5ff7a76 sdap: improve filtering of multiple results in GC lookups

4 files Authored by sbose 8 years ago, Committed by jhrozek 8 years ago,
    sdap: improve filtering of multiple results in GC lookups
    
    The Global Catalog of AD contains some information about all users and
    groups in an AD forest. Users from different domains in the forest can
    have the same name. The most obvious example is the Administrator user
    which is present in all domains. Although SSSD uses a domain specific
    search base for looking up users in the GC the search might still return
    multiple results if there is a user with the same name in one of the
    child (or grand-child ...) domains because of the hierarchic nature of
    the LDAP tree. Limiting the search depth would not help because users
    can be created in deeply nested OUs.
    
    Currently SSSD expects in this case that the user object is stored in
    CN=Users or below. This works for all default users like Administrator
    but in general users can be created anywhere in the directory tree. If a
    user is created outside of CN=Users and there is a user with the same
    name in a child domain the initgroups command to look up the
    group-memberships of the user fails because it is not clear which of the
    two results should be used (initgroups for the child domain user works
    fine).
    
    This patch adds an additional scheme to select the right result based on
    the domain component attribute name 'dc'. This attribute indicates an
    additional component in the domain name and hence a child domain. So as
    long as the result contains a dc component following our search base it
    cannot be the object we are looking for. This scheme includes the old
    CN=Users based one but since it is more expensive I kept the old scheme
    which so far worked all the time and only use the new one if the old one
    fails.
    
    Resolves https://fedorahosted.org/sssd/ticket/2961
    
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    
        
file modified
+6 -0
file modified
+153 -0
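The two-stage selection the commit message describes, shown as an added illustration for this page rather than code from the SSSD patch itself (the real change operates on ldb DNs inside sdap; the function names, the simplified comma-split DN handling with no support for escaped commas, and the sample DNs below are assumptions constructed for the example):

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of n bytes; AD DN attribute types and the
 * container names compared here are matched without regard to case. */
static int ncasecmp(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int ca = tolower((unsigned char)a[i]);
        int cb = tolower((unsigned char)b[i]);
        if (ca != cb) return ca - cb;
        if (ca == '\0') return 0;
    }
    return 0;
}

/* If dn equals base, or ends with ",base" on an RDN boundary, return the
 * length of the part of dn in front of the base (0 when dn == base);
 * return -1 when dn is not under base at all. Simplified DN handling
 * (assumption): RDNs are split on ',' and escaped commas are not handled. */
static long prefix_len(const char *dn, const char *base)
{
    size_t dlen = strlen(dn), blen = strlen(base);
    if (dlen < blen) return -1;
    size_t plen = dlen - blen;
    if (ncasecmp(dn + plen, base, blen) != 0) return -1;
    if (plen == 0) return 0;
    if (dn[plen - 1] != ',') return -1;
    return (long)(plen - 1);            /* drop the separating comma */
}

/* True if the RDN [rdn, rdn+len) has attribute type attr (e.g. "dc"). */
static bool rdn_is_attr(const char *rdn, size_t len, const char *attr)
{
    while (len > 0 && *rdn == ' ') { rdn++; len--; }
    size_t alen = strlen(attr);
    return len > alen && ncasecmp(rdn, attr, alen) == 0 && rdn[alen] == '=';
}

/* Old scheme: the RDN directly below the search base is CN=Users, i.e. the
 * object is in CN=Users,<base> or somewhere below it. */
static bool under_cn_users(const char *dn, const char *base)
{
    long plen = prefix_len(dn, base);
    if (plen <= 0) return false;        /* not under base, or base itself */
    size_t start = 0;
    for (size_t i = 0; i < (size_t)plen; i++)
        if (dn[i] == ',') start = i + 1;
    const char *rdn = dn + start;
    size_t len = (size_t)plen - start;
    while (len > 0 && *rdn == ' ') { rdn++; len--; }
    return len == strlen("cn=users") && ncasecmp(rdn, "cn=users", len) == 0;
}

/* New scheme: any dc= RDN between the object and the search base means the
 * object lives in a child (or grand-child ...) domain, so it cannot be ours. */
static bool has_dc_below_base(const char *dn, const char *base)
{
    long plen = prefix_len(dn, base);
    if (plen < 0) return false;
    size_t start = 0;
    for (size_t i = 0; i <= (size_t)plen; i++) {
        if (i == (size_t)plen || dn[i] == ',') {
            if (rdn_is_attr(dn + start, i - start, "dc")) return true;
            start = i + 1;
        }
    }
    return false;
}

/* Pick one result out of several GC entries: try the cheap CN=Users rule
 * first and fall back to the dc rule only when it gives no unique answer.
 * Returns the index into dns, or -1 when no single entry can be chosen. */
static int select_gc_result(const char *base, const char *const *dns, size_t n)
{
    int chosen = -1;
    size_t matches = 0;
    for (size_t i = 0; i < n; i++)
        if (under_cn_users(dns[i], base)) { chosen = (int)i; matches++; }
    if (matches == 1) return chosen;

    chosen = -1; matches = 0;
    for (size_t i = 0; i < n; i++)
        if (prefix_len(dns[i], base) >= 0 && !has_dc_below_base(dns[i], base)) {
            chosen = (int)i; matches++;
        }
    return matches == 1 ? chosen : -1;
}

int main(void)
{
    /* Constructed sample data: parent domain ad.example.com and child domain
     * child.ad.example.com, each with its own "Administrator". */
    const char *base = "DC=ad,DC=example,DC=com";
    const char *custom_ou[] = {         /* the case the patch fixes */
        "CN=Administrator,OU=Staff,DC=ad,DC=example,DC=com",
        "CN=Administrator,CN=Users,DC=child,DC=ad,DC=example,DC=com",
    };
    const char *defaults[] = {          /* the case the old scheme handled */
        "CN=Administrator,CN=Users,DC=child,DC=ad,DC=example,DC=com",
        "CN=Administrator,CN=Users,DC=ad,DC=example,DC=com",
    };
    printf("user in custom OU -> index %d\n", select_gc_result(base, custom_ou, 2));
    printf("default Administrator -> index %d\n", select_gc_result(base, defaults, 2));
    return 0;
}
```

The first sample reproduces the failure from the message: neither DN ends in CN=Users,<base>, so the old rule yields nothing and the dc rule excludes the child-domain entry. When two entries under the base both lack a dc component the function still returns -1, which is the right outcome for an initgroups lookup: guessing between two same-named accounts would attach the wrong group memberships to the user.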