URL: https://github.com/SSSD/sssd/pull/179
Author: jhrozek
Title: #179: Search UPN only in the given domain
Action: opened
PR body:
"""
We were searching UPNs in the whole sysdb, which made cache_req think the result came in from the domain it was searching. The bug manifested when a user from a trusted domain was looked up by UPN, then cache_req searched the main domain, the result from subdomain was considered as coming from the main domain and as a result, the getpwnam() output was not qualified. That is a problem, because PAM applications often sanitize the user with getpwnam, so effectively a login with UPN was shortened to just a shortname and failed.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/179/head:pr179
git checkout pr179
From 00c7c1446fcafdff17a032a98b53410a1dbf8894 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Thu, 2 Mar 2017 17:54:46 +0100 Subject: [PATCH] SYSDB: Only search the given domain for UPNs --- src/db/sysdb_ops.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index 7f6c127..ada5dd5 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c @@ -555,7 +555,7 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx, goto done; } - base_dn = sysdb_base_dn(domain->sysdb, tmp_ctx); + base_dn = sysdb_user_base_dn(tmp_ctx, domain); if (base_dn == NULL) { ret = ENOMEM; goto done;
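Review bot: the scope change to base_dn in sysdb_search_user_by_upn_res ships without a regression test; the diffstat lists only src/db/sysdb_ops.c. Please add a sysdb test that stores a user with a UPN in a subdomain, then calls the search with the parent domain and expects no result, and with the subdomain and expects the entry, so the unqualified getpwnam() output described in the PR body cannot come back unnoticed. Since the function previously matched across the whole sysdb, it is also worth checking every other caller for a dependency on that behaviour: a caller that passes only the main domain will now miss users from trusted domains unless it iterates over the subdomains itself. A short comment above the function stating that only the given domain is searched would make that contract explicit.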
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org