author | Sumit Bose <sbose@redhat.com> | 2012-11-07 11:29:51 +0100 |
committer | Simo Sorce <simo@redhat.com> | 2012-11-10 21:44:22 -0500 |
commit | 2074780e4dc881028c06de6699d2967ef42ac4a9 (patch) | |
tree | 379d0fedc1f9b51e8ccb45ddd7a8ca3da3e925e5 /src | |
parent | b294d4c50ec4431bc07ad7ec5a73e8af0e53c54f (diff) | |
Do not remove a group if it has members from subdomains
Currently it is only checked whether an expired group still has members in
the local domain. If not, the group is deleted from the cache. With this
patch the whole cache, i.e. including subdomains, is searched for
members.
Diffstat (limited to 'src')
-rw-r--r-- | src/providers/ldap/ldap_id_cleanup.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/src/providers/ldap/ldap_id_cleanup.c b/src/providers/ldap/ldap_id_cleanup.c
index e65356d5..9c2faabb 100644
--- a/src/providers/ldap/ldap_id_cleanup.c
+++ b/src/providers/ldap/ldap_id_cleanup.c
@@ -395,6 +395,7 @@ static int cleanup_groups(TALLOC_CTX *memctx,
     int ret;
     int i;
     const char *posix;
+    struct ldb_dn *base_dn;

     tmpctx = talloc_new(memctx);
     if (!tmpctx) {
@@ -436,10 +437,12 @@ static int cleanup_groups(TALLOC_CTX *memctx,
         posix = ldb_msg_find_attr_as_string(msgs[i], SYSDB_POSIX, NULL);
         if (!posix || strcmp(posix, "TRUE") == 0) {
             /* Search for users that are members of this group, or
-             * that have this group as their primary GID
+             * that have this group as their primary GID.
+             * Include subdomain users as well.
              */
             gid = (gid_t) ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
-            subfilter = talloc_asprintf(tmpctx, "(|(%s=%s)(%s=%lu))",
+            subfilter = talloc_asprintf(tmpctx, "(&(%s=%s)(|(%s=%s)(%s=%lu)))",
+                                        SYSDB_OBJECTCLASS, SYSDB_USER_CLASS,
                                         SYSDB_MEMBEROF, dn,
                                         SYSDB_GIDNUM, (long unsigned) gid);
         } else {
@@ -451,8 +454,16 @@ static int cleanup_groups(TALLOC_CTX *memctx,
             goto done;
         }

-        ret = sysdb_search_users(tmpctx, sysdb,
-                                 subfilter, NULL, &u_count, &u_msgs);
+        base_dn = sysdb_base_dn(sysdb, tmpctx);
+        if (base_dn == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE, ("Failed to build base dn\n"));
+            ret = ENOMEM;
+            goto done;
+        }
+
+        ret = sysdb_search_entry(tmpctx, sysdb, base_dn,
+                                 LDB_SCOPE_SUBTREE, subfilter, NULL,
+                                 &u_count, &u_msgs);
         if (ret == ENOENT) {
             const char *name;
 |
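Review bot: The objectclass restriction `(&(objectClass=user)...)` added to the posix-branch subfilter is what keeps the new whole-tree search from matching non-user entries, but the `else` branch that builds `subfilter` for non-POSIX groups lies outside this hunk and is not changed by the commit. If that filter is a bare memberOf match, the subtree search introduced in the next hunk would presumably also count nested groups carrying `memberOf=<dn>` as "members", so a non-POSIX group whose only members are other groups would no longer be cleaned up; it is worth confirming that branch carries the same `SYSDB_OBJECTCLASS`/`SYSDB_USER_CLASS` clause. A one-line comment on the new filter such as `/* objectclass clause needed: the search below is SUBTREE over the whole cache, not just the users container */` would record why the clause is there. cleanup_groups starts before and ends after this hunk.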
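Review bot: `base_dn = sysdb_base_dn(sysdb, tmpctx);` is loop-invariant but is executed inside the per-group loop (its indentation matches the `msgs[i]` lines above), so every expired group allocates another ldb_dn on tmpctx that is not released until tmpctx is freed at `done`. Hoisting the call and its NULL check to just after `tmpctx = talloc_new(memctx);` in the first hunk computes it once and keeps the per-iteration path allocation-free apart from the search itself; the moved lines are the same `base_dn = sysdb_base_dn(sysdb, tmpctx);` / `if (base_dn == NULL) { ... ret = ENOMEM; goto done; }`. Mapping a NULL from sysdb_base_dn to ENOMEM is reasonable if the helper only fails on allocation, which the hunk does not show; a short comment `/* sysdb_base_dn only fails on allocation */` would make the assumption explicit. The enclosing cleanup_groups starts and ends outside the hunk.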