From 756a944b898e55a83c212999b31ba6550af4b1ce Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 9 Sep 2014 22:13:52 +0200
Subject: [PATCH 130/130] IPA: Use GC for group lookups in server mode
https://fedorahosted.org/sssd/ticket/2412
Even though AD trusts often work with POSIX attributes which are
normally not replicated to GC, our group lookups are smart since commit
008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using
the LDAP connection and only use the GC connection to look up the members.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit a20ce8cd43d72c89e2ea1d65aefe24ba270f040f)
---
src/providers/ipa/ipa_subdomains_id.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 5517602a6e9c7d56406e42aa3afbd2527e2df7ea..9a90bc2d68561ce518bd31d74ec010c697036352 100644
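--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -304,17 +304,21 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
 }
 sdap_id_ctx = ad_id_ctx->sdap_id_ctx;
 
- /* Currently only LDAP port for AD is used because POSIX
- * attributes are not replicated to GC by default
+ /* We read users and groups from GC. From groups, we may switch to
+ * using LDAP connection in the group request itself, but in order
+ * to resolve Universal group memberships, we also need the GC
+ * connection
 */
-
- if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
+ switch (state->ar->entry_type & BE_REQ_TYPE_MASK) {
+ case BE_REQ_INITGROUPS:
+ case BE_REQ_GROUP:
 clist = ad_gc_conn_list(req, ad_id_ctx, state->user_dom);
 if (clist == NULL) {
 ret = ENOMEM;
 goto fail;
 }
- } else {
+ break;
+ default:
 clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
 if (clist == NULL) {
 ret = ENOMEM;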
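Review bot: The new comment above the `switch` says users and groups are read from GC, but only `BE_REQ_INITGROUPS` and `BE_REQ_GROUP` reach `ad_gc_conn_list()`; every other request type, which presumably includes plain user lookups, still takes the `default:` branch. Because group membership usually feeds access-control decisions, the comment should state the routing exactly and name the assumption it rests on, for example `/* Initgroups and group requests use the GC connection list; the group request itself may fall back to LDAP for the group object, since POSIX attributes are not replicated to GC by default. */`. That LDAP fallback lives in the group request code outside this hunk, so it is worth confirming it still applies on this backported branch. The `default:` branch and the rest of `ipa_get_ad_acct_send` continue past the end of the hunk.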
--
1.9.3