URL: https://github.com/SSSD/sssd/pull/5771
Author: sumit-bose
Title: #5771: sdap: always create sdap object for a forest root
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5771/head:pr5771
git checkout pr5771
From 97f8b37d280b3dfce5a55f5821660c79d8ec5eac Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 31 Aug 2021 12:59:15 +0200
Subject: [PATCH] sdap: always create sdap object for a forest root

Even if the forest root is disabled for user and group lookups a sdap
object is needed to lookup trusted domains.

This already works if the forest root is discovered for the first time
at runtime. But if SSSD is restarted only the domain object but not the
sdap object is created.

Resolves: https://github.com/SSSD/sssd/issues/5770

:fixes: Even if the forest root is disabled for lookups all required
  internal data is initialized to be able to refresh the list of trusted
  domains in the forest from a DC of the forest root.
---
 src/providers/ldap/sdap_domain.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c
index d384b2e4a0..fa6e9340de 100644
--- a/src/providers/ldap/sdap_domain.c
+++ b/src/providers/ldap/sdap_domain.c
@@ -132,9 +132,17 @@ sdap_domain_subdom_add(struct sdap_id_ctx *sdap_id_ctx,
     struct sdap_domain *sdom, *sditer;
     errno_t ret;
 
-    for (dom = get_next_domain(parent, SSS_GND_DESCEND);
+    for (dom = get_next_domain(parent, SSS_GND_DESCEND|SSS_GND_INCLUDE_DISABLED);
          dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
-         dom = get_next_domain(dom, 0)) {
+         dom = get_next_domain(dom, SSS_GND_INCLUDE_DISABLED)) {
+
+        /* Always create sdap domain object for the forest root, even if it is
+         * disabled so that we can connect later to discover trusted domains
+         * in the forest. */
+        if (sss_domain_get_state(dom) == DOM_DISABLED
+                && !sss_domain_is_forest_root(dom)) {
+            continue;
+        }
 
         DLIST_FOR_EACH(sditer, sdom_list) {
             if (sditer->dom == dom) {
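Review bot: The new `continue` at the top of the loop body keeps disabled non-root domains out, but a disabled forest root now gets an sdap_domain entry in sdom_list, and nothing in this hunk marks that entry as usable only for trusted-domain discovery. Code that walks the list for user or group lookups has to check `sss_domain_get_state(dom)` itself, so please state that in the new comment or in the function's documentation. Since both `get_next_domain()` calls now pass SSS_GND_INCLUDE_DISABLED, the skip check is the only filter left for disabled domains; a regression test for the restart case described in the commit message (forest root disabled, SSSD restarted, sdap object still created) would pin that down. Minor style point: put spaces around `|` in `SSS_GND_DESCEND|SSS_GND_INCLUDE_DISABLED` and wrap the line.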