From 62d671b874a66101c0f4bff39fc6d7f49cb8fca6 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 4 Dec 2018 13:06:23 +0100
Subject: [PATCH 84/84] ipa: use only the global catalog service of the forest
root
While creating the domains and sub-domains each domain gets a global
catalog services assigned but only one should be used because the global
catalog is by definition responsible for the whole forest so it does not
make sense to use a global catalog service for each domain and in the
worst case connect to the same GC multiple times.
In the AD provider this is simple because the GC service of the
configured domain AD_GC_SERVICE_NAME ("AD_GC") can be used. In the IPA
case all domains from the trusted forest are on the level of sub-domains
so we have to pick one. Since the forest root is linked from all domains
of the same forest it will be the most straight forward choice.
Related to https://pagure.io/SSSD/sssd/issue/3902
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ipa/ipa_subdomains_id.c | 50 +++++++++++++++++++++++++--
1 file changed, 47 insertions(+), 3 deletions(-)
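diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index a16eed284..48cf74460 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -713,6 +713,52 @@ int ipa_get_subdom_acct_recv(struct tevent_req *req, int *dp_error_out)
 return EOK;
 }
 
+static struct ad_id_ctx *ipa_get_ad_id_ctx(struct ipa_id_ctx *ipa_ctx,
+ struct sss_domain_info *dom);
+
+static struct sdap_id_conn_ctx **
+ipa_ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ipa_id_ctx *ipa_ctx,
+ struct ad_id_ctx *ad_ctx, struct sss_domain_info *dom)
+{
+ struct ad_id_ctx *forest_root_ad_id_ctx;
+ struct sdap_id_conn_ctx **clist;
+ int cindex = 0;
+
+ /* While creating the domains and sub-domains each domain gets a global
+ * catalog services assigned but only one should be used because the
+ * global catalog is by definition responsible for the whole forest so it
+ * does not make sense to use a global catalog service for each domain and
+ * in the worst case connect to the same GC multiple times.
+ *
+ * In the AD provider this is simple because the GC service of the
+ * configured domain AD_GC_SERVICE_NAME ("AD_GC") can be used. In the IPA
+ * case all domains from the trusted forest are on the level of
+ * sub-domains so we have to pick one. Since the forest root is linked
+ * from all domain of the same forest it will be the most straight forward
+ * choice. */
+ forest_root_ad_id_ctx = ipa_get_ad_id_ctx(ipa_ctx, dom->forest_root);
+ if (forest_root_ad_id_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Missing ad_id_ctx for forest root.\n");
+ return NULL;
+ }
+
+ clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 3);
+ if (clist == NULL) return NULL;
+
+ /* Always try GC first */
+ if (dp_opt_get_bool(forest_root_ad_id_ctx->ad_options->basic,
+ AD_ENABLE_GC)) {
+ clist[cindex] = forest_root_ad_id_ctx->gc_ctx;
+ clist[cindex]->ignore_mark_offline = true;
+ clist[cindex]->no_mpg_user_fallback = true;
+ cindex++;
+ }
+
+ clist[cindex] = ad_get_dom_ldap_conn(ad_ctx, dom);
+
+ return clist;
+}
+
 /* IPA lookup for server mode. Directly to AD. */
 struct ipa_get_ad_acct_state {
 int dp_error;
@@ -731,8 +777,6 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req);
 static errno_t ipa_get_ad_ipa_membership_step(struct tevent_req *req);
 static void ipa_id_get_groups_overrides_done(struct tevent_req *subreq);
 static void ipa_get_ad_acct_done(struct tevent_req *subreq);
-static struct ad_id_ctx *ipa_get_ad_id_ctx(struct ipa_id_ctx *ipa_ctx,
- struct sss_domain_info *dom);
 
 static struct tevent_req *
 ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
@@ -785,7 +829,7 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
 case BE_REQ_INITGROUPS:
 case BE_REQ_BY_SECID:
 case BE_REQ_GROUP:
- clist = ad_gc_conn_list(req, ad_id_ctx, state->obj_dom);
+ clist = ipa_ad_gc_conn_list(req, ipa_ctx, ad_id_ctx, state->obj_dom);
 break;
 default:
 clist = ad_ldap_conn_list(req, ad_id_ctx, state->obj_dom);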
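Review bot: `forest_root_ad_id_ctx->gc_ctx` is dereferenced on the two `ignore_mark_offline`/`no_mpg_user_fallback` lines right after the AD_ENABLE_GC check in the new ipa_ad_gc_conn_list() without a NULL test, so a forest-root context whose GC connection was never set up would crash instead of falling back to the domain's LDAP connection; unless gc_ctx is guaranteed non-NULL whenever AD_ENABLE_GC is true (the AD provider's ad_gc_conn_list that this mirrors may rely on that invariant, which is not visible here), widen the condition to `if (dp_opt_get_bool(forest_root_ad_id_ctx->ad_options->basic, AD_ENABLE_GC) && forest_root_ad_id_ctx->gc_ctx != NULL) {`. Those two assignments also write into the forest root's shared gc_ctx rather than a per-request copy, so the first lookup that builds this list changes how that connection is treated for every later user of it; if that is intended, it deserves a one-line comment at the assignment. The return value of ad_get_dom_ldap_conn() on the function's last statement is not checked either, and with GC disabled a NULL there yields an empty list, so a header comment such as `/* Build a NULL-terminated connection list: the forest root's GC (when AD_ENABLE_GC is set) followed by the domain's LDAP connection; NULL on failure. */` would make the contract explicit for the caller in ipa_get_ad_acct_send(). The new function lies entirely within the first hunk; ipa_get_ad_acct_send() in the third hunk starts and ends outside it.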
--
2.19.1