dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Blob Blame History Raw
From 168396cd93b3f0e42b4842f520f2bcece91274c6 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 29 Nov 2013 11:39:09 +0100
Subject: [PATCH 29/31] AD: Add a new option to turn off GC lookups

SSSD now defaults to using GC by default. For some environments, for
instance those that don't or can't replicate the POSIX attributes to
Global Catalog, this might not be desirable.

This patch introduces a new option ad_enable_gc, that is enabled by
default. Setting this option to false makes the SSSD contact only the
LDAP port of AD DCs.
---
 src/config/etc/sssd.api.d/sssd-ad.conf |  1 +
 src/man/sssd-ad.5.xml                  | 17 +++++++++++++++++
 src/providers/ad/ad_common.c           | 31 ++++++++++++++++++-------------
 src/providers/ad/ad_common.h           |  1 +
 src/providers/ad/ad_opts.h             |  1 +
 src/tests/cmocka/test_ad_common.c      | 20 ++++++++++++++++++++
 6 files changed, 58 insertions(+), 13 deletions(-)

diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 9f606f6c4da65d4bfb20a97ee27801dac9307868..00e8968d2b6dab33a39005f11a497cb3e2185302 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -5,6 +5,7 @@ ad_backup_server = str, None, false
 ad_hostname = str, None, false
 ad_enable_dns_sites = bool, None, false
 ad_access_filter = str, None, false
+ad_enable_gc = bool, None, false
 ldap_uri = str, None, false
 ldap_backup_uri = str, None, false
 ldap_search_base = str, None, false
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index e31f87a96a14907c64166e53da443ad735c6e85e..38cc31278cf87c98ca9e53cf91fda7b141bff78d 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -228,6 +228,23 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)
                 </varlistentry>
 
                 <varlistentry>
+                    <term>ad_enable_gc (boolean)</term>
+                    <listitem>
+                        <para>
+                            By default, the SSSD connects to the Global
+                            Catalog first to retrieve users and uses the
+                            LDAP port to retrieve group memberships or
+                            as a fallback. Disabling this option makes
+                            the SSSD only connect to the LDAP port of the
+                            current AD server.
+                        </para>
+                        <para>
+                            Default: true
+                        </para>
+                    </listitem>
+                </varlistentry>
+
+                <varlistentry>
                     <term>dyndns_update (boolean)</term>
                     <listitem>
                         <para>
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index af0ec839964233c7642205f4489e5b6462509848..a5ea4f587f30575a5903d8ae1a459f53512c011f 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1125,26 +1125,31 @@ ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
                 struct sss_domain_info *dom)
 {
     struct sdap_id_conn_ctx **clist;
+    int cindex = 0;
 
     clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 3);
     if (clist == NULL) return NULL;
 
     /* Always try GC first */
-    clist[0] = ad_ctx->gc_ctx;
-    if (IS_SUBDOMAIN(dom) == true) {
-        clist[0]->ignore_mark_offline = false;
-        /* Subdomain users are only present in GC. */
-        return clist;
+    if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)) {
+        clist[cindex] = ad_ctx->gc_ctx;
+        if (IS_SUBDOMAIN(dom) == true) {
+            clist[cindex]->ignore_mark_offline = false;
+            /* Subdomain users are only present in GC. */
+            return clist;
+        }
+        /* fall back to ldap if gc is not available */
+        clist[cindex]->ignore_mark_offline = true;
+        cindex++;
     }
 
-    /* fall back to ldap if gc is not available */
-    clist[0]->ignore_mark_offline = true;
-
-    /* With root domain users we have the option to
-     * fall back to LDAP in case ie POSIX attributes
-     * are used but not replicated to GC
-     */
-    clist[1] = ad_ctx->ldap_ctx;
+    if (IS_SUBDOMAIN(dom) == false) {
+        /* With root domain users we have the option to
+         * fall back to LDAP in case ie POSIX attributes
+         * are used but not replicated to GC
+         */
+        clist[cindex] = ad_ctx->ldap_ctx;
+    }
 
     return clist;
 }
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
index ed5b8584dc5327a24e60985486c6155604271fd2..d370cef69124c127f41d7c4cbaa25713363e7752 100644
--- a/src/providers/ad/ad_common.h
+++ b/src/providers/ad/ad_common.h
@@ -42,6 +42,7 @@ enum ad_basic_opt {
     AD_KRB5_REALM,
     AD_ENABLE_DNS_SITES,
     AD_ACCESS_FILTER,
+    AD_ENABLE_GC,
 
     AD_OPTS_BASIC /* opts counter */
 };
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index 8022a16274a04389b7a64b491ec28a0c3c55aaef..5b7b1c89f5f45d7cc744a955e6378390948a99fd 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -36,6 +36,7 @@ struct dp_option ad_basic_opts[] = {
     { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
     { "ad_enable_dns_sites", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     { "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
+    { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
     DP_OPTION_TERMINATOR
 };
 
diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
index 648b68f2dc05947b1fbb4c680ec63d3c2c6275b3..07502b82d43d730562c60125b639d8e7d1034458 100644
--- a/src/tests/cmocka/test_ad_common.c
+++ b/src/tests/cmocka/test_ad_common.c
@@ -159,6 +159,8 @@ void test_conn_list(void **state)
                                                      struct ad_common_test_ctx);
     assert_non_null(test_ctx);
 
+    assert_true(dp_opt_get_bool(test_ctx->ad_ctx->ad_options->basic,
+                                AD_ENABLE_GC));
     conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->dom);
     assert_non_null(conn_list);
 
@@ -177,6 +179,24 @@ void test_conn_list(void **state)
     assert_false(conn_list[0]->ignore_mark_offline);
     assert_null(conn_list[1]);
     talloc_free(conn_list);
+
+    dp_opt_set_bool(test_ctx->ad_ctx->ad_options->basic, AD_ENABLE_GC, false);
+    assert_false(dp_opt_get_bool(test_ctx->ad_ctx->ad_options->basic,
+                                 AD_ENABLE_GC));
+
+    conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->dom);
+    assert_non_null(conn_list);
+
+    assert_true(conn_list[0] == test_ctx->ad_ctx->ldap_ctx);
+    assert_false(conn_list[0]->ignore_mark_offline);
+    assert_null(conn_list[1]);
+    talloc_free(conn_list);
+
+    conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->subdom);
+    assert_non_null(conn_list);
+
+    assert_null(conn_list[0]);
+    talloc_free(conn_list);
 }
 
 int main(int argc, const char *argv[])
-- 
1.8.4.2