summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2012-11-07 11:29:51 +0100
committerSimo Sorce <simo@redhat.com>2012-11-10 21:44:22 -0500
commit2074780e4dc881028c06de6699d2967ef42ac4a9 (patch)
tree379d0fedc1f9b51e8ccb45ddd7a8ca3da3e925e5 /src
parentb294d4c50ec4431bc07ad7ec5a73e8af0e53c54f (diff)
downloadsssd-2074780e4dc881028c06de6699d2967ef42ac4a9.tar.gz
sssd-2074780e4dc881028c06de6699d2967ef42ac4a9.tar.bz2
sssd-2074780e4dc881028c06de6699d2967ef42ac4a9.zip
Do not remove a group if it has members from subdomains
Currently it is only checked if an expired group still has members of the local domain. If not, the group is delete from the cache. With this patch the whole cache, i.e. including subdomains, is searched for members.
Diffstat (limited to 'src')
-rw-r--r--src/providers/ldap/ldap_id_cleanup.c19
1 files changed, 15 insertions, 4 deletions
diff --git a/src/providers/ldap/ldap_id_cleanup.c b/src/providers/ldap/ldap_id_cleanup.c
index e65356d5..9c2faabb 100644
--- a/src/providers/ldap/ldap_id_cleanup.c
+++ b/src/providers/ldap/ldap_id_cleanup.c
@@ -395,6 +395,7 @@ static int cleanup_groups(TALLOC_CTX *memctx,
int ret;
int i;
const char *posix;
+ struct ldb_dn *base_dn;
tmpctx = talloc_new(memctx);
if (!tmpctx) {
@@ -436,10 +437,12 @@ static int cleanup_groups(TALLOC_CTX *memctx,
posix = ldb_msg_find_attr_as_string(msgs[i], SYSDB_POSIX, NULL);
if (!posix || strcmp(posix, "TRUE") == 0) {
/* Search for users that are members of this group, or
- * that have this group as their primary GID
+ * that have this group as their primary GID.
+ * Include subdomain users as well.
*/
gid = (gid_t) ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
- subfilter = talloc_asprintf(tmpctx, "(|(%s=%s)(%s=%lu))",
+ subfilter = talloc_asprintf(tmpctx, "(&(%s=%s)(|(%s=%s)(%s=%lu)))",
+ SYSDB_OBJECTCLASS, SYSDB_USER_CLASS,
SYSDB_MEMBEROF, dn,
SYSDB_GIDNUM, (long unsigned) gid);
} else {
@@ -451,8 +454,16 @@ static int cleanup_groups(TALLOC_CTX *memctx,
goto done;
}
- ret = sysdb_search_users(tmpctx, sysdb,
- subfilter, NULL, &u_count, &u_msgs);
+ base_dn = sysdb_base_dn(sysdb, tmpctx);
+ if (base_dn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Failed to build base dn\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_search_entry(tmpctx, sysdb, base_dn,
+ LDB_SCOPE_SUBTREE, subfilter, NULL,
+ &u_count, &u_msgs);
if (ret == ENOENT) {
const char *name;