From 9ff2e55000d146381db5f66575e40ada5ecaf0cf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 6 Sep 2024 14:37:05 +0200
Subject: [PATCH 11/15] ad: use default user_map when looking of host groups
for GPO
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use the default AD user attribute map to look up the group membership of
the AD host object. This should help to avoid issues if user attributes
are overwritten in the user attribute map.
Resolves: https://github.com/SSSD/sssd/issues/7590
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit 5f5077ac1158deff6fbb51722d37b9c5f8b05cf7)
(cherry picked from commit 2c233636c093708d5cdd7ddb69af9b0ecde633bd)
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---
src/providers/ad/ad_access.h | 1 +
src/providers/ad/ad_gpo.c | 15 ++++++++++++++-
2 files changed, 15 insertions(+), 1 deletion(-)
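--- a/src/providers/ad/ad_access.h
+++ b/src/providers/ad/ad_access.h
@@ -49,6 +49,7 @@ struct ad_access_ctx {
 } gpo_map_type;
 hash_table_t *gpo_map_options_table;
 enum gpo_map_type gpo_default_right;
+ struct sdap_attr_map *host_attr_map;
 };
 
 struct tevent_req *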
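Review bot: The new `host_attr_map` member has no comment saying what it holds or who owns it. Going by the ad_gpo.c change in this same patch, it is a copy of `ad_2008r2_user_map` created on first use and allocated on the access context. A one-line comment such as `/* copy of the default AD user map, created on first use for GPO host group lookups */` would record that for the next reader. The definition of `struct ad_access_ctx` starts outside this hunk.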
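--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -45,6 +45,7 @@
 #include "providers/ad/ad_common.h"
 #include "providers/ad/ad_domain_info.h"
 #include "providers/ad/ad_gpo.h"
+#include "providers/ad/ad_opts.h"
 #include "providers/ldap/sdap_access.h"
 #include "providers/ldap/sdap_async.h"
 #include "providers/ldap/sdap.h"
@@ -2238,13 +2239,25 @@ ad_gpo_connect_done(struct tevent_req *subreq)
 "trying with user search base.");
 }
 
+ if (state->access_ctx->host_attr_map == NULL) {
+ ret = sdap_copy_map(state->access_ctx,
+ ad_2008r2_user_map, SDAP_OPTS_USER,
+ &state->access_ctx->host_attr_map);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map.\n");
+ goto done;
+ }
+ }
+
 subreq = groups_by_user_send(state, state->ev,
 state->access_ctx->ad_id_ctx->sdap_id_ctx,
 sdom, state->conn,
 search_bases,
 state->host_fqdn,
 BE_FILTER_NAME,
- NULL, NULL, 0,
+ NULL,
+ state->access_ctx->host_attr_map,
+ SDAP_OPTS_USER,
 true,
 true);
 tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);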
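Review bot: The failure branch after `sdap_copy_map()` in `ad_gpo_connect_done` logs a fixed string and drops `ret`, which makes an aborted GPO evaluation hard to diagnose; I would log the code, e.g. `DEBUG(SSSDBG_OP_FAILURE, "Failed to copy user map [%d]: %s\n", ret, sss_strerror(ret));`. The host's group membership presumably feeds GPO filtering and therefore the access decision, so please confirm that the `done:` label, which is outside this hunk, fails the request rather than continuing without host groups. A short comment above the new `if` would also help, for example `/* use the default AD user map for the host lookup so user attribute overrides do not affect it */`. The map is cached on `access_ctx` on first use, which looks fine as long as nothing else is expected to free or replace it.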
--
2.46.1