AD: Ignore Foreign Security Principals in groups #7596
Conversation
```c
if (fspdn == NULL) {
    DEBUG(SSSDBG_CRIT_FAILURE, "Unable to run talloc_asprintf\n");
    return false;
}
```
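Review bot: the `return false;` after the DEBUG line makes an allocation failure in talloc_asprintf indistinguishable from "this member is not an FSP", so the caller will go on treating the member as an ordinary one instead of failing the request; consider returning an errno_t (with the boolean result in an out-parameter) so the error propagates. Building the DN on every call also puts this allocation on the per-member path; caching it once per domain, as discussed in the thread, removes it.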
Hi,
I would like to suggest adding a `fspdn` member to `struct sdap_domain` and a `struct sdap_domain *sdom` to `struct sdap_nested_group_ctx`. With this you can set `state->group_ctx->sdom` in `sdap_nested_group_send()`. Now you can check here if `group_ctx->sdom->fspdn` is NULL and, if yes, create it as above. If the `fspdn` member is already set you can use it directly and avoid allocating it all the time.
bye,
Sumit
Hi,
Right, can do, but would it not be better to add this to `sss_domain_info` instead of the `sdap_domain` struct?
Thanks,
Ondrej
Hi,
`sss_domain_info` is for generic domain settings while `sdap_domain` contains LDAP-specific settings, so imo `sdap_domain` is the better place.
bye,
Sumit
Hi,
Can you give me a hint where I should initialize the new `sdap_domain` member `fspdn`? It looks a bit ugly to initialize it directly in function `sdap_nested_member_is_fsp`; I'd rather do it in some generic `sdom` initialization place. I tried in `sdap_domain_add` but it does not work reliably.
Thanks,
Ondrej
Hi,
imo it is completely fine to initialize it only when needed. Many LDAP environments, even Active Directory ones, might never need it, so just doing it in `sdap_nested_member_is_fsp()` is ok.
bye,
Sumit
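A sketch of the lazily cached per-domain FSP container DN that the thread converges on, as an added example in plain C (not SSSD's code: it uses malloc instead of talloc, and the hypothetical `domain_ctx` and `member_is_fsp` names stand in for `sdap_domain` and `sdap_nested_member_is_fsp`). It assumes the container is `CN=ForeignSecurityPrincipals,<base DN>` and keeps an allocation failure distinct from a non-FSP member:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Stand-in for the LDAP-specific per-domain settings (sdap_domain) with only
 * the two fields this example needs; the names are hypothetical. */
struct domain_ctx {
    const char *basedn;   /* e.g. "DC=example,DC=com" */
    char *fspdn;          /* FSP container DN, built on first use and cached */
};

/* Assumption: the container sits directly under the base DN, as in AD. */
static const char FSP_RDN[] = "CN=ForeignSecurityPrincipals,";

/* Build the FSP container DN once per domain; NULL means allocation failed. */
static const char *domain_fspdn(struct domain_ctx *dom)
{
    if (dom->fspdn == NULL) {
        size_t len = strlen(FSP_RDN) + strlen(dom->basedn) + 1;
        dom->fspdn = malloc(len);
        if (dom->fspdn == NULL) {
            fprintf(stderr, "Unable to allocate FSP container DN\n");
            return NULL;
        }
        snprintf(dom->fspdn, len, "%s%s", FSP_RDN, dom->basedn);
    }
    return dom->fspdn;
}

/* 1 if member_dn is a direct child of the FSP container, 0 if not,
 * -1 if the container DN could not be built (kept distinct from "not an FSP"
 * so an allocation failure is not mistaken for an ordinary member).
 * DN values are compared case-insensitively; escaped commas in the RDN are
 * not handled, which is fine for the SID-named objects in this container. */
int member_is_fsp(struct domain_ctx *dom, const char *member_dn)
{
    const char *fspdn = domain_fspdn(dom);
    if (fspdn == NULL) {
        return -1;
    }
    const char *parent = strchr(member_dn, ',');   /* skip the member's own RDN */
    if (parent == NULL) {
        return 0;
    }
    return strcasecmp(parent + 1, fspdn) == 0;
}
```

The cached `fspdn` is owned by the caller of `domain_ctx` and must be freed when the domain context goes away.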
Currently, group enumeration fails when a group contains Foreign Security Principals.
This code silently ignores them since we can't resolve these anyway (at least ATM).