1dedfbb334
Resolves: upstream#3588 - sssd_nss consumes more memory until restarted or machine swaps Resolves: failure in glibc tests https://sourceware.org/bugzilla/show_bug.cgi?id=22530 Resolves: upstream#3451 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds Resolves: upstream#3285 - SSSD needs restart after incorrect clock is corrected with AD Resolves: upstream#3586 - Give a more detailed debug and system-log message if krb5_init_context() failed Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet in /etc/systemd/system Backport few upstream features from 1.16.1
From 2029b7b32c868dd5ad33dcc9b078d362ee9bb602 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Nov 2017 12:04:50 +0100
Subject: [PATCH 70/79] ipa: handle users from different domains in
ipa_resolve_user_list_send()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Instead of assuming that all users in the list can be found in the
provided domain with this patch the domain name part of the user name is
preferred. The provided domain name is used as a fallback.
Related to https://pagure.io/SSSD/sssd/issue/3579
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/ipa/ipa_id.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
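--- a/src/providers/ipa/ipa_id.c
+++ b/src/providers/ipa/ipa_id.c
@@ -63,6 +63,8 @@ struct ipa_resolve_user_list_state {
 struct ipa_id_ctx *ipa_ctx;
 struct ldb_message_element *users;
 const char *domain_name;
+ struct sss_domain_info *domain;
+ struct sss_domain_info *user_domain;
 size_t user_idx;
 
 int dp_error;
@@ -91,6 +93,8 @@ ipa_resolve_user_list_send(TALLOC_CTX *memctx, struct tevent_context *ev,
 state->ev = ev;
 state->ipa_ctx = ipa_ctx;
 state->domain_name = domain_name;
+ state->domain = find_domain_by_name(state->ipa_ctx->sdap_id_ctx->be->domain,
+ state->domain_name, true);
 state->users = users;
 state->user_idx = 0;
 state->dp_error = DP_ERR_FATAL;
@@ -132,8 +136,17 @@ static errno_t ipa_resolve_user_list_get_user_step(struct tevent_req *req)
 
 DEBUG(SSSDBG_TRACE_ALL, "Trying to resolve user [%s].\n", ar->filter_value);
 
- if (strcasecmp(state->domain_name,
- state->ipa_ctx->sdap_id_ctx->be->domain->name) != 0) {
+ state->user_domain = find_domain_by_object_name_ex(
+ state->ipa_ctx->sdap_id_ctx->be->domain,
+ ar->filter_value, true);
+ /* Use provided domain as as fallback is no known domain was found in the
+ * user name. */
+ if (state->user_domain == NULL) {
+ state->user_domain = state->domain;
+ }
+ ar->domain = state->user_domain->name;
+
+ if (state->user_domain != state->ipa_ctx->sdap_id_ctx->be->domain) {
 subreq = ipa_subdomain_account_send(state, state->ev, state->ipa_ctx,
 ar);
 } else {
@@ -158,8 +171,7 @@ static void ipa_resolve_user_list_get_user_done(struct tevent_req *subreq)
 struct ipa_resolve_user_list_state);
 int ret;
 
- if (strcasecmp(state->domain_name,
- state->ipa_ctx->sdap_id_ctx->be->domain->name) != 0) {
+ if (state->user_domain != state->ipa_ctx->sdap_id_ctx->be->domain) {
 ret = ipa_subdomain_account_recv(subreq, &state->dp_error);
 } else {
 ret = ipa_id_get_account_info_recv(subreq, &state->dp_error);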
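Review bot: The fallback in ipa_resolve_user_list_get_user_step() can still leave `state->user_domain` NULL on the line before `ar->domain = state->user_domain->name;` dereferences it. `state->domain` is assigned in ipa_resolve_user_list_send() straight from `find_domain_by_name(...)` with no check, so if `domain_name` matches no known domain (presumably a NULL return) and the user name carries no recognised domain part either, the provider process would crash on a name list it did not choose. A guard after the fallback such as `if (state->user_domain == NULL) { return ENOENT; }`, or an equivalent NULL check with a DEBUG message where `state->domain` is set, would turn this into a reported lookup failure. Both functions start and end outside the visible hunks, so the right error code and whether `ar` needs explicit cleanup on that path should be confirmed against the full file.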
--
2.15.1