From 9b9d3e2817fdcf16f2949641d4130b39856a4bf6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Fri, 28 Apr 2017 20:49:56 +0200
Subject: [PATCH 127/127] SERVER_MODE: Update sdap lists for each ad_ctx
We use separate AD context for each subdomain in the server mode.
Every such context has its own sdap_domain list which represents
sdap options such as filter and search bases for every domain.

However AD context can only fully initialize sdap_domain structure
for the same domain for which the whole context was created, which
resulted in the other sdap_domain structures having automatically
detected settings. This can cause problems if user is member of
groups from multiple domains.
Resolves:
https://pagure.io/SSSD/sssd/issue/3381
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 21f3d6124ea28218d02e1e345d38e2b948e4ec23)
---
src/providers/ipa/ipa_subdomains_server.c | 36 +++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index b02ea67af964a03e5466067cdb2b3ba4498120eb..443d83824f329b9d8c3d8e820113e1029f832240 100644
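--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -870,6 +870,7 @@ static errno_t ipa_server_create_trusts_step(struct tevent_req *req)
 {
 struct tevent_req *subreq = NULL;
 struct ipa_ad_server_ctx *trust_iter;
+ struct ipa_ad_server_ctx *trust_i;
 struct ipa_server_create_trusts_state *state = NULL;
 
 state = tevent_req_data(req, struct ipa_server_create_trusts_state);
@@ -900,6 +901,41 @@ static errno_t ipa_server_create_trusts_step(struct tevent_req *req)
 }
 }
 
+ /* Refresh all sdap_dom lists in all ipa_ad_server_ctx contexts */
+ DLIST_FOR_EACH(trust_iter, state->id_ctx->server_mode->trusts) {
+ struct sdap_domain *sdom_a;
+
+ sdom_a = sdap_domain_get(trust_iter->ad_id_ctx->sdap_id_ctx->opts,
+ trust_iter->dom);
+ if (sdom_a == NULL) {
+ continue;
+ }
+
+ DLIST_FOR_EACH(trust_i, state->id_ctx->server_mode->trusts) {
+ struct sdap_domain *sdom_b;
+
+ if (strcmp(trust_iter->dom->name, trust_i->dom->name) == 0) {
+ continue;
+ }
+
+ sdom_b = sdap_domain_get(trust_i->ad_id_ctx->sdap_id_ctx->opts,
+ sdom_a->dom);
+ if (sdom_b == NULL) {
+ continue;
+ }
+
+ /* Replace basedn and search bases from sdom_b with values
+ * from sdom_a */
+ sdom_b->search_bases = sdom_a->search_bases;
+ sdom_b->user_search_bases = sdom_a->user_search_bases;
+ sdom_b->group_search_bases = sdom_a->group_search_bases;
+ sdom_b->netgroup_search_bases = sdom_a->netgroup_search_bases;
+ sdom_b->sudo_search_bases = sdom_a->sudo_search_bases;
+ sdom_b->service_search_bases = sdom_a->service_search_bases;
+ sdom_b->autofs_search_bases = sdom_a->autofs_search_bases;
+ }
+ }
+
 return EOK;
 }
 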
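Review bot: The seven assignments that close the inner loop copy pointers rather than the search-base arrays, so every `sdom_b` ends up aliasing storage that appears to belong to the `sdom_a` entry of a different `ipa_ad_server_ctx`, while whatever `sdom_b` referenced before is left with its original owner. If the owning context can be torn down while another trust still holds the borrowed pointers (allocation and teardown are not visible in this patch), the back end would search with stale search bases, and these bases decide which LDAP subtrees are consulted when resolving users and group memberships of a trusted domain. Either duplicate the arrays onto `sdom_b`, or state the lifetime rule at the copy, e.g. `/* borrowed from sdom_a; must outlive every ad_id_ctx in server_mode->trusts */`. The existing comment also promises `basedn`, yet no `basedn` member is assigned in the visible lines, so drop the word or add the assignment. The middle of `ipa_server_create_trusts_step` lies between the two hunks and is not shown.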
--
2.9.3