Diffstat (limited to 'server')
-rw-r--r--server/man/sssd.conf.5.xml12
-rw-r--r--server/responder/nss/nsssrv.c39
-rw-r--r--server/responder/nss/nsssrv.h2
-rw-r--r--server/responder/nss/nsssrv_cmd.c34
4 files changed, 56 insertions, 31 deletions
diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml
index 76d7f482..6c6a310c 100644
--- a/server/man/sssd.conf.5.xml
+++ b/server/man/sssd.conf.5.xml
@@ -346,6 +346,18 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>filterUsersInGroups (bool)</term>
+ <listitem>
+ <para>
+ If you want filtered user still be group members
+ set this option to false.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
</refsect1>
diff --git a/server/responder/nss/nsssrv.c b/server/responder/nss/nsssrv.c
index a896ef31..ad804389 100644
--- a/server/responder/nss/nsssrv.c
+++ b/server/responder/nss/nsssrv.c
@@ -102,6 +102,11 @@ static int nss_get_config(struct nss_ctx *nctx,
&nctx->neg_timeout);
if (ret != EOK) goto done;
+ ret = confdb_get_bool(cdb, nctx, NSS_SRV_CONFIG,
+ "filterUsersInGroups", true,
+ &nctx->filter_users_in_groups);
+ if (ret != EOK) goto done;
+
ret = confdb_get_string_as_list(cdb, tmpctx, NSS_SRV_CONFIG,
"filterUsers", &filter_list);
if (ret == ENOENT) filter_list = NULL;
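Review bot: The new confdb_get_bool call carries no comment on how filterUsersInGroups relates to the `filterUsers` list read immediately after it, and that relationship is the whole point of the option. If filterUsers feeds the same negative cache that nss_ncache_check_user consults in fill_grent (inferred from the names and the "filtered out! (negative cache)" messages, not visible here), then setting the option to false makes accounts an administrator deliberately hid reappear through group member lists. A one-line comment above the call would make that trade-off explicit for the next reader, e.g. `/* false: skip the negative-cache check for group members, so users hidden via filterUsers are still listed as members */`. nss_get_config begins and ends outside this hunk.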
@@ -293,24 +298,24 @@ int main(int argc, const char *argv[])
struct main_context *main_ctx;
int ret;
- struct poptOption long_options[] = {
- POPT_AUTOHELP
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
SSSD_MAIN_OPTS
- { NULL }
- };
-
- pc = poptGetContext(argv[0], argc, argv, long_options, 0);
- while((opt = poptGetNextOpt(pc)) != -1) {
- switch(opt) {
- default:
- fprintf(stderr, "\nInvalid option %s: %s\n\n",
- poptBadOption(pc, 0), poptStrerror(opt));
- poptPrintUsage(pc, stderr, 0);
- return 1;
- }
- }
-
- poptFreeContext(pc);
+ { NULL }
+ };
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+
+ poptFreeContext(pc);
/* set up things like debug , signals, daemonization, etc... */
ret = server_setup("sssd[nss]", 0, NSS_SRV_CONFIG, &main_ctx);
diff --git a/server/responder/nss/nsssrv.h b/server/responder/nss/nsssrv.h
index 0d3124c7..e9bae0f9 100644
--- a/server/responder/nss/nsssrv.h
+++ b/server/responder/nss/nsssrv.h
@@ -60,6 +60,8 @@ struct nss_ctx {
struct getent_ctx *pctx;
struct getent_ctx *gctx;
+
+ bool filter_users_in_groups;
};
struct nss_packet;
diff --git a/server/responder/nss/nsssrv_cmd.c b/server/responder/nss/nsssrv_cmd.c
index e8f178a4..520bf6df 100644
--- a/server/responder/nss/nsssrv_cmd.c
+++ b/server/responder/nss/nsssrv_cmd.c
@@ -1373,6 +1373,7 @@ static int fill_grent(struct sss_packet *packet,
const char *namefmt = nctx->rctx->names->fq_fmt;
bool packet_initialized = false;
int ncret;
+ bool legacy = false;
if (add_domain) dom_len = strlen(domain);
@@ -1496,19 +1497,22 @@ static int fill_grent(struct sss_packet *packet,
el = ldb_msg_find_element(msg, SYSDB_LEGACY_MEMBER);
if (el) {
/* legacy */
+ legacy = true;
memnum = el->num_values;
n = 0;
for (j = 0; j < memnum; j++) {
name = (char *)el->values[j].data;
- ncret = nss_ncache_check_user(nctx->ncache,
- nctx->neg_timeout,
- domain, name);
- if (ncret == EEXIST) {
- DEBUG(4, ("User [%s@%s] filtered out! (negative cache)\n",
- name, domain));
- continue;
+ if (nctx->filter_users_in_groups) {
+ ncret = nss_ncache_check_user(nctx->ncache,
+ nctx->neg_timeout,
+ domain, name);
+ if (ncret == EEXIST) {
+ DEBUG(4,("User [%s@%s] filtered out! (negative cache)\n",
+ name, domain));
+ continue;
+ }
}
name_len = el->values[j].length + 1;
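Review bot: The guarded negative-cache check added here is repeated almost verbatim in the next hunk (the `if (nctx->filter_users_in_groups)` block around the second nss_ncache_check_user call), and the two copies already differ in DEBUG formatting (`DEBUG(4,(` here versus `DEBUG(4, (` there), which is how such copies drift apart. Factoring it into one static helper keeps the policy decision in a single place and lets each loop collapse to `if (member_is_filtered(nctx, domain, name)) continue;`; the `int ncret;` declared at the top of fill_grent would then move into the helper. fill_grent begins and ends outside this hunk, so the helper goes above it at file scope.
```c
/* True when name@domain is in the negative cache and the admin asked for
 * filtered users to be dropped from group member lists as well
 * (filterUsersInGroups, default true). */
static bool member_is_filtered(struct nss_ctx *nctx,
                               const char *domain, const char *name)
{
    int ncret;

    if (!nctx->filter_users_in_groups) return false;

    ncret = nss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
                                  domain, name);
    if (ncret == EEXIST) {
        DEBUG(4, ("User [%s@%s] filtered out! (negative cache)\n",
                  name, domain));
        return true;
    }
    return false;
}

/* … unchanged: fill_grent up to the legacy member loop … */
            name = (char *)el->values[j].data;
            if (member_is_filtered(nctx, domain, name)) continue;
/* … unchanged: rest of the legacy loop … */
```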
@@ -1586,12 +1590,14 @@ static int fill_grent(struct sss_packet *packet,
goto done;
}
- ncret = nss_ncache_check_user(nctx->ncache,
- nctx->neg_timeout, domain, name);
- if (ncret == EEXIST) {
- DEBUG(4, ("User [%s@%s] filtered out! (negative cache)\n",
- name, domain));
- continue;
+ if (nctx->filter_users_in_groups) {
+ ncret = nss_ncache_check_user(nctx->ncache,
+ nctx->neg_timeout, domain, name);
+ if (ncret == EEXIST) {
+ DEBUG(4, ("User [%s@%s] filtered out! (negative cache)\n",
+ name, domain));
+ continue;
+ }
}
/* check that the uid is valid for this domain */
@@ -1651,7 +1657,7 @@ static int fill_grent(struct sss_packet *packet,
goto done;
}
- if (mnump) {
+ if (mnump && !legacy) {
/* fill in the last group member count */
sss_packet_get_body(packet, &body, &blen);
((uint32_t *)(&body[mnump]))[0] = memnum; /* num members */
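Review bot: The new `!legacy` guard changes which code path writes the member count for legacy groups, and nothing in the hunk says why. If the legacy branch stores its own count from `n` (its running tally, which the `continue` in that loop skips filtered users from), a comment here should say so, e.g. `/* legacy groups: count already written from n in the legacy branch above */`; if it does not, a legacy group with mnump set now leaves the count field unwritten, which is worth confirming against the code outside this hunk. Either way, writing `memnum` here for a legacy group would be wrong, since in that branch `memnum = el->num_values` still counts the members the loop dropped. fill_grent continues outside this hunk.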