From d42d371c00c83ae44b9d1c3e88ecbe0e01b112e6 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Sun, 10 Jun 2012 14:50:43 -0400 Subject: LDAP: Add support for AD chain matching extension in initgroups --- src/providers/ldap/sdap_async_initgroups.c | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) (limited to 'src/providers/ldap/sdap_async_initgroups.c') diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index 8524b137..2f146b01 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c @@ -2657,10 +2657,6 @@ static void sdap_get_initgr_user(struct tevent_req *subreq) case SDAP_SCHEMA_RFC2307BIS: case SDAP_SCHEMA_AD: - /* TODO: AD uses a different member/memberof schema - * We need an AD specific call that is able to unroll - * nested groups by doing extensive recursive searches */ - ret = sysdb_attrs_get_string(state->orig_user, SYSDB_ORIG_DN, &orig_dn); @@ -2669,17 +2665,28 @@ static void sdap_get_initgr_user(struct tevent_req *subreq) return; } - subreq = sdap_initgr_rfc2307bis_send( - state, state->ev, state->opts, state->sysdb, - state->dom, state->sh, - cname, orig_dn); + if (dp_opt_get_bool(state->opts->basic, SDAP_AD_MATCHING_RULE_INITGROUPS)) { + /* Take advantage of AD's extensibleMatch filter to look up + * all parent groups in a single request. + */ + subreq = sdap_get_ad_match_rule_initgroups_send( + state, state->ev, state->opts, state->sysdb, + state->sh, cname, orig_dn, state->timeout); + } else { + subreq = sdap_initgr_rfc2307bis_send( + state, state->ev, state->opts, state->sysdb, + state->dom, state->sh, + cname, orig_dn); + } if (!subreq) { tevent_req_error(req, ENOMEM); return; } + talloc_steal(subreq, orig_dn); tevent_req_set_callback(subreq, sdap_get_initgr_done, req); break; + case SDAP_SCHEMA_IPA_V1: subreq = sdap_initgr_nested_send(state, state->ev, state->opts, state->sysdb, state->dom, state->sh, 
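Review bot: The new branch in sdap_get_initgr_user is gated only on `SDAP_AD_MATCHING_RULE_INITGROUPS`, yet it sits under both `case SDAP_SCHEMA_RFC2307BIS:` and `case SDAP_SCHEMA_AD:` (the labels are visible in the preceding hunk). With the option on, a non-AD RFC2307bis server would therefore also be sent the AD-specific extensibleMatch search. If such a server rejects or ignores the rule, initgroups could presumably fail or return a short group list, and group membership feeds access-control decisions. Assuming the enclosing switch is on `state->opts->schema_type`, I would tie the branch to the schema, e.g. `if (state->opts->schema_type == SDAP_SCHEMA_AD && dp_opt_get_bool(state->opts->basic, SDAP_AD_MATCHING_RULE_INITGROUPS)) {`, and make the same change in sdap_get_initgr_done. The function body starts and ends outside the hunk.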
@@ -2730,7 +2737,11 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
 case SDAP_SCHEMA_RFC2307BIS:
 case SDAP_SCHEMA_AD:
- ret = sdap_initgr_rfc2307bis_recv(subreq);
+ if (dp_opt_get_bool(state->opts->basic, SDAP_AD_MATCHING_RULE_INITGROUPS)) {
+ ret = sdap_get_ad_match_rule_initgroups_recv(subreq);
+ } else {
+ ret = sdap_initgr_rfc2307bis_recv(subreq);
+ }
 break;
 case SDAP_SCHEMA_IPA_V1:
-- cgit
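Review bot: The choice of `_recv` function in sdap_get_initgr_done re-reads the option instead of using what sdap_get_initgr_user actually sent, so the two `dp_opt_get_bool()` calls must always agree for the subrequest to be unpacked by the matching receiver. If the option value can change while a request is in flight (not determinable from this hunk), the wrong receiver would be applied to the subrequest's state. I would record the decision once at send time in the request state, for example a new `bool use_matching_rule` field set next to the `_send` call and tested here as `if (state->use_matching_rule) {`. That removes the duplicated condition and keeps the send/recv pair in step when further branches are added. The function body starts and ends outside the hunk.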