From 89e56266a17661d6219107912b4501fbb1071bf2 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 21 Dec 2015 15:51:09 +0100
Subject: [PATCH] ldap: remove originalMeberOf if there is no memberOf

Since originalMemerberOf is not mapped directly to an original attribute and is handled specially it is not automatically removed if there is no memberOf in the original object anymore. This patch put originalMemerberOf on the list of attribute which should be removed in that case.

Resolves https://fedorahosted.org/sssd/ticket/2917
---
 src/providers/ipa/ipa_s2n_exop.c | 12 +++++++++++-
 src/providers/ldap/ldap_common.c | 8 +++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index d101a437dfaf2829013f9e3e3705a7161c654d78..1d233cd52c18b4b6ed753bd92d186ac02ed2cb80 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1764,6 +1764,8 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
 struct sysdb_attrs *gid_override_attrs = NULL;
 char ** exop_grouplist;
 struct ldb_message *msg;
+ struct ldb_message_element *el = NULL;
+ const char *missing[] = {NULL, NULL};
 tmp_ctx = talloc_new(NULL);
 if (tmp_ctx == NULL) {
@@ -1993,6 +1995,12 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
 }
 }
+ ret = sysdb_attrs_get_el_ext(attrs->sysdb_attrs,
+ SYSDB_ORIG_MEMBEROF, false, &el);
+ if (ret == ENOENT) {
+ missing[0] = SYSDB_ORIG_MEMBEROF;
+ }
+
 ret = sysdb_transaction_start(dom->sysdb);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
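Review bot: Only `ENOENT` is acted on after `sysdb_attrs_get_el_ext()` in the second ipa_s2n_exop.c hunk; any other non-EOK result is overwritten by the following `ret = sysdb_transaction_start(dom->sysdb);`, so a failed lookup silently leaves the old originalMemberOf value in the cache. Cached group membership can feed access decisions, so I would make that case explicit, for example `} else if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_el_ext failed.\n"); goto done; }`, assuming the function has its usual `done` cleanup label (not visible here). `el`, declared in the first hunk, is only an out-parameter and is never read in the visible lines; a one-line comment saying so would save the next reader a search. The body of ipa_s2n_save_objects starts and ends outside both hunks.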
@@ -2004,7 +2012,9 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
 attrs->a.user.pw_uid, gid, attrs->a.user.pw_gecos, attrs->a.user.pw_dir, attrs->a.user.pw_shell,
- NULL, attrs->sysdb_attrs, NULL,
+ NULL, attrs->sysdb_attrs,
+ missing[0] == NULL ? NULL
+ : discard_const(missing),
 dom->user_timeout, now);
 if (ret == EEXIST && dom->mpg == true) {
 /* This handles the case where getgrgid() was called for
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 35de9c0a7929990fbf7a7a194fac3c8e0c9c31f2..27b62a6354229bc2016c323e16c940280f6f791a 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -780,7 +780,7 @@ errno_t list_missing_attrs(TALLOC_CTX *mem_ctx,
 /* Allocate the maximum possible values for missing_attrs, to
 * be on the safe side */
- missing = talloc_array(tmp_ctx, char *, attr_count);
+ missing = talloc_array(tmp_ctx, char *, attr_count + 2);
 if (!missing) {
 ret = ENOMEM;
 goto done;
@@ -831,6 +831,12 @@ errno_t list_missing_attrs(TALLOC_CTX *mem_ctx,
 /* Attribute could not be found. Add to the missing list */
 missing[k] = talloc_steal(missing, sysdb_name);
 k++;
+
+ /* Remove originalMemberOf as well if MemberOf is missing */
+ if (strcmp(sysdb_name, SYSDB_MEMBEROF) == 0) {
+ missing[k] = talloc_strdup(missing, SYSDB_ORIG_MEMBEROF);
+ k++;
+ }
 }
 }
--
2.1.0
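Review bot: The `discard_const(missing)` argument to the store call in the `@@ -2004` hunk casts away const on a stack array whose only entry is the `SYSDB_ORIG_MEMBEROF` constant, which is safe only while the callee never writes through its remove-attributes parameter. That contract is not visible in this hunk, so I would state it next to the call, e.g. `/* remove list is read-only for the callee; NULL-terminated by the initializer */`. Hoisting the ternary into a named local such as `remove_attrs` before the call would also keep the argument list readable. The call and its enclosing function begin outside the hunk.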
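Review bot: The `+ 2` in `talloc_array(tmp_ctx, char *, attr_count + 2)` is unexplained, and the comment directly above it ("Allocate the maximum possible values ... to be on the safe side") no longer says what the bound actually is. In the visible lines `missing[k]` is written with no bounds check, so this sizing argument is the only thing keeping those writes inside the array and it should be stated. If the intent is one extra slot for the originalMemberOf entry plus a terminator, say so: `/* attr_count map entries, +1 for SYSDB_ORIG_MEMBEROF added alongside SYSDB_MEMBEROF, +1 for the NULL terminator */`. The loop that fills the array lies outside this hunk, so please confirm that SYSDB_MEMBEROF can match at most once per call.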
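Review bot: The result of `talloc_strdup(missing, SYSDB_ORIG_MEMBEROF)` in the `@@ -831` hunk is stored and `k` advanced without a NULL check. On allocation failure this places a NULL in the middle of the list; if consumers treat the list as NULL-terminated (the `{NULL, NULL}` initializer in ipa_s2n_exop.c suggests that convention), every attribute added after it would silently be skipped and stay in the cache. The same function already bails out with ENOMEM after `talloc_array`, so I would add `if (missing[k] == NULL) { ret = ENOMEM; goto done; }` between the strdup and `k++`. The enclosing loop and the `done` label are outside the hunk.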