From 756a944b898e55a83c212999b31ba6550af4b1ce Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 9 Sep 2014 22:13:52 +0200
Subject: [PATCH 130/130] IPA: Use GC for group lookups in server mode
https://fedorahosted.org/sssd/ticket/2412
Even though AD trusts often rely on POSIX attributes, which are
normally not replicated to the GC, our group lookups have, since commit
008e1ee835602023891ac45408483d87f41e4d5c, looked up the group itself over
the LDAP connection and used the GC connection only to resolve the members.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit a20ce8cd43d72c89e2ea1d65aefe24ba270f040f)
---
src/providers/ipa/ipa_subdomains_id.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 5517602a6e9c7d56406e42aa3afbd2527e2df7ea..9a90bc2d68561ce518bd31d74ec010c697036352 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -304,17 +304,21 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
}
sdap_id_ctx = ad_id_ctx->sdap_id_ctx;
- /* Currently only LDAP port for AD is used because POSIX
- * attributes are not replicated to GC by default
+ /* We read users and groups from GC. From groups, we may switch to
+ * using LDAP connection in the group request itself, but in order
+ * to resolve Universal group memberships, we also need the GC
+ * connection
*/
-
- if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
+ switch (state->ar->entry_type & BE_REQ_TYPE_MASK) {
+ case BE_REQ_INITGROUPS:
+ case BE_REQ_GROUP:
clist = ad_gc_conn_list(req, ad_id_ctx, state->user_dom);
if (clist == NULL) {
ret = ENOMEM;
goto fail;
}
- } else {
+ break;
+ default:
clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
if (clist == NULL) {
ret = ENOMEM;
--
1.9.3