From 337dd8a87cd774ac20d15c16ec3d9a6c4d2defc7 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 18 Apr 2017 11:47:30 +0200
Subject: [PATCH 125/135] IPA: Use search bases instead of domain_to_basedn
 when fetching external groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Instead of deriving the search base from the IPA domain name, actually
use the search base from the sdap_domain structure.

This has primarily the advantage of not matching groups in the compat
tree.

Resolves:
    https://pagure.io/SSSD/sssd/issue/3378

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
 src/providers/ipa/ipa_subdomains_ext_groups.c | 30 ++++++++++++---------------
 1 file changed, 13 insertions(+), 17 deletions(-)

diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
index d5727cc46eb9834abeab1d15cada692f81754b2e..505d89a51423489a5e2c0e09c9aa49d93c15231b 100644
--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
@@ -27,6 +27,7 @@
 #include "db/sysdb.h"
 #include "providers/ldap/ldap_common.h"
 #include "providers/ldap/sdap_async.h"
+#include "providers/ldap/sdap_ops.h"
 #include "providers/ipa/ipa_id.h"
 #include "providers/ad/ad_id.h"
 #include "providers/ipa/ipa_subdomains.h"
@@ -529,7 +530,6 @@ static void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq)
     struct get_ad_membership_state *state = tevent_req_data(req,
                                                 struct get_ad_membership_state);
     int ret;
-    char *basedn;
 
     ret = sdap_id_op_connect_recv(subreq, &state->dp_error);
     talloc_zfree(subreq);
@@ -546,20 +546,14 @@ static void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq)
         goto fail;
     }
 
-
-    ret = domain_to_basedn(state, state->domain, &basedn);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n");
-        goto fail;
-    }
-
-    subreq = sdap_get_generic_send(state, state->ev, state->sdap_id_ctx->opts,
-                                 sdap_id_op_handle(state->sdap_op), basedn,
-                                 LDAP_SCOPE_SUBTREE,
-                                 IPA_EXT_GROUPS_FILTER, NULL, NULL, 0,
-                                 dp_opt_get_int(state->sdap_id_ctx->opts->basic,
-                                                SDAP_ENUM_SEARCH_TIMEOUT),
-                                 false);
+    subreq = sdap_search_bases_send(state, state->ev, state->sdap_id_ctx->opts,
+                            sdap_id_op_handle(state->sdap_op),
+                            state->sdap_id_ctx->opts->sdom->group_search_bases,
+                            NULL, false,
+                            dp_opt_get_int(state->sdap_id_ctx->opts->basic,
+                                            SDAP_ENUM_SEARCH_TIMEOUT),
+                            IPA_EXT_GROUPS_FILTER,
+                            NULL);
     if (subreq == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
         ret = ENOMEM;
@@ -583,8 +577,10 @@ static void ipa_get_ext_groups_done(struct tevent_req *subreq)
     int ret;
     hash_table_t *ext_group_hash;
 
-    ret = sdap_get_generic_recv(subreq, state,
-                                &state->reply_count, &state->reply);
+    ret = sdap_search_bases_recv(subreq,
+                                 state,
+                                 &state->reply_count,
+                                 &state->reply);
     talloc_zfree(subreq);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ext_groups request failed.\n");
-- 
2.12.2