From 4dbfa49f50fd785f374209c2e59205e79533788e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 29 May 2018 15:46:33 +0200
Subject: [PATCH] AD/LDAP: do not fall back to mpg user lookup on GC connection
|
For MPG domains a group lookup might fall back to a user lookup to check
if the request is for a user private group. Since we cannot be sure that
all needed attributes for a user are replicated to the Global Catalog we
do not want to look up the user during the fallback from the Global
Catalog.
|
Since we cannot skip Global Catalog lookups for groups completely due to
membership to groups with universal scope this patch adds a flag to tell
the lower level lookup calls to not fall back on connections to a Global
Catalog.
|
Related to https://pagure.io/SSSD/sssd/issue/3748
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit ad6ab352879264fdade8861aff53aa035a2e2240)
---
src/providers/ad/ad_common.c | 1 +
src/providers/ldap/ldap_common.h | 2 ++
src/providers/ldap/ldap_id.c | 3 ++-
3 files changed, 5 insertions(+), 1 deletion(-)
|
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 2a1647173b76b410371315eb364e9a3785714a93..1dca2fe279cb7d6d647aed42e3b3fabfb34b7dac 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1375,6 +1375,7 @@ ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)) {
clist[cindex] = ad_ctx->gc_ctx;
clist[cindex]->ignore_mark_offline = true;
+ clist[cindex]->no_mpg_user_fallback = true;
cindex++;
}
|
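Review bot: The new flag is set on `ad_ctx->gc_ctx` every time the connection list is built rather than once where the GC context is created, and nothing at this site says why; a one-line comment would save the next reader a trip to ldap_id.c, e.g. `/* GC replicas may lack the user attributes a UPG fallback needs; see groups_get_done() */`. The same rationale belongs on the new field in the ldap_common.h hunk, whose comment only restates the field name. Setting it repeatedly is harmless as long as `gc_ctx` is the only connection meant to carry the flag, which this hunk alone does not show. ad_gc_conn_list() begins before the hunk.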
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 44dbc3fb0678412f46366321e0be836313380949..21cb57b0e7b265972db74ac78a3c1fb4ba2a9529 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -57,6 +57,8 @@ struct sdap_id_conn_ctx {
struct sdap_id_conn_ctx *prev, *next;
/* do not go offline, try another connection */
bool ignore_mark_offline;
+ /* do not fall back to user lookups for mpg domains on this connection */
+ bool no_mpg_user_fallback;
};
|
struct sdap_id_ctx {
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 3824f8f9aa8d2892664f1182376bedf6fb8627f6..365d90fd1cdfba86c719b3669d057444a7449d66 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -1076,7 +1076,8 @@ static void groups_get_done(struct tevent_req *subreq)
}
|
if (ret == ENOENT
- && state->domain->mpg == true) {
+ && state->domain->mpg == true
+ && !state->conn->no_mpg_user_fallback) {
/* The requested filter did not find a group. Before giving up, we must
* also check if the GID can be resolved through a primary group of a
* user
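Review bot: Skipping the fallback on a GC connection leaves the request with `ret == ENOENT`, and whether that makes the caller move on to the next connection in the list (the LDAP port, where the user attributes are expected to be complete) or report the group as missing is decided outside this hunk; if the GC entry can ever be the only connection, a user-private-group lookup would now fail outright, so that expectation deserves a comment beside the new condition, e.g. `/* on a GC connection leave ret == ENOENT so the next connection in the list can do the UPG check */`. The added line also dereferences `state->conn` unconditionally; presumably conn is always set by the time groups_get_done() runs, but that is not visible here. The existing `state->domain->mpg == true` could be written as plain `state->domain->mpg` to match the new boolean test on the next line. groups_get_done() starts before and continues after the hunk.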
--
2.14.4
|