Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
LDAP: Resolve the primary group of a user during BE_REQ_USER in a hybrid domain

Related:
https://pagure.io/SSSD/sssd/issue/3822

In the hybrid domains, a real group must not shadow the autogenerated group. Therefore, considering a setup like this:

    user: { uid: 123, gid: 123 }
    group: { gid: 123}

Calling getent group 123 must always return the user, not the group. This might be problematic in case the system called:

    getpwnam(user)
    getgrnam(user)

or:

    getpwnam(user)
    getgrgid(123)

In that case, SSSD can't return correct results without knowing if 123 resolves to a real group or if the getgrnam(user) call should fall back to the MPG entry.

To solve this, this patch adds a new request to the user resolution. This request is only called in the hybrid domain and resolves the user's primary GID.

Patching the initgroups request is not required because the initgroups request already calls groups_get_send() to get the primary group. In this case, calling groups_get_send() might be problematic, because the user request might already be called from the group request as a fallback which is supposed to find a MPG group. Instead of adding potentially complex logic to only recurse into the nested groups_get_send() in some cases, a new request is added.
Showing 5 changed files with 300 additions and 30 deletions.