From 591ee6dee11c4509e8e748ce83414913143e751d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 22 May 2015 15:19:31 +0200
Subject: [PATCH 202/207] Download complete groups if ignore_group_members is
 set with tokengroups

Resolves:
    https://fedorahosted.org/sssd/ticket/2644

When tokenGroups are enabled, we save groups using their SID as the RDN
attribute during initgroups() and later, if the group is requested and saved
again with the full name, remove the original and save the new group entry.

Saving the new group entry would break if ignore_group_members is also
set, because the new group entry would lack the "member" attribute, so the
member/memberof links between the new group and the user entry wouldn't
be established again.

This patch changes the initgroups processing so that the full group
object is fetched when initgroups is enabled but together with
ignore_group_members. This solution imposes some performance impact,
because instead of one search for tokenGroups we also need to resolve the
groups. The more systematic solution would be to get rid of removing the
group entry as described in https://fedorahosted.org/sssd/ticket/2656

To reproduce the bug, set: ignore_group_members = True with a
backend that uses:
    id_provider = ad
Then run:
    $ id aduser@ad_domain.com
    $ id aduser@ad_domain.com

Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ee44aac95e42c3cb634876286a2aa4960ac69a2b)
---
 src/providers/ldap/sdap_async_initgroups_ad.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 9915f18..463d850 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -1445,7 +1445,18 @@ sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
     state->use_id_mapping = use_id_mapping;
     state->domain = domain;
 
-    if (state->use_id_mapping && !IS_SUBDOMAIN(state->domain)) {
+    /* We can compute the the gidNumber attribute from SIDs obtained from
+     * the tokenGroups lookup in case ID mapping is used for a user from the
+     * parent domain. For trusted domains, we need to know the group type
+     * to be able to filter out domain-local groups. Additionally, as a
+     * temporary workaround until https://fedorahosted.org/sssd/ticket/2656
+     * is fixed, we also fetch the group object if group members are ignored
+     * to avoid having to transfer and retain members when the fake
+     * tokengroups object without name is replaced by the full group object
+     */
+    if (state->use_id_mapping
+            && !IS_SUBDOMAIN(state->domain)
+            && state->domain->ignore_group_members == false) {
         subreq = sdap_ad_tokengroups_initgr_mapping_send(state, ev, opts,
                                                          sysdb, domain, sh,
                                                          name, orig_dn,
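Review bot: the new comment has a doubled word ("compute the the gidNumber attribute") in the first line; please fix it while here. Minor style point on the same hunk: the idiomatic form in this file is a negation rather than a comparison against a boolean literal, so `&& !state->domain->ignore_group_members` reads better than `&& state->domain->ignore_group_members == false`. The comment itself is good: it explains why the group object is fetched when members are ignored and links the condition to ticket 2656 so the workaround can be found and removed later.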
@@ -1485,7 +1496,9 @@ static void sdap_ad_tokengroups_initgroups_done(struct tevent_req *subreq)
     req = tevent_req_callback_data(subreq, struct tevent_req);
     state = tevent_req_data(req, struct sdap_ad_tokengroups_initgroups_state);
 
-    if (state->use_id_mapping && !IS_SUBDOMAIN(state->domain)) {
+    if (state->use_id_mapping
+            && !IS_SUBDOMAIN(state->domain)
+            && state->domain->ignore_group_members == false) {
         ret = sdap_ad_tokengroups_initgr_mapping_recv(subreq);
     } else {
         ret = sdap_ad_tokengroups_initgr_posix_recv(subreq);
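Review bot: this three-line predicate is now copied verbatim from sdap_ad_tokengroups_initgroups_send(), and the two copies must stay identical: if one is later changed and the other is not, the _done callback will call sdap_ad_tokengroups_initgr_mapping_recv() on a subreq that was created by the posix _send (or vice versa). Consider moving the condition into a small static helper (for example `static bool sdap_ad_tokengroups_use_mapping(struct sdap_ad_tokengroups_initgroups_state *state)`) and calling it from both places so the send and recv paths cannot drift apart.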
-- 
2.1.0