Diffstat (limited to 'server')
-rw-r--r-- | server/man/sssd.conf.5.xml | 12 | ||||
-rw-r--r-- | server/responder/nss/nsssrv.c | 39 | ||||
-rw-r--r-- | server/responder/nss/nsssrv.h | 2 | ||||
-rw-r--r-- | server/responder/nss/nsssrv_cmd.c | 34 |
4 files changed, 56 insertions, 31 deletions
diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml
index 76d7f482..6c6a310c 100644
--- a/server/man/sssd.conf.5.xml
+++ b/server/man/sssd.conf.5.xml
@@ -346,6 +346,18 @@
 </para>
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term>filterUsersInGroups (bool)</term>
+ <listitem>
+ <para>
+ If you want filtered user still be group members
+ set this option to false.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
 </variablelist>
 </refsect2>
 </refsect1>
diff --git a/server/responder/nss/nsssrv.c b/server/responder/nss/nsssrv.c
index a896ef31..ad804389 100644
--- a/server/responder/nss/nsssrv.c
+++ b/server/responder/nss/nsssrv.c
@@ -102,6 +102,11 @@ static int nss_get_config(struct nss_ctx *nctx,
 &nctx->neg_timeout);
 if (ret != EOK) goto done;
+ ret = confdb_get_bool(cdb, nctx, NSS_SRV_CONFIG,
+ "filterUsersInGroups", true,
+ &nctx->filter_users_in_groups);
+ if (ret != EOK) goto done;
+
 ret = confdb_get_string_as_list(cdb, tmpctx, NSS_SRV_CONFIG, "filterUsers", &filter_list);
 if (ret == ENOENT) filter_list = NULL;
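Review bot: The new `confdb_get_bool` read of `filterUsersInGroups` in nss_get_config says nothing about what turning the option off means, and it is the one config knob here that changes what a lookup discloses: judging by the fill_grent changes in nsssrv_cmd.c, a false value makes group lookups return the names of users the administrator deliberately hid via filterUsers or the negative cache, so the default of true is the safe choice. I would record that next to the call, e.g. `/* false: users filtered out of passwd lookups (filterUsers / negative cache) are still reported as group members -- deliberate disclosure, default is the safe true */`, and the man page entry should spell out the same consequence rather than only how to disable it. nss_get_config starts and ends outside the hunk.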
@@ -293,24 +298,24 @@ int main(int argc, const char *argv[])
 struct main_context *main_ctx;
 int ret;
- struct poptOption long_options[] = {
- POPT_AUTOHELP SSSD_MAIN_OPTS
- { NULL }
- };
-
- pc = poptGetContext(argv[0], argc, argv, long_options, 0);
- while((opt = poptGetNextOpt(pc)) != -1) {
- switch(opt) {
- default:
- fprintf(stderr, "\nInvalid option %s: %s\n\n",
- poptBadOption(pc, 0), poptStrerror(opt));
- poptPrintUsage(pc, stderr, 0);
- return 1;
- }
- }
-
- poptFreeContext(pc);
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP SSSD_MAIN_OPTS
+ { NULL }
+ };
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+
+ poptFreeContext(pc);
 /* set up things like debug , signals, daemonization, etc... */
 ret = server_setup("sssd[nss]", 0, NSS_SRV_CONFIG, &main_ctx);
diff --git a/server/responder/nss/nsssrv.h b/server/responder/nss/nsssrv.h
index 0d3124c7..e9bae0f9 100644
--- a/server/responder/nss/nsssrv.h
+++ b/server/responder/nss/nsssrv.h
@@ -60,6 +60,8 @@ struct nss_ctx {
 struct getent_ctx *pctx;
 struct getent_ctx *gctx;
+
+ bool filter_users_in_groups;
 };
 struct nss_packet;
diff --git a/server/responder/nss/nsssrv_cmd.c b/server/responder/nss/nsssrv_cmd.c
index e8f178a4..520bf6df 100644
--- a/server/responder/nss/nsssrv_cmd.c
+++ b/server/responder/nss/nsssrv_cmd.c
@@ -1373,6 +1373,7 @@ static int fill_grent(struct sss_packet *packet,
 const char *namefmt = nctx->rctx->names->fq_fmt;
 bool packet_initialized = false;
 int ncret;
+ bool legacy = false;
 if (add_domain) dom_len = strlen(domain);
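Review bot: `filter_users_in_groups` lands in struct nss_ctx without a comment, so nothing in the header tells a reader which confdb key feeds it, what its default is, or that it governs whether hidden users are named in group member lists. The neighbouring fields are undocumented too, but this one is a security-relevant policy switch and deserves a line, e.g. `bool filter_users_in_groups; /* confdb filterUsersInGroups, default true: drop negative-cached users from group member lists */`. struct nss_ctx begins outside the hunk.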
@@ -1496,19 +1497,22 @@ static int fill_grent(struct sss_packet *packet,
 el = ldb_msg_find_element(msg, SYSDB_LEGACY_MEMBER);
 if (el) {
 /* legacy */
+ legacy = true;
 memnum = el->num_values;
 n = 0;
 for (j = 0; j < memnum; j++) {
 name = (char *)el->values[j].data;
- ncret = nss_ncache_check_user(nctx->ncache,
- nctx->neg_timeout,
- domain, name);
- if (ncret == EEXIST) {
- DEBUG(4, ("User [%s@%s] filtered out! (negative cache)\n",
- name, domain));
- continue;
+ if (nctx->filter_users_in_groups) {
+ ncret = nss_ncache_check_user(nctx->ncache,
+ nctx->neg_timeout,
+ domain, name);
+ if (ncret == EEXIST) {
+ DEBUG(4,("User [%s@%s] filtered out! (negative cache)\n",
+ name, domain));
+ continue;
+ }
 }
 name_len = el->values[j].length + 1;
@@ -1586,12 +1590,14 @@ static int fill_grent(struct sss_packet *packet,
 goto done;
 }
- ncret = nss_ncache_check_user(nctx->ncache,
- nctx->neg_timeout, domain, name);
- if (ncret == EEXIST) {
- DEBUG(4, ("User [%s@%s] filtered out! (negative cache)\n",
- name, domain));
- continue;
+ if (nctx->filter_users_in_groups) {
+ ncret = nss_ncache_check_user(nctx->ncache,
+ nctx->neg_timeout, domain, name);
+ if (ncret == EEXIST) {
+ DEBUG(4, ("User [%s@%s] filtered out! (negative cache)\n",
+ name, domain));
+ continue;
+ }
 }
 /* check that the uid is valid for this domain */
@@ -1651,7 +1657,7 @@ static int fill_grent(struct sss_packet *packet,
 goto done;
 }
- if (mnump) {
+ if (mnump && !legacy) {
 /* fill in the last group member count */
 sss_packet_get_body(packet, &body, &blen);
 ((uint32_t *)(&body[mnump]))[0] = memnum; /* num members */ |
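Review bot: The filter-and-skip sequence added under `if (nctx->filter_users_in_groups)` in the SYSDB_LEGACY_MEMBER loop is the same block the next hunk adds to the non-legacy loop, and the two copies already drift in small ways (`DEBUG(4,(` here versus `DEBUG(4, (` there). I would hoist the check into one static helper so the option is consulted in a single place and both loops reduce to `if (nss_group_member_filtered(nctx, domain, name)) continue;`, which also removes the need for `ncret` in the loops. fill_grent starts and ends outside the hunk.
```c
/* True when 'name' must not appear in the member list: filterUsersInGroups
 * is on and the user is in the negative cache. */
static bool nss_group_member_filtered(struct nss_ctx *nctx,
                                      const char *domain, const char *name)
{
    if (!nctx->filter_users_in_groups) {
        return false;
    }
    if (nss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
                              domain, name) != EEXIST) {
        return false;
    }
    DEBUG(4, ("User [%s@%s] filtered out! (negative cache)\n", name, domain));
    return true;
}

/* … unchanged: fill_grent up to the legacy member loop … */
            name = (char *)el->values[j].data;
            if (nss_group_member_filtered(nctx, domain, name)) {
                continue;
            }
```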
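Review bot: The guard `if (nctx->filter_users_in_groups)` around the negative-cache check in the non-legacy member loop makes a disclosure trade-off without saying so: with the option off, a user hidden from passwd lookups (filterUsers or anything else in the negative cache) is still named in group lookup output, so the hiding is only partial. The `/* check that the uid is valid for this domain */` step that follows the guard appears to still run for every member, so the relaxation is limited to names, but that should be stated where the decision is made, e.g. `/* filterUsersInGroups=false: users hidden from passwd lookups are still listed as members (name disclosure accepted by the admin) */`. fill_grent starts and ends outside the hunk.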
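Review bot: `if (mnump && !legacy)` now skips the final member-count store for groups filled from SYSDB_LEGACY_MEMBER, and the hunk does not say why; presumably because that branch counts accepted members in `n` (it resets `n = 0` before its loop) while `memnum` is `el->num_values` and still includes the entries the new `continue` drops. If the legacy branch does not store its own count further down, legacy groups would now report whatever was already in the packet at `mnump`, so this needs confirming, and the reason belongs at the condition: `/* legacy groups: count already stored from n in the SYSDB_LEGACY_MEMBER branch; memnum still includes filtered-out entries */`. The same question applies to the non-legacy loop, where `memnum` is still written here even though filtered users were skipped, unless it is adjusted outside the hunk. fill_grent starts and ends outside the hunk.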