summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/providers/ldap/ldap_id_cleanup.c19
1 files changed, 15 insertions, 4 deletions
diff --git a/src/providers/ldap/ldap_id_cleanup.c b/src/providers/ldap/ldap_id_cleanup.c
index e65356d5..9c2faabb 100644
--- a/src/providers/ldap/ldap_id_cleanup.c
+++ b/src/providers/ldap/ldap_id_cleanup.c
@@ -395,6 +395,7 @@ static int cleanup_groups(TALLOC_CTX *memctx,
int ret;
int i;
const char *posix;
+ struct ldb_dn *base_dn;
tmpctx = talloc_new(memctx);
if (!tmpctx) {
@@ -436,10 +437,12 @@ static int cleanup_groups(TALLOC_CTX *memctx,
posix = ldb_msg_find_attr_as_string(msgs[i], SYSDB_POSIX, NULL);
if (!posix || strcmp(posix, "TRUE") == 0) {
/* Search for users that are members of this group, or
- * that have this group as their primary GID
+ * that have this group as their primary GID.
+ * Include subdomain users as well.
*/
gid = (gid_t) ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
- subfilter = talloc_asprintf(tmpctx, "(|(%s=%s)(%s=%lu))",
+ subfilter = talloc_asprintf(tmpctx, "(&(%s=%s)(|(%s=%s)(%s=%lu)))",
+ SYSDB_OBJECTCLASS, SYSDB_USER_CLASS,
SYSDB_MEMBEROF, dn,
SYSDB_GIDNUM, (long unsigned) gid);
} else {
@@ -451,8 +454,16 @@ static int cleanup_groups(TALLOC_CTX *memctx,
goto done;
}
- ret = sysdb_search_users(tmpctx, sysdb,
- subfilter, NULL, &u_count, &u_msgs);
+ base_dn = sysdb_base_dn(sysdb, tmpctx);
+ if (base_dn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Failed to build base dn\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_search_entry(tmpctx, sysdb, base_dn,
+ LDB_SCOPE_SUBTREE, subfilter, NULL,
+ &u_count, &u_msgs);
if (ret == ENOENT) {
const char *name;