From e62c422753537d8e2b98e979553626850b7b7600 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 5 Mar 2014 11:50:54 +0100
Subject: [PATCH 108/110] AD: Only connect to GC for subdomain users
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://fedorahosted.org/sssd/ticket/2251

By connecting to GC for users from both trusted domains and parent
domain, we lose the ability to download the shell and homedir if these
are used with ID mapping.

This patch changes the user lookups only. Changing the logic for all
lookups would break cross-domain group memberships, for example.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit bb8a08118db0916bf8252a9481c16271ec20acd3)
---
 src/providers/ad/ad_id.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index 87af656b364344a8ef27a444e5dfcf8848939110..a35823b4b77d42fc583a61653a175f0ee4d22ac4 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -215,9 +215,26 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
               struct sss_domain_info *dom, struct be_acct_req *ar)
 {
     struct sdap_id_conn_ctx **clist;
+    int cindex = 0;
 
     switch (ar->entry_type & BE_REQ_TYPE_MASK) {
     case BE_REQ_USER: /* user */
+        clist = talloc_zero_array(ad_ctx, struct sdap_id_conn_ctx *, 3);
+        if (clist == NULL) return NULL;
+
+        /* Try GC first for users from trusted domains */
+        if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)
+                && IS_SUBDOMAIN(dom)) {
+            clist[cindex] = ad_ctx->gc_ctx;
+            clist[cindex]->ignore_mark_offline = true;
+            cindex++;
+        }
+
+        /* Users from primary domain can be just downloaded from LDAP.
+         * The domain's LDAP connection also works as a fallback
+         */
+        clist[cindex] = ad_get_dom_ldap_conn(ad_ctx, dom);
+        break;
     case BE_REQ_BY_SECID:   /* by SID */
     case BE_REQ_USER_AND_GROUP: /* get SID */
     case BE_REQ_GROUP: /* group */
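Review bot: The GC branch stores `ad_ctx->gc_ctx` into `clist[cindex]` and immediately writes through it (`clist[cindex]->ignore_mark_offline = true;`) without checking that the pointer is non-NULL; the code only verifies that AD_ENABLE_GC is set and the domain is a subdomain, so if gc_ctx can be unset on this ad_ctx (which the option check itself suggests is possible, though its initialisation is outside the hunk) this is a NULL dereference on every subdomain user lookup. Extending the guard to `if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC) && IS_SUBDOMAIN(dom) && ad_ctx->gc_ctx != NULL) {` keeps the LDAP fallback as the sole entry in that case. The literal `3` in `talloc_zero_array(ad_ctx, struct sdap_id_conn_ctx *, 3)` would also read better with a comment such as `/* GC, domain LDAP, NULL terminator */`, since the zeroed trailing slot is what terminates the list for the caller. get_conn_list's body continues past the end of the hunk.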
-- 
1.8.5.3