
 
-static void
-sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *req);
+static void sdap_get_ad_tokengroups_done(struct tevent_req *subreq);
 
-struct tevent_req *
-sdap_get_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
-                                        struct tevent_context *ev,
-                                        struct sdap_options *opts,
-                                        struct sysdb_ctx *sysdb,
-                                        struct sss_domain_info *domain,
-                                        struct sdap_handle *sh,
-                                        const char *name,
-                                        const char *orig_dn,
-                                        int timeout)
+static struct tevent_req *
+sdap_get_ad_tokengroups_send(TALLOC_CTX *mem_ctx,
+                             struct tevent_context *ev,
+                             struct sdap_options *opts,
+                             struct sdap_handle *sh,
+                             const char *name,
+                             const char *orig_dn,
+                             int timeout)
 {
-    struct tevent_req *req;
-    struct tevent_req *subreq;
-    struct sdap_ad_tokengroups_initgr_state *state;
+    struct sdap_get_ad_tokengroups_state *state = NULL;
+    struct tevent_req *req = NULL;
+    struct tevent_req *subreq = NULL;
     const char *attrs[] = {AD_TOKENGROUPS_ATTR, NULL};
+    errno_t ret;
 
     req = tevent_req_create(mem_ctx, &state,
-                            struct sdap_ad_tokengroups_initgr_state);
-    if (!req) return NULL;
+                            struct sdap_get_ad_tokengroups_state);
+    if (req == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, ("tevent_req_create() failed\n"));
+        return NULL;
+    }
 
+    state->idmap_ctx = opts->idmap_ctx->map;
     state->ev = ev;
-    state->opts = opts;
-    state->sysdb = sysdb;
-    state->domain = domain;
-    state->sh = sh;
-    state->username = name;
+    state->username = talloc_strdup(state, name);
+    if (state->username == NULL) {
+        ret = ENOMEM;
+        goto immediately;
+    }
+
+    subreq = sdap_get_generic_send(state, state->ev, opts, sh, orig_dn,
+                                   LDAP_SCOPE_BASE, NULL, attrs,
+                                   NULL, 0, timeout, false);
+    if (subreq == NULL) {
+        ret = ENOMEM;
+        goto immediately;
+    }
+
+    tevent_req_set_callback(subreq, sdap_get_ad_tokengroups_done, req);
+
+    return req;
 
-    subreq = sdap_get_generic_send(
-            state, state->ev, state->opts, state->sh,
-            orig_dn, LDAP_SCOPE_BASE, NULL, attrs,
-            NULL, 0, timeout, false);
-    if (!subreq) {
-        tevent_req_error(req, ENOMEM);
-        tevent_req_post(req, ev);
-        return req;
+immediately:
+    if (ret == EOK) {
+        tevent_req_done(req);
+    } else {
+        tevent_req_error(req, ret);
     }
+    tevent_req_post(req, ev);
 
-    tevent_req_set_callback(subreq,
-                            sdap_get_ad_tokengroups_initgroups_lookup_done,
-                            req);
     return req;
 }
 
-static void
-sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq)
+static void sdap_get_ad_tokengroups_done(struct tevent_req *subreq)
 {
-    errno_t ret, sret;
+    TALLOC_CTX *tmp_ctx = NULL;
+    struct sdap_get_ad_tokengroups_state *state = NULL;
+    struct tevent_req *req = NULL;
+    struct sysdb_attrs **users = NULL;
+    struct ldb_message_element *el = NULL;
     enum idmap_error_code err;
-    size_t user_count, group_count, i;
-    TALLOC_CTX *tmp_ctx;
-    bool in_transaction = false;
     char *sid_str = NULL;
-    gid_t gid;
-    time_t now;
-    struct sss_domain_info *group_domain;
-    struct sysdb_attrs **users;
-    struct ldb_message_element *el;
-    struct ldb_message *msg;
-    struct ldb_dn *group_ldb_dn;
-    const char *group_str_dn;
-    char **ldap_grouplist;
-    char **sysdb_grouplist;
-    char **add_groups;
-    char **del_groups;
-    const char *attrs[] = { SYSDB_NAME, NULL };
-    const char *group_name;
-    struct tevent_req *req =
-            tevent_req_callback_data(subreq, struct tevent_req);
-    struct sdap_ad_tokengroups_initgr_state *state =
-            tevent_req_data(req, struct sdap_ad_tokengroups_initgr_state);
+    size_t num_users;
+    size_t i;
+    errno_t ret;
 
-    tmp_ctx = talloc_new(NULL);
-    if (!tmp_ctx) {
-        ret = ENOMEM;
-        goto done;
-    }
+    req = tevent_req_callback_data(subreq, struct tevent_req);
+    state = tevent_req_data(req, struct sdap_get_ad_tokengroups_state);
 
-    ret = sdap_get_generic_recv(subreq, tmp_ctx, &user_count, &users);
+    ret = sdap_get_generic_recv(subreq, tmp_ctx, &num_users, &users);
     talloc_zfree(subreq);
     if (ret != EOK) {
         DEBUG(SSSDBG_MINOR_FAILURE,
@@ -395,226 +386,361 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq)
         goto done;
     }
 
-    if (user_count != 1) {
+    if (num_users != 1) {
         DEBUG(SSSDBG_MINOR_FAILURE,
               ("More than one result on a base search!\n"));
         ret = EINVAL;
         goto done;
     }
 
-    /* Get the list of group SIDs */
-    ret = sysdb_attrs_get_el_ext(users[0], AD_TOKENGROUPS_ATTR,
-                                 false, &el);
-    if (ret != EOK) {
-        if (ret == ENOENT) {
-            DEBUG(SSSDBG_TRACE_LIBS,
-                  ("No tokenGroups entries for [%s]\n",
-                   state->username));
-            /* No groups in LDAP. We need to ensure that the
-             * sysdb matches.
-             */
-            el = talloc_zero(tmp_ctx, struct ldb_message_element);
-            if (!el) {
-                ret = ENOMEM;
-                goto done;
-            }
-            el->num_values = 0;
+    /* get the list of sids from tokengroups */
+    ret = sysdb_attrs_get_el_ext(users[0], AD_TOKENGROUPS_ATTR, false, &el);
+    if (ret == ENOENT) {
+        DEBUG(SSSDBG_TRACE_LIBS, ("No tokenGroups entries for [%s]\n",
+                                  state->username));
 
-            /* This will skip the group-processing loop below
-             * and proceed to removing any sysdb groups.
-             */
-        } else {
-            DEBUG(SSSDBG_MINOR_FAILURE,
-                  ("Could not read tokenGroups attribute: [%s]\n",
-                   strerror(ret)));
-            goto done;
-        }
+        state->sids = NULL;
+        state->num_sids = 0;
+        ret = EOK;
+        goto done;
+    } else if (ret != EOK) {
+        DEBUG(SSSDBG_MINOR_FAILURE, ("Could not read tokenGroups attribute: "
+                                     "[%s]\n", strerror(ret)));
+        goto done;
     }
 
-    /* Process the groups */
-    now = time(NULL);
-
-    ret = sysdb_transaction_start(state->sysdb);
-    if (ret != EOK) goto done;
-    in_transaction = true;
-
-    ldap_grouplist = talloc_array(tmp_ctx, char *, el->num_values + 1);
-    if (!ldap_grouplist) {
+    state->num_sids = 0;
+    state->sids = talloc_zero_array(state, char*, el->num_values);
+    if (state->sids == NULL) {
         ret = ENOMEM;
         goto done;
     }
-    group_count = 0;
 
+    /* convert binary sid to string */
     for (i = 0; i < el->num_values; i++) {
-        /* Get the SID and convert it to a GID */
-
-        err = sss_idmap_bin_sid_to_sid(state->opts->idmap_ctx->map,
-                                        el->values[i].data,
-                                        el->values[i].length,
-                                        &sid_str);
+        err = sss_idmap_bin_sid_to_sid(state->idmap_ctx, el->values[i].data,
+                                       el->values[i].length, &sid_str);
         if (err != IDMAP_SUCCESS) {
             DEBUG(SSSDBG_MINOR_FAILURE,
                   ("Could not convert binary SID to string: [%s]. Skipping\n",
                    idmap_error_string(err)));
             continue;
         }
-        DEBUG(SSSDBG_TRACE_LIBS,
-              ("Processing membership SID [%s]\n",
-               sid_str));
-        ret = sdap_idmap_sid_to_unix(state->opts->idmap_ctx, sid_str,
-                                     &gid);
+
+        state->sids[i] = talloc_move(state->sids, &sid_str);
+        state->num_sids++;
+    }
+
+    /* shrink array to final number of elements */
+    state->sids = talloc_realloc(state, state->sids, char*, state->num_sids);
+    if (state->sids == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ret = EOK;
+
+done:
+    talloc_free(tmp_ctx);
+
+    if (ret != EOK) {
+        tevent_req_error(req, ret);
+        return;
+    }
+
+    tevent_req_done(req);
+}
+
+static errno_t sdap_get_ad_tokengroups_recv(TALLOC_CTX *mem_ctx,
+                                            struct tevent_req *req,
+                                            size_t *_num_sids,
+                                            char ***_sids)
+{
+    struct sdap_get_ad_tokengroups_state *state = NULL;
+    state = tevent_req_data(req, struct sdap_get_ad_tokengroups_state);
+
+    TEVENT_REQ_RETURN_ON_ERROR(req);
+
+    if (_num_sids != NULL) {
+        *_num_sids = state->num_sids;
+    }
+
+    if (_sids != NULL) {
+        *_sids = talloc_steal(mem_ctx, state->sids);
+    }
+
+    return EOK;
+}
+
+static errno_t
+sdap_ad_tokengroups_update_members(TALLOC_CTX *mem_ctx,
+                                   const char *username,
+                                   struct sysdb_ctx *sysdb,
+                                   struct sss_domain_info *domain,
+                                   char **ldap_groups)
+{
+    TALLOC_CTX *tmp_ctx = NULL;
+    char **sysdb_groups = NULL;
+    char **add_groups = NULL;
+    char **del_groups = NULL;
+    errno_t ret;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_new() failed\n"));
+        return ENOMEM;
+    }
+
+    /* Get the current sysdb group list for this user so we can update it. */
+    ret = get_sysdb_grouplist_dn(tmp_ctx, sysdb, domain,
+                                 username, &sysdb_groups);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_MINOR_FAILURE, ("Could not get the list of groups for "
+              "[%s] in the sysdb: [%s]\n", username, strerror(ret)));
+        goto done;
+    }
+
+    /* Find the differences between the sysdb and LDAP lists.
+     * Groups in the sysdb only must be removed. */
+    ret = diff_string_lists(tmp_ctx, ldap_groups, sysdb_groups,
+                            &add_groups, &del_groups, NULL);
+    if (ret != EOK) {
+        goto done;
+    }
+
+    DEBUG(SSSDBG_TRACE_LIBS, ("Updating memberships for [%s]\n", username));
+
+    ret = sysdb_update_members_dn(domain->sysdb, domain, username,
+                                  SYSDB_MEMBER_USER,
+                                  (const char *const *) add_groups,
+                                  (const char *const *) del_groups);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_MINOR_FAILURE, ("Membership update failed [%d]: %s\n",
+                                     ret, strerror(ret)));
+        goto done;
+    }
+
+done:
+    talloc_free(tmp_ctx);
+    return ret;
+}
+
+struct sdap_ad_tokengroups_initgroups_state {
+    struct sdap_idmap_ctx *idmap_ctx;
+    struct sysdb_ctx *sysdb;
+    struct sss_domain_info *domain;
+    const char *username;
+};
+
+static void sdap_ad_tokengroups_initgroups_done(struct tevent_req *subreq);
+
+struct tevent_req *
+sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
+                                    struct tevent_context *ev,
+                                    struct sdap_options *opts,
+                                    struct sysdb_ctx *sysdb,
+                                    struct sss_domain_info *domain,
+                                    struct sdap_handle *sh,
+                                    const char *name,
+                                    const char *orig_dn,
+                                    int timeout)
+{
+    struct sdap_ad_tokengroups_initgroups_state *state = NULL;
+    struct tevent_req *req = NULL;
+    struct tevent_req *subreq = NULL;
+    errno_t ret;
+
+    req = tevent_req_create(mem_ctx, &state,
+                            struct sdap_ad_tokengroups_initgroups_state);
+    if (req == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, ("tevent_req_create() failed\n"));
+        return NULL;
+    }
+
+    state->idmap_ctx = opts->idmap_ctx;
+    state->sysdb = sysdb;
+    state->domain = domain;
+    state->username = talloc_strdup(state, name);
+    if (state->username == NULL) {
+        ret = ENOMEM;
+        goto immediately;
+    }
+
+    subreq = sdap_get_ad_tokengroups_send(state, ev, opts, sh, name, orig_dn,
+                                          timeout);
+    if (subreq == NULL) {
+        ret = ENOMEM;
+        goto immediately;
+    }
+
+    tevent_req_set_callback(subreq, sdap_ad_tokengroups_initgroups_done, req);
+
+    return req;
+
+immediately:
+    if (ret == EOK) {
+        tevent_req_done(req);
+    } else {
+        tevent_req_error(req, ret);
+    }
+    tevent_req_post(req, ev);
+
+    return req;
+}
+
+static void sdap_ad_tokengroups_initgroups_done(struct tevent_req *subreq)
+{
+    TALLOC_CTX *tmp_ctx = NULL;
+    struct sdap_ad_tokengroups_initgroups_state *state = NULL;
+    struct tevent_req *req = NULL;
+    struct sss_domain_info *domain = NULL;
+    struct ldb_message *msg = NULL;
+    const char *attrs[] = {SYSDB_NAME, NULL};
+    const char *name = NULL;
+    const char *sid = NULL;
+    char **sids = NULL;
+    size_t num_sids;
+    size_t i;
+    time_t now;
+    gid_t gid;
+    char **groups = NULL;
+    size_t num_groups;
+    errno_t ret, sret;
+    bool in_transaction;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_new() failed\n"));
+        ret = ENOMEM;
+        goto done;
+    }
+
+    req = tevent_req_callback_data(subreq, struct tevent_req);
+    state = tevent_req_data(req, struct sdap_ad_tokengroups_initgroups_state);
+
+    ret = sdap_get_ad_tokengroups_recv(state, subreq, &num_sids, &sids);
+    talloc_zfree(subreq);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to acquire tokengroups [%d]: %s\n",
+                                    ret, strerror(ret)));
+        goto done;
+    }
+
+    num_groups = 0;
+    groups = talloc_zero_array(tmp_ctx, char*, num_sids + 1);
+    if (groups == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    now = time(NULL);
+    ret = sysdb_transaction_start(state->sysdb);
+    if (ret != EOK) {
+        goto done;
+    }
+    in_transaction = true;
+
+    for (i = 0; i < num_sids; i++) {
+        sid = sids[i];
+        DEBUG(SSSDBG_TRACE_LIBS, ("Processing membership SID [%s]\n", sid));
+
+        ret = sdap_idmap_sid_to_unix(state->idmap_ctx, sid, &gid);
         if (ret == ENOTSUP) {
             DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n"));
             ret = EOK;
             continue;
         } else if (ret != EOK) {
-            DEBUG(SSSDBG_MINOR_FAILURE,
-                  ("Could not convert SID to GID: [%s]. Skipping\n",
-                   strerror(ret)));
+            DEBUG(SSSDBG_MINOR_FAILURE, ("Could not convert SID to GID: [%s]. "
+                                         "Skipping\n", strerror(ret)));
             continue;
         }
 
-        group_domain = find_subdomain_by_sid(get_domains_head(state->domain),
-                                                              sid_str);
-        if (group_domain == NULL) {
-            DEBUG(SSSDBG_MINOR_FAILURE, ("Domain not found for SID %s\n",
-                                         sid_str));
+        domain = find_subdomain_by_sid(get_domains_head(state->domain), sid);
+        if (domain == NULL) {
+            DEBUG(SSSDBG_MINOR_FAILURE, ("Domain not found for SID %s\n", sid));
             continue;
         }
 
-        DEBUG(SSSDBG_TRACE_LIBS,
-              ("Processing membership GID [%"SPRIgid"]\n", gid));
+        DEBUG(SSSDBG_TRACE_LIBS, ("SID [%s] maps to GID [%"SPRIgid"]\n",
+                                  sid, gid));
 
         /* Check whether this GID already exists in the sysdb */
-        ret = sysdb_search_group_by_gid(tmp_ctx, group_domain->sysdb,
-                                        group_domain, gid, attrs, &msg);
+        ret = sysdb_search_group_by_gid(tmp_ctx, domain->sysdb, domain,
+                                        gid, attrs, &msg);
         if (ret == EOK) {
-            group_name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
-            if (!group_name) {
+            name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+            if (name == NULL) {
                 DEBUG(SSSDBG_MINOR_FAILURE,
                       ("Could not retrieve group name from sysdb\n"));
                 ret = EINVAL;
                 goto done;
             }
         } else if (ret == ENOENT) {
-            /* This is a new group. For now, we will store it
-             * under the name of its SID. When a direct lookup of
-             * the group or its GID occurs, it will replace this
-             * temporary entry.
-             */
-
-            group_name = sid_str;
-            ret = sysdb_add_incomplete_group(group_domain->sysdb,
-                                             group_domain,
-                                             group_name, gid,
-                                             NULL, sid_str, false, now);
+            /* This is a new group. For now, we will store it under the name
+             * of its SID. When a direct lookup of the group or its GID occurs,
+             * it will replace this temporary entry. */
+            name = sid;
+            ret = sysdb_add_incomplete_group(domain->sysdb, domain, name, gid,
+                                             NULL, sid, false, now);
             if (ret != EOK) {
-                DEBUG(SSSDBG_MINOR_FAILURE,
-                      ("Could not create incomplete group: [%s]\n",
-                       strerror(ret)));
+                DEBUG(SSSDBG_MINOR_FAILURE, ("Could not create incomplete "
+                                             "group: [%s]\n", strerror(ret)));
                 goto done;
             }
         } else {
             /* Unexpected error */
-            DEBUG(SSSDBG_MINOR_FAILURE,
-                  ("Could not look up group in sysdb: [%s]\n",
-                   strerror(ret)));
+            DEBUG(SSSDBG_MINOR_FAILURE, ("Could not look up group in sysdb: "
+                                         "[%s]\n", strerror(ret)));
             goto done;
         }
 
-        group_ldb_dn = sysdb_group_dn(group_domain->sysdb, tmp_ctx,
-                                      group_domain, group_name);
-        if (group_ldb_dn == NULL) {
-            DEBUG(SSSDBG_CRIT_FAILURE, ("sysdb_group_dn() failed\n"));
+        groups[num_groups] = sysdb_group_strdn(tmp_ctx, domain->name, name);
+        if (groups[num_groups] == NULL) {
             ret = ENOMEM;
             goto done;
         }
-
-        group_str_dn = ldb_dn_get_linearized(group_ldb_dn);
-        if (group_str_dn == NULL) {
-            DEBUG(SSSDBG_CRIT_FAILURE, ("ldb_dn_get_linearized() failed\n"));
-            ret = EINVAL;
-            goto done;
-        }
-
-        ldap_grouplist[group_count] =
-                talloc_strdup(ldap_grouplist, group_str_dn);
-        if (!ldap_grouplist[group_count]) {
-            ret = ENOMEM;
-            goto done;
-        }
-
-        talloc_zfree(group_ldb_dn); /* also frees group_str_dn */
-        group_str_dn = NULL;
-
-        group_count++;
-    }
-    ldap_grouplist[group_count] = NULL;
-
-    /* Get the current sysdb group list for this user
-     * so we can update it.
-     */
-    ret = get_sysdb_grouplist_dn(state, state->sysdb, state->domain,
-                                 state->username, &sysdb_grouplist);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_MINOR_FAILURE,
-              ("Could not get the list of groups for [%s] in the sysdb: "
-               "[%s]\n",
-               state->username, strerror(ret)));
-        goto done;
+        num_groups++;
     }
 
-    /* Find the differences between the sysdb and LDAP lists
-     * Groups in the sysdb only must be removed.
-     */
-    ret = diff_string_lists(tmp_ctx, ldap_grouplist, sysdb_grouplist,
-                            &add_groups, &del_groups, NULL);
-    if (ret != EOK) goto done;
+    groups[num_groups] = NULL;
 
-    DEBUG(SSSDBG_TRACE_LIBS,
-          ("Updating memberships for [%s]\n", state->username));
-    ret = sysdb_update_members_dn(state->sysdb, state->domain,
-                                  state->username, SYSDB_MEMBER_USER,
-                                  (const char *const *) add_groups,
-                                  (const char *const *) del_groups);
+    ret = sdap_ad_tokengroups_update_members(state, state->username,
+                                             state->sysdb, state->domain,
+                                             groups);
     if (ret != EOK) {
-        DEBUG(SSSDBG_MINOR_FAILURE,
-              ("Membership update failed [%d]: %s\n",
-               ret, strerror(ret)));
+        DEBUG(SSSDBG_MINOR_FAILURE, ("Membership update failed [%d]: %s\n",
+                                     ret, strerror(ret)));
         goto done;
     }
 
     ret = sysdb_transaction_commit(state->sysdb);
     if (ret != EOK) {
-        DEBUG(SSSDBG_CRIT_FAILURE,
-              ("Could not commit transaction! [%s]\n",
-               strerror(ret)));
+        DEBUG(SSSDBG_CRIT_FAILURE, ("Could not commit transaction! [%s]\n",
+                                    strerror(ret)));
         goto done;
     }
     in_transaction = false;
 
 done:
-    sss_idmap_free_sid(state->opts->idmap_ctx->map, sid_str);
+    talloc_free(tmp_ctx);
 
     if (in_transaction) {
         sret = sysdb_transaction_cancel(state->sysdb);
-        DEBUG(SSSDBG_FATAL_FAILURE,
-              ("Could not cancel transaction! [%s]\n",
-               strerror(sret)));
+        DEBUG(SSSDBG_FATAL_FAILURE, ("Could not cancel transaction! [%s]\n",
+                                     strerror(sret)));
     }
 
-    if (ret == EOK) {
-        tevent_req_done(req);
-    } else {
+    if (ret != EOK) {
         tevent_req_error(req, ret);
+        return;
     }
-    talloc_free(tmp_ctx);
-    return;
+
+    tevent_req_done(req);
 }
 
-errno_t
-sdap_get_ad_tokengroups_initgroups_recv(struct tevent_req *req)
+errno_t sdap_ad_tokengroups_initgroups_recv(struct tevent_req *req)
 {
     TEVENT_REQ_RETURN_ON_ERROR(req);
+
     return EOK;
 }
-- 
1.8.4.2