From 9438cd7b8c8cca1e919afec6c5aa3a3233a31f8c Mon Sep 17 00:00:00 2001

From: Petr Cech <pcech@redhat.com>

Date: Mon, 27 Jun 2016 11:51:30 +0200

Subject: [PATCH 106/108] AD_PROVIDER: ad_enabled_domains - other then master

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

We can skip looking up other domains if

option ad_enabled_domains doesn't contain them.

Resolves:

https://fedorahosted.org/sssd/ticket/2828

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

---

 src/providers/ad/ad_subdomains.c | 40 +++++++++++++++++++++++++++++++++++++---

 1 file changed, 37 insertions(+), 3 deletions(-)

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c

index 5fdfc63886457db02ea4edc430341b31c3e545ce..52bf5361fa8de02c7165cbc3513a923ec018fc15 100644

--- a/src/providers/ad/ad_subdomains.c

+++ b/src/providers/ad/ad_subdomains.c

@@ -130,6 +130,16 @@ done:

     return ret;

 }

+static bool is_domain_enabled(const char *domain,

+                              const char **enabled_doms)

+{

+    if (enabled_doms == NULL) {

+        return true;

+    }

+

+    return string_in_list(domain, discard_const_p(char *, enabled_doms), false);

+}

+

 static errno_t

 ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,

                      struct ad_id_ctx *id_ctx,

@@ -492,6 +502,7 @@ done:

 static errno_t ad_subdomains_process(TALLOC_CTX *mem_ctx,

                                      struct sss_domain_info *domain,

+                                     const char **enabled_domains_list,

                                      size_t nsd, struct sysdb_attrs **sd,

                                      struct sysdb_attrs *root,

                                      size_t *_nsd_out,

@@ -500,9 +511,10 @@ static errno_t ad_subdomains_process(TALLOC_CTX *mem_ctx,

     size_t i, sdi;

     struct sysdb_attrs **sd_out;

     const char *sd_name;

+    const char *root_name;

     errno_t ret;

-    if (root == NULL) {

+    if (root == NULL && enabled_domains_list == NULL) {

         /* We are connected directly to the root domain. The 'sd'

          * list is complete and we can just use it

          */

@@ -529,6 +541,13 @@ static errno_t ad_subdomains_process(TALLOC_CTX *mem_ctx,

             goto fail;

         }

+        if (is_domain_enabled(sd_name, enabled_domains_list) == false) {

+            DEBUG(SSSDBG_TRACE_FUNC, "Disabling subdomain %s\n", sd_name);

+            continue;

+        } else {

+            DEBUG(SSSDBG_TRACE_FUNC, "Enabling subdomain %s\n", sd_name);

+        }

+

         if (strcasecmp(sd_name, domain->name) == 0) {

             DEBUG(SSSDBG_TRACE_INTERNAL,

                   "Not including primary domain %s in the subdomain list\n",

@@ -541,9 +560,23 @@ static errno_t ad_subdomains_process(TALLOC_CTX *mem_ctx,

     }

     /* Now include the root */

-    sd_out[sdi] = talloc_steal(sd_out, root);

+    if (root != NULL) {

+        ret = sysdb_attrs_get_string(root, AD_AT_TRUST_PARTNER, &root_name);

+        if (ret != EOK) {

+            DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");

+            goto fail;

+        }

-    *_nsd_out = sdi+1;

+        if (is_domain_enabled(root_name, enabled_domains_list) == true) {

+            sd_out[sdi] = talloc_steal(sd_out, root);

+            sdi++;

+        } else {

+            DEBUG(SSSDBG_TRACE_FUNC, "Disabling forest root domain %s\n",

+                                     root_name);

+        }

+    }

+

+    *_nsd_out = sdi;

     *_sd_out = sd_out;

     return EOK;

@@ -789,6 +822,7 @@ static void ad_get_slave_domain_done(struct tevent_req *subreq)

      * subdomains.

      */

     ret = ad_subdomains_process(state, state->be_ctx->domain,

+                                state->sd_ctx->ad_enabled_domains,

                                 reply_count, reply, state->root_attrs,

                                 &nsubdoms, &subdoms);

     if (ret != EOK) {

-- 

2.4.11