From 1bb04648878b7b3e3897484e7cfc2d11725c8014 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 12 Jul 2013 17:57:01 +0200 Subject: LDAP: When resolving a SID, search for groups first, then users https://fedorahosted.org/sssd/ticket/1997 Most of the time, the SIDs are resolved as a call coming from the PAC responder during initgroups. In that case at least, it makes sense to search for group matching that SID first, then users. We may consider making this behaviour configurable ie for the server mode where typically the users should be queried first.
---
 src/providers/ldap/ldap_id.c | 37 ++++++++++++++++++-------------------
 1 file changed, 18 insertions(+), 19 deletions(-)
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index addb2f3c..edf5106f 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -1452,17 +1452,17 @@ static struct tevent_req *get_user_and_group_send(TALLOC_CTX *memctx,
 state->filter_type = filter_type;
 state->attrs_type = attrs_type;
- subreq = users_get_send(req, state->ev, state->id_ctx,
- state->sdom, state->conn,
- state->filter_val, state->filter_type,
- state->attrs_type, NULL);
+ subreq = groups_get_send(req, state->ev, state->id_ctx,
+ state->sdom, state->conn,
+ state->filter_val, state->filter_type,
+ state->attrs_type, state->noexist_delete);
 if (subreq == NULL) {
 DEBUG(SSSDBG_OP_FAILURE, ("users_get_send failed.\n"));
 ret = ENOMEM;
 goto fail;
 }
- tevent_req_set_callback(subreq, get_user_and_group_users_done, req);
+ tevent_req_set_callback(subreq, get_user_and_group_groups_done, req);
 return req;
@@ -1472,7 +1472,7 @@ fail:
 return req;
 }
-static void get_user_and_group_users_done(struct tevent_req *subreq)
+static void get_user_and_group_groups_done(struct tevent_req *subreq)
 {
 struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req);
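Review bot: The failure message under the new `groups_get_send` call in get_user_and_group_send still reads `users_get_send failed.`, so a failed subrequest would be logged under the wrong lookup. The same swap was missed in the hunk at -1497, where the new `users_get_send` call is followed by `groups_get_send failed.`. I would change them to `DEBUG(SSSDBG_OP_FAILURE, ("groups_get_send failed.\n"));` here and `DEBUG(SSSDBG_OP_FAILURE, ("users_get_send failed.\n"));` there, since these messages are what someone reads when SID resolution fails during initgroups. The function body starts outside the hunk.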
@@ -1480,15 +1480,15 @@ static void get_user_and_group_users_done(struct tevent_req *subreq)
 struct get_user_and_group_state);
 int ret;
- ret = users_get_recv(subreq, &state->dp_error, &state->sdap_ret);
+ ret = groups_get_recv(subreq, &state->dp_error, &state->sdap_ret);
 talloc_zfree(subreq);
- if (ret != EOK) { /* Fatal error while looking up user */
+ if (ret != EOK) { /* Fatal error while looking up group */
 tevent_req_error(req, ret);
 return;
 }
- if (state->sdap_ret == EOK) { /* Matching user found */
+ if (state->sdap_ret == EOK) { /* Matching group found */
 tevent_req_done(req);
 return;
 } else if (state->sdap_ret != ENOENT) {
@@ -1497,22 +1497,21 @@ static void get_user_and_group_users_done(struct tevent_req *subreq)
 }
 /* Now the search finished fine but did not find an entry.
- * Retry with groups. */
-
- subreq = groups_get_send(req, state->ev, state->id_ctx,
- state->sdom, state->conn,
- state->filter_val, state->filter_type,
- state->attrs_type, state->noexist_delete);
+ * Retry with users. */
+ subreq = users_get_send(req, state->ev, state->id_ctx,
+ state->sdom, state->conn,
+ state->filter_val, state->filter_type,
+ state->attrs_type, state->noexist_delete);
 if (subreq == NULL) {
 DEBUG(SSSDBG_OP_FAILURE, ("groups_get_send failed.\n"));
 tevent_req_error(req, ENOMEM);
 return;
 }
- tevent_req_set_callback(subreq, get_user_and_group_groups_done, req);
+ tevent_req_set_callback(subreq, get_user_and_group_users_done, req);
 }
-static void get_user_and_group_groups_done(struct tevent_req *subreq)
+static void get_user_and_group_users_done(struct tevent_req *subreq)
 {
 struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req);
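Review bot: The retry in get_user_and_group_groups_done now passes `state->noexist_delete` to `users_get_send`, where the old first-stage user lookup passed `NULL`, and the commit message does not mention this change. With groups searched first, an ENOENT from the group stage is the normal outcome for every SID that belongs to a user, and both stages now receive the flag. How the two lookups act on it for a SID filter is not visible in this diff, so it is worth confirming that a first-stage miss cannot remove a cached entry before the user search runs. If the change is intended, a comment above the call such as `/* Only a miss in both searches means the SID is unknown */` would record why the flag is passed here.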
@@ -1520,10 +1519,10 @@ static void get_user_and_group_groups_done(struct tevent_req *subreq)
 struct get_user_and_group_state);
 int ret;
- ret = groups_get_recv(subreq, &state->dp_error, &state->sdap_ret);
+ ret = users_get_recv(subreq, &state->dp_error, &state->sdap_ret);
 talloc_zfree(subreq);
- if (ret == EOK) { /* Matching group found */
+ if (ret == EOK) { /* Matching user found */
 tevent_req_done(req);
 } else {
 tevent_req_error(req, ret);
-- cgit
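Review bot: The comment `/* Matching user found */` on `if (ret == EOK)` in get_user_and_group_users_done says more than the check establishes. In the group callback earlier in this patch, `ret == EOK` only means the lookup finished, and a match is signalled separately by `state->sdap_ret == EOK`; here the request is completed on `ret == EOK` without looking at `state->sdap_ret`, so a not-found result appears to finish through the same branch. I would reword it to `/* Lookup finished; state->sdap_ret says whether a user matched */`. The function body starts and ends outside the hunk.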