>From 9270a1b7b4ba37f9851acc8b5333ea26a26c7e20 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 12 Jul 2013 17:57:01 +0200 Subject: [PATCH] LDAP: When resolving a SID, search for groups first, then users https://fedorahosted.org/sssd/ticket/1997 Most of the time, the SIDs are resolved as a call coming from the PAC responder during initgroups. In that case at least, it makes sense to search for group matching that SID first, then users. We may consider making this behaviour configurable ie for the server mode where typically the users should be queried first. --- src/providers/ldap/ldap_id.c | 101 +++++++++++++++++++++---------------------- 1 file changed, 50 insertions(+), 51 deletions(-) diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index addb2f3cbc8e032703b8a3b3daba3b28548ba11a..edf5106fa78b2695cb1080e8f40cc872491c4211 100644 --- a/src/providers/ldap/ldap_id.c +++ b/src/providers/ldap/ldap_id.c 
@@ -1452,64 +1452,24 @@ static struct tevent_req *get_user_and_group_send(TALLOC_CTX *memctx, state->filter_type = filter_type; state->attrs_type = attrs_type; - subreq = users_get_send(req, state->ev, state->id_ctx, - state->sdom, state->conn, - state->filter_val, state->filter_type, - state->attrs_type, NULL); - if (subreq == NULL) { - DEBUG(SSSDBG_OP_FAILURE, ("users_get_send failed.\n")); - ret = ENOMEM; - goto fail; - } - - tevent_req_set_callback(subreq, get_user_and_group_users_done, req); - - return req; - -fail: - tevent_req_error(req, ret); - tevent_req_post(req, ev); - return req; -} - -static void get_user_and_group_users_done(struct tevent_req *subreq) -{ - struct tevent_req *req = tevent_req_callback_data(subreq, - struct tevent_req); - struct get_user_and_group_state *state = tevent_req_data(req, - struct get_user_and_group_state); - int ret; - - ret = users_get_recv(subreq, &state->dp_error, &state->sdap_ret); - talloc_zfree(subreq); - - if (ret != EOK) { /* Fatal error while looking up user */ - tevent_req_error(req, ret); - return; - } - - if (state->sdap_ret == EOK) { /* Matching user found */ - tevent_req_done(req); - return; - } else if (state->sdap_ret != ENOENT) { - tevent_req_error(req, EIO); - return; - } - - /* Now the search finished fine but did not find an entry. - * Retry with groups. */ - subreq = groups_get_send(req, state->ev, state->id_ctx, state->sdom, state->conn, state->filter_val, state->filter_type, state->attrs_type, state->noexist_delete); if (subreq == NULL) { - DEBUG(SSSDBG_OP_FAILURE, ("groups_get_send failed.\n")); - tevent_req_error(req, ENOMEM); - return; + DEBUG(SSSDBG_OP_FAILURE, ("users_get_send failed.\n")); + ret = ENOMEM; + goto fail; } tevent_req_set_callback(subreq, get_user_and_group_groups_done, req); + + return req; + +fail: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; } static void get_user_and_group_groups_done(struct tevent_req *subreq) 
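Review bot: The failure message added after the `groups_get_send` call still reads `users_get_send failed.`, so a log entry from this path names the wrong lookup; it should be `DEBUG(SSSDBG_OP_FAILURE, ("groups_get_send failed.\n"));`. The second hunk has the mirror-image problem: the new `users_get_send` call in get_user_and_group_groups_done logs `groups_get_send failed.`. A wrong function name in debug output sends whoever is troubleshooting a failed SID resolution to the wrong code path. get_user_and_group_send begins above this hunk, so only its tail is visible here.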
@@ -1523,7 +1483,46 @@ static void get_user_and_group_groups_done(struct tevent_req *subreq) ret = groups_get_recv(subreq, &state->dp_error, &state->sdap_ret); talloc_zfree(subreq); - if (ret == EOK) { /* Matching group found */ + if (ret != EOK) { /* Fatal error while looking up group */ + tevent_req_error(req, ret); + return; + } + + if (state->sdap_ret == EOK) { /* Matching group found */ + tevent_req_done(req); + return; + } else if (state->sdap_ret != ENOENT) { + tevent_req_error(req, EIO); + return; + } + + /* Now the search finished fine but did not find an entry. + * Retry with users. */ + subreq = users_get_send(req, state->ev, state->id_ctx, + state->sdom, state->conn, + state->filter_val, state->filter_type, + state->attrs_type, state->noexist_delete); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, ("groups_get_send failed.\n")); + tevent_req_error(req, ENOMEM); + return; + } + + tevent_req_set_callback(subreq, get_user_and_group_users_done, req); +} + +static void get_user_and_group_users_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct get_user_and_group_state *state = tevent_req_data(req, + struct get_user_and_group_state); + int ret; + + ret = users_get_recv(subreq, &state->dp_error, &state->sdap_ret); + talloc_zfree(subreq); + + if (ret == EOK) { /* Matching user found */ tevent_req_done(req); } else { tevent_req_error(req, ret); -- 1.8.3.1
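Review bot: The relocated `users_get_send` call now passes `state->noexist_delete` as its last argument, whereas the call it replaces passed `NULL`, and the commit message only describes a change of lookup order. Judging by the parameter name, this presumably lets a user lookup that finds nothing remove cached data, which the old users-first path never did; that should be confirmed against users_get_send, which is not shown on this page. If the change is intended, say so in the commit message and in a comment at the call, e.g. `/* unlike the old users-first path, noexist_delete now applies to the user lookup too */`; if not, keep the previous argument. get_user_and_group_groups_done begins above this hunk.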