From ed243335d3e74ab2cde49eacc9a85ca5408a8dec Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 15 Oct 2021 13:39:50 +0200
Subject: [PATCH 82/83] ad: only send cldap-ping to our local domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Since we are using the name of the local domain in the search filter of
the CLDAP ping only a DC from the local domain can send a proper reply.
DCs from other domains will only return an error so we can skip the
CLDAP ping for those domains.

Resolves: https://github.com/SSSD/sssd/issues/5822

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 724293d0873ee3229866ae4c13e1c8829375146f)

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
 src/providers/ad/ad_cldap_ping.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/providers/ad/ad_cldap_ping.c b/src/providers/ad/ad_cldap_ping.c
index 100d448f5..91db81bfc 100644
--- a/src/providers/ad/ad_cldap_ping.c
+++ b/src/providers/ad/ad_cldap_ping.c
@@ -621,6 +621,14 @@ struct tevent_req *ad_cldap_ping_send(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
+    if (strcmp(srv_ctx->ad_domain, discovery_domain) != 0) {
+        DEBUG(SSSDBG_TRACE_ALL, "Trying to discover domain [%s] "
+              "which is not our local domain [%s], skipping CLDAP ping.\n",
+              discovery_domain, srv_ctx->ad_domain);
+        ret = EOK;
+        goto done;
+    }
+
     DEBUG(SSSDBG_TRACE_FUNC, "Sending CLDAP ping\n");
 
     state->ev = ev;
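Review bot: The strcmp() comparison of srv_ctx->ad_domain against discovery_domain in the added block is case-sensitive, while DNS domain names are case-insensitive. If the two strings can differ only in case, the CLDAP ping would be skipped for the local domain as well. Consider strcasecmp() here, or add a comment saying where both values are normalised. Neither pointer is checked for NULL in the visible lines, so it is worth confirming that both are guaranteed to be set before this point is reached. The skip message is logged at SSSDBG_TRACE_ALL, while the "Sending CLDAP ping" message directly below uses SSSDBG_TRACE_FUNC, so at TRACE_FUNC the log shows neither message for a skipped domain; logging the skip at the same level would make it visible. A short code comment stating that ret = EOK followed by goto done completes the request successfully without any ping result would also help readers of the callers.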
-- 
2.26.3