AD: Ignore Foreign Security Principals in groups #7596
Conversation
| if (fspdn == NULL) { | ||
| DEBUG(SSSDBG_CRIT_FAILURE, "Unable to run talloc_asprintf\n"); | ||
| return false; | ||
| } |
There was a problem hiding this comment.
Hi,
I would like to suggest to add a fspdn member to struct sdap_domain and add a struct sdap_domain *sdom to struct sdap_nested_group_ctx. With this you can set state->group_ctx->sdom in sdap_nested_group_send(). Now you can check here if group_ctx->sdom->fspdn is NULL and if yes create it as above. If the fspdn member is already set you can use it directly and avoid allocation it all the time.
bye,
Sumit
There was a problem hiding this comment.
Hi,
Right, can do, but would not better to add this to sss_domain_info instead of sdap_domain struct?
Thanks,
Ondrej
There was a problem hiding this comment.
Hi,
sss_domain_info is for generic domain settings while sdap_domain contains LDAP specific settings, so imo sdap_domain is the better place.
bye,
Sumit
There was a problem hiding this comment.
Hi,
Can you give me a hint where I should initialize the new sdap_domain member fspdn as it looks a bit ugly to initialize it directly in function sdap_nested_member_is_fsp, I'd rather do it in some generic sdom initialization place. I tried in sdap_domain_add but it does not work reliably.
Thanks,
Ondrej
There was a problem hiding this comment.
Hi,
imo it is completely fine to initialize it only when needed. Many LDAP environments, even Active Directory ones, might never need it, so just doing it in sdap_nested_member_is_fsp() is ok.
bye,
Sumit
Currently, group enumeration fails when group contains Foreign security principals.
This code silently ignores them since we can't resolve these anyway (at least ATM).