AD: talk to GC first even for local domain objects

Related: https://fedorahosted.org/sssd/ticket/2070 Since we are recommending to configure the POSIX attributes so that they are replicated to the Global Catalog, we can start connecting to the GC by default even for local users. If the object is not matches in the GC, there is a possibility to fall back to LDAP.
SSSD · Sep 27, 2013 · 2a413fb · 2a413fb
1 parent 7830aea
commit 2a413fb
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 7 deletions.
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
@@ -178,7 +178,6 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
               struct sss_domain_info *dom, struct be_acct_req *ar)
 {
     struct sdap_id_conn_ctx **clist;
-    int i=0;
 
     /* LDAP, GC, sentinel */
     clist = talloc_zero_array(breq, struct sdap_id_conn_ctx *, 3);
@@ -190,12 +189,18 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
     case BE_REQ_USER_AND_GROUP: /* get SID */
     case BE_REQ_GROUP: /* group */
     case BE_REQ_INITGROUPS: /* init groups for user */
-        if (ad_ctx->gc_ctx && IS_SUBDOMAIN(dom)) {
-            clist[i] = ad_ctx->gc_ctx;
-            i++;
-        } else {
-            clist[i] = ad_ctx->ldap_ctx;
+        /* Always try GC first */
+        clist[0] = ad_ctx->gc_ctx;
+        if (IS_SUBDOMAIN(dom) == true) {
+            /* Subdomain users are only present in GC. */
+            break;
         }
+
+        /* With root domain users we have the option to
+         * fall back to LDAP in case ie POSIX attributes
+         * are used but not replicated to GC
+         */
+        clist[1] = ad_ctx->ldap_ctx;
         break;
 
     default:

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
@@ -25,6 +25,7 @@
 #include "providers/ldap/sdap_async.h"
 #include "providers/ad/ad_subdomains.h"
 #include "providers/ad/ad_domain_info.h"
+#include "providers/ldap/sdap_idmap.h"
 #include "util/util_sss_idmap.h"
 #include <ctype.h>
 #include <ndr.h>
@@ -108,6 +109,7 @@ ad_subdom_store(struct ad_subdomains_ctx *ctx,
     struct ldb_message_element *el;
     char *sid_str;
     uint32_t trust_type;
+    bool mpg;
 
     tmp_ctx = talloc_new(NULL);
     if (tmp_ctx == NULL) {
@@ -158,9 +160,13 @@ ad_subdom_store(struct ad_subdomains_ctx *ctx,
         goto done;
     }
 
+    mpg = sdap_idmap_domain_has_algorithmic_mapping(
+                                             ctx->sdap_id_ctx->opts->idmap_ctx,
+                                             domain->domain_id);
+
     /* AD subdomains are currently all mpg and do not enumerate */
     ret = sysdb_subdomain_store(domain->sysdb, name, realm, flat, sid_str,
-                                true, false, NULL);
+                                mpg, false, NULL);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, ("sysdb_subdomain_store failed.\n"));
         goto done;