From 4dbfa49f50fd785f374209c2e59205e79533788e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 29 May 2018 15:46:33 +0200
Subject: [PATCH] AD/LDAP: do not fall back to mpg user lookup on GC connection

For MPG domains a group lookup might fall back to a user lookup to check
if the request is for a user private group. Since we cannot be sure that
all needed attributes for a user are replicated to the Global Catalog we
do not want to lookup the user during the fall back from the Global
Catalog.

Since we cannot skip Global Catalog lookups for groups completely because of
membership in groups with universal scope, this patch adds a flag to tell the
lower-level lookup calls not to fall back to a user lookup on connections to a
Global Catalog.

Related to https://pagure.io/SSSD/sssd/issue/3748

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit ad6ab352879264fdade8861aff53aa035a2e2240)
---
 src/providers/ad/ad_common.c     | 1 +
 src/providers/ldap/ldap_common.h | 2 ++
 src/providers/ldap/ldap_id.c     | 3 ++-
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 2a1647173b76b410371315eb364e9a3785714a93..1dca2fe279cb7d6d647aed42e3b3fabfb34b7dac 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1375,6 +1375,7 @@ ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
     if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)) {
         clist[cindex] = ad_ctx->gc_ctx;
         clist[cindex]->ignore_mark_offline = true;
+        clist[cindex]->no_mpg_user_fallback = true;
         cindex++;
     }
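Review bot: The new flag is written onto the shared `ad_ctx->gc_ctx` object every time this list is built, like `ignore_mark_offline` on the line above, rather than once when the GC connection context is created; whether the fallback is suppressed for a given request therefore depends on which conn-list builder last touched `gc_ctx`, and nothing here ever clears it. Since "do not do the MPG user fallback on a GC connection" is an invariant of the connection, not of this list, it would be more robust to set `gc_ctx->no_mpg_user_fallback = true` at the point where `gc_ctx` is allocated (outside this hunk), or at least to add a comment here, `/* GC may lack user attributes; never resolve a UPG through it */`, explaining why the field is set on the list member. If other `ad_*_conn_list` helpers also place `gc_ctx` in a list — I cannot see them from this hunk — they would need the same assignment to keep the behaviour consistent. ad_gc_conn_list starts and ends outside the hunk.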
 
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 44dbc3fb0678412f46366321e0be836313380949..21cb57b0e7b265972db74ac78a3c1fb4ba2a9529 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -57,6 +57,8 @@ struct sdap_id_conn_ctx {
     struct sdap_id_conn_ctx *prev, *next;
     /* do not go offline, try another connection */
     bool ignore_mark_offline;
+    /* do not fall back to user lookups for mpg domains on this connection */
+    bool no_mpg_user_fallback;
 };
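Review bot: The comment on the new field says what the flag does but not why a caller would set it, which is the part a maintainer will need when deciding whether a new connection type should carry it; I would extend it to `/* do not fall back to user lookups for mpg domains on this connection (set for Global Catalog connections, which may not replicate all user attributes) */`. The struct sdap_id_conn_ctx definition starts outside the hunk.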
 
 struct sdap_id_ctx {
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 3824f8f9aa8d2892664f1182376bedf6fb8627f6..365d90fd1cdfba86c719b3669d057444a7449d66 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -1076,7 +1076,8 @@ static void groups_get_done(struct tevent_req *subreq)
     }
 
     if (ret == ENOENT
-            && state->domain->mpg == true) {
+            && state->domain->mpg == true
+            && !state->conn->no_mpg_user_fallback) {
         /* The requested filter did not find a group. Before giving up, we must
          * also check if the GID can be resolved through a primary group of a
          * user
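Review bot: The extended condition mixes two styles for adjacent boolean tests, `state->domain->mpg == true` next to `!state->conn->no_mpg_user_fallback`; `&& state->domain->mpg` and `&& !state->conn->no_mpg_user_fallback` read consistently and avoid the `== true` comparison. The check also deserves a one-line comment, since the existing block comment only explains the fallback and not why it is skipped: `/* GC connections may lack the user attributes a UPG lookup needs; skip the fallback there and let the next connection in the list handle it */`. With the fallback suppressed, `ret` stays ENOENT and control continues into the rest of groups_get_done, which is outside this hunk; it is worth confirming that path still hands the request to the next (non-GC) connection rather than completing the request with ENOENT, otherwise a GID that is only resolvable as a user private group would no longer resolve when the GC is tried first. Whether `state->conn` can be NULL at this point is not visible here; the existing code below presumably already dereferences it, but that should be checked. groups_get_done starts and ends outside the hunk.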
-- 
2.14.4