From 59f136cd254d1acf2991c97221eb08803784777d Mon Sep 17 00:00:00 2001
From: "Paul B. Henson"
Date: Tue, 13 Nov 2012 03:31:43 -0800
Subject: Add ignore_group_members option.

https://fedorahosted.org/sssd/ticket/1376
---
 src/providers/ldap/ldap_id.c | 9 ++++++++-
 src/providers/ldap/sdap_async_groups.c | 6 +++++-
 2 files changed, 13 insertions(+), 2 deletions(-)
(limited to 'src/providers')
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index b8520df8..0c2d63d3 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -340,6 +340,7 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
 enum idmap_error_code err;
 char *sid;
 bool use_id_mapping = dp_opt_get_bool(ctx->opts->basic, SDAP_ID_MAPPING);
+ const char *member_filter[2];
 req = tevent_req_create(memctx, &state, struct groups_get_state);
 if (!req) return NULL;
@@ -438,9 +439,15 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
 goto fail;
 }
+ member_filter[0] = (const char *)ctx->opts->group_map[SDAP_AT_GROUP_MEMBER].name;
+ member_filter[1] = NULL;
+
 /* TODO: handle attrs_type */
 ret = build_attrs_from_map(state, ctx->opts->group_map, SDAP_OPTS_GROUP,
- NULL, &state->attrs, NULL);
+ state->domain->ignore_group_members ?
+ (const char **)member_filter : NULL,
+ &state->attrs, NULL);
+
 if (ret != EOK) goto fail;
 ret = groups_get_retry(req);
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index f0185e41..67dddae7 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
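Review bot: In groups_get_send (src/providers/ldap/ldap_id.c, second hunk) the fourth argument to build_attrs_from_map changes from NULL to a one-element list, but nothing on the new lines says what that list means; a short comment such as `/* Leave the member attribute out of the request when ignore_group_members is set */` would make the intent checkable, assuming the argument is an exclusion list as its use here suggests. The `(const char **)` cast on `member_filter` is redundant, since a `const char *[2]` array already decays to that type, and the `(const char *)` cast on `.name` may be masking a type or qualifier mismatch that deserves a look rather than a cast. `state->domain` is dereferenced here without a visible check; the function starts and ends outside the hunk, so confirm it is assigned before this point.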
@@ -1648,8 +1648,12 @@ static void sdap_get_groups_done(struct tevent_req *subreq)
 if (state->check_count == 0) {
 DEBUG(9, ("All groups processed\n"));
+ /* If ignore_group_members is set for the domain, don't update
+ * group memberships in the cache.
+ */
 ret = sdap_save_groups(state, state->sysdb, state->dom, state->opts,
- state->groups, state->count, true, NULL,
+ state->groups, state->count,
+ !state->dom->ignore_group_members, NULL,
 &state->higher_usn);
 if (ret) {
 DEBUG(2, ("Failed to store groups.\n"));
-- cgit
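Review bot: The new comment in sdap_get_groups_done says memberships are not updated, but not what happens to member entries that are already in the cache. If the argument that used to be `true` only suppresses writes, a cache filled before the option was enabled would keep its old member lists, so a user removed from a group on the server could still be listed locally; that matters wherever group membership feeds an access decision. I would extend the comment with `* Members cached before the option was enabled are left as they are.` (or the opposite, once confirmed against sdap_save_groups), and mention the need to clear the cache in the option's documentation. The function begins and continues outside the hunk.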