From 3937736546e2a4b7cccc58fded3efdff9ae690fc Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Nov 05 2014 14:04:05 +0000
Subject: IPA: use ipaUserGroup object class for groups


dfb34c6c82ed5014599bf70de6791e6d79106fc2 changed object class
of IPA groups from posixGroups to more general groupOfNames.
However, this object class is used also for roles, permissions and
privileges which caused SSSD to consider those objects to be groups as
well during initgroups.

Resolves:
https://fedorahosted.org/sssd/ticket/2471

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

---

diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 4785e01..0e0eed4 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -205,7 +205,7 @@ struct sdap_attr_map ipa_user_map[] = {
 };
 
 struct sdap_attr_map ipa_group_map[] = {
-    { "ldap_group_object_class", "groupOfNames", SYSDB_GROUP_CLASS, NULL },
+    { "ldap_group_object_class", "ipaUserGroup", SYSDB_GROUP_CLASS, NULL },
     { "ldap_group_object_class_alt", "posixGroup", SYSDB_GROUP_CLASS, NULL },
     { "ldap_group_name", "cn", SYSDB_NAME, NULL },
     { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL },