From 16e2463e4f9ef93825b8f00f4ab1a1c9158eee82 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 9 Sep 2014 22:13:52 +0200
Subject: [PATCH 01/45] IPA: Use GC for group lookups in server mode

https://fedorahosted.org/sssd/ticket/2412

Even though AD trusts often work with POSIX attributes which are
normally not replicated to GC, our group lookups are smart since commit
008e1ee835602023891ac45408483d87f41e4d5c and look up the group itself using
the LDAP connection and only use the GC connection to look up the members.

Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit a20ce8cd43d72c89e2ea1d65aefe24ba270f040f)
---
 src/providers/ipa/ipa_subdomains_id.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 84a0bfe3d449a5035a7b2d52abfa78a651c37966..1089914030f5cae61edface413da9a4c790acc00 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -304,17 +304,21 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
     }
     sdap_id_ctx = ad_id_ctx->sdap_id_ctx;
 
-    /* Currently only LDAP port for AD is used because POSIX
-     * attributes are not replicated to GC by default
+    /* We read users and groups from GC. From groups, we may switch to
+     * using LDAP connection in the group request itself, but in order
+     * to resolve Universal group memberships, we also need the GC
+     * connection
      */
-
-    if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
+    switch (state->ar->entry_type & BE_REQ_TYPE_MASK) {
+    case BE_REQ_INITGROUPS:
+    case BE_REQ_GROUP:
         clist = ad_gc_conn_list(req, ad_id_ctx, state->user_dom);
         if (clist == NULL) {
             ret = ENOMEM;
             goto fail;
         }
-    } else {
+        break;
+    default:
         clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
         if (clist == NULL) {
             ret = ENOMEM;
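Review bot: The new comment above the switch says "We read users and groups from GC", but the code it describes routes only BE_REQ_INITGROUPS and BE_REQ_GROUP through ad_gc_conn_list(); every other request type, including user lookups, takes the default branch, which appears to build a separate two-entry connection list. A reader checking which connection a user lookup uses will be misled, so the comment should match the cases: `/* Group and initgroups requests use the GC connection list: the group itself may be resolved over LDAP inside the group request, but resolving Universal group memberships needs GC. Other request types build their own connection list below. */`. Both branches also repeat the same `clist == NULL` / `ret = ENOMEM; goto fail;` check, which could be hoisted to a single check after the switch. ipa_get_ad_acct_send() starts before this hunk and the default branch continues past it, so the content of the two-entry list is inferred, not visible here.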
-- 
2.4.3