#3847 gpo: use correct base dn
Opened 2 months ago by pbrezina. Modified 2 months ago

The GPO code in ad_gpo_connect_done converts the domain name to a base DN, which may not be correct. For example, if the domain name in sssd.conf is AD, the computed base is dc=AD, but the correct base DN is dc=ad,dc=vm. This makes the GPO code fail.

    /* Convert the domain name into domain DN */
    ret = domain_to_basedn(state, state->host_domain->name, &domain_dn);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE,
              "Cannot convert domain name [%s] to base DN [%d]: %s\n",
               state->host_domain->name, ret, sss_strerror(ret));
        goto done;
    }

    /* SDAP_OC_USER objectclass covers both users and computers */
    filter = talloc_asprintf(state,
                             "(&(objectclass=%s)(%s=%s))",
                             state->opts->user_map[SDAP_OC_USER].name,
                             state->opts->user_map[SDAP_AT_USER_NAME].name,
                             sam_account_name);
    if (filter == NULL) {
        ret = ENOMEM;
        goto done;
    }

    subreq = sdap_get_generic_send(state, state->ev, state->opts,
                                   sdap_id_op_handle(state->sdap_op),
                                   domain_dn, LDAP_SCOPE_SUBTREE,
                                   /* ^^^ correct base dn should be used */
                                   filter, attrs, NULL, 0,
                                   state->timeout,
                                   false);

    if (subreq == NULL) {
        DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
        ret = EIO;
        goto done;
    }

    tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
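
The mismatch reported above, as an added example that is not SSSD code and not part of the original report. `name_to_basedn` and `derived_base_matches` are hypothetical, simplified stand-ins for a name-to-DN conversion; the inputs are the report's values plus constructed ones. It shows that the failure is a missing DN component, not letter case.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified stand-in (assumption, not SSSD's implementation): every
 * dot-separated label of the configured name becomes one "dc=" component.
 * Returns 0 on success, -1 on empty input, empty label or short buffer. */
int name_to_basedn(const char *name, char *out, size_t outlen)
{
    size_t used = 0;
    const char *s = name;

    if (name == NULL || *name == '\0' || out == NULL) return -1;

    while (*s != '\0') {
        size_t len = strcspn(s, ".");
        int n;
        if (len == 0) return -1;                 /* e.g. "ad..vm" */
        n = snprintf(out + used, outlen - used, "%sdc=%.*s",
                     used ? "," : "", (int)len, s);
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n;
        s += len;
        if (*s == '.') s++;                      /* skip the separator */
    }
    return 0;
}

/* 1 if the DN derived from the configured name equals the base DN the
 * directory really uses (compared case-insensitively), 0 if it differs,
 * -1 if the name cannot be converted. */
int derived_base_matches(const char *conf_name, const char *real_base)
{
    char dn[256];
    if (name_to_basedn(conf_name, dn, sizeof(dn)) != 0) return -1;
    return strcasecmp(dn, real_base) == 0;
}

int main(void)
{
    /* "AD" and dc=ad,dc=vm come from the report; the rest is constructed */
    const char *names[] = { "AD", "ad.vm", "AD.VM" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-6s matches dc=ad,dc=vm: %d\n", names[i],
               derived_base_matches(names[i], "dc=ad,dc=vm"));
    return 0;
}
```
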

Metadata Update from @jhrozek:
- Issue assigned to mzidek

2 months ago
