author | Jakub Hrozek <jhrozek@redhat.com> | 2013-07-12 17:57:01 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-07-17 13:13:10 +0200 |
commit | 1bb04648878b7b3e3897484e7cfc2d11725c8014 (patch) | |
tree | af8fa43bd0b320a77fe77ff54ad26b4be44ef8f5 /src/providers/ldap | |
parent | 9c25d1420ddf482b01bdaba54a15bce8a6f32943 (diff) | |
LDAP: When resolving a SID, search for groups first, then users
https://fedorahosted.org/sssd/ticket/1997
Most of the time, the SIDs are resolved as a call coming from the PAC
responder during initgroups. In that case at least, it makes sense to
search for group matching that SID first, then users.
We may consider making this behaviour configurable, i.e. for the server
mode where typically the users should be queried first.
Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- | src/providers/ldap/ldap_id.c | 37 |
1 files changed, 18 insertions, 19 deletions
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index addb2f3c..edf5106f 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -1452,17 +1452,17 @@ static struct tevent_req *get_user_and_group_send(TALLOC_CTX *memctx,
 state->filter_type = filter_type;
 state->attrs_type = attrs_type;
- subreq = users_get_send(req, state->ev, state->id_ctx,
- state->sdom, state->conn,
- state->filter_val, state->filter_type,
- state->attrs_type, NULL);
+ subreq = groups_get_send(req, state->ev, state->id_ctx,
+ state->sdom, state->conn,
+ state->filter_val, state->filter_type,
+ state->attrs_type, state->noexist_delete);
 if (subreq == NULL) {
 DEBUG(SSSDBG_OP_FAILURE, ("users_get_send failed.\n"));
 ret = ENOMEM;
 goto fail;
 }
- tevent_req_set_callback(subreq, get_user_and_group_users_done, req);
+ tevent_req_set_callback(subreq, get_user_and_group_groups_done, req);
 return req;
@@ -1472,7 +1472,7 @@ fail:
 return req;
 }
-static void get_user_and_group_users_done(struct tevent_req *subreq)
+static void get_user_and_group_groups_done(struct tevent_req *subreq)
 {
 struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req);
@@ -1480,15 +1480,15 @@ static void get_user_and_group_users_done(struct tevent_req *subreq)
 struct get_user_and_group_state);
 int ret;
- ret = users_get_recv(subreq, &state->dp_error, &state->sdap_ret);
+ ret = groups_get_recv(subreq, &state->dp_error, &state->sdap_ret);
 talloc_zfree(subreq);
- if (ret != EOK) { /* Fatal error while looking up user */
+ if (ret != EOK) { /* Fatal error while looking up group */
 tevent_req_error(req, ret);
 return;
 }
- if (state->sdap_ret == EOK) { /* Matching user found */
+ if (state->sdap_ret == EOK) { /* Matching group found */
 tevent_req_done(req);
 return;
 } else if (state->sdap_ret != ENOENT) {
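Review bot: The first-stage lookup in get_user_and_group_send now passes `state->noexist_delete` to groups_get_send, where the old first-stage call passed `NULL`. A miss at this stage does not show that the SID is unknown, because the user search still follows, so any cache cleanup tied to that flag belongs to the final stage only; how groups_get_send acts on the flag for SID filters is not visible in this diff. Consider keeping a false value for this first call, or add a comment such as `/* a group miss by SID must not remove cached entries; the user lookup follows */` once the behaviour is confirmed. The DEBUG string after this call still reads `users_get_send failed.` and the one in the retry hunk of get_user_and_group_groups_done still reads `groups_get_send failed.`; both now name the wrong call and will mislead anyone reading the logs. The function body starts above this hunk.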
@@ -1497,22 +1497,21 @@ static void get_user_and_group_users_done(struct tevent_req *subreq)
 }
 /* Now the search finished fine but did not find an entry.
- * Retry with groups. */
-
- subreq = groups_get_send(req, state->ev, state->id_ctx,
- state->sdom, state->conn,
- state->filter_val, state->filter_type,
- state->attrs_type, state->noexist_delete);
+ * Retry with users. */
+ subreq = users_get_send(req, state->ev, state->id_ctx,
+ state->sdom, state->conn,
+ state->filter_val, state->filter_type,
+ state->attrs_type, state->noexist_delete);
 if (subreq == NULL) {
 DEBUG(SSSDBG_OP_FAILURE, ("groups_get_send failed.\n"));
 tevent_req_error(req, ENOMEM);
 return;
 }
- tevent_req_set_callback(subreq, get_user_and_group_groups_done, req);
+ tevent_req_set_callback(subreq, get_user_and_group_users_done, req);
 }
-static void get_user_and_group_groups_done(struct tevent_req *subreq)
+static void get_user_and_group_users_done(struct tevent_req *subreq)
 {
 struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req);
@@ -1520,10 +1519,10 @@ static void get_user_and_group_groups_done(struct tevent_req *subreq)
 struct get_user_and_group_state);
 int ret;
- ret = groups_get_recv(subreq, &state->dp_error, &state->sdap_ret);
+ ret = users_get_recv(subreq, &state->dp_error, &state->sdap_ret);
 talloc_zfree(subreq);
- if (ret == EOK) { /* Matching group found */
+ if (ret == EOK) { /* Matching user found */
 tevent_req_done(req);
 } else {
 tevent_req_error(req, ret); |
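Review bot: The comment `/* Matching user found */` on `if (ret == EOK)` in get_user_and_group_users_done overstates what that branch knows. In the group callback earlier in this diff, `ret == EOK` only means the search completed, and `state->sdap_ret` is what separates a match from ENOENT; here the request is finished on `ret == EOK` alone, so a SID that matched neither a group nor a user appears to take this branch too, presumably leaving ENOENT in `state->sdap_ret` for the caller. A comment like `/* Search finished; state->sdap_ret says whether a user matched */` would describe it accurately. The function's closing lines fall outside the hunk.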