author | Corinna Vinschen <corinna@vinschen.de> | 2014-05-22 14:50:24 +0000 |
---|---|---|
committer | Corinna Vinschen <corinna@vinschen.de> | 2014-05-22 14:50:24 +0000 |
commit | 03e3cf9846bece4a38aa587d6864412235b8045b (patch) | |
tree | 5e0887fa92a501387b22ed9b5dc42ae83d3c18a5 /winsup/cygwin/ldap.cc | |
parent | ece6c8e3835be50c0d4807d6a4ab95135070e714 (diff) | |
* ldap.cc (cyg_ldap::fetch_ad_account): Take additional domain string
parameter. Convert into likely rootDSE string if not NULL, and use in
subsequent call to ldap_search_stW. Add comment to explain that this
is not the exactly correct solution.
* ldap.h (cyg_ldap::fetch_ad_account): Change prototype accordingly.
* uinfo.cc (pwdgrp::fetch_account_from_windows): Always use loc_ldap
in call to fetch_posix_offset to make sure we're fetching the posix
offsets from *our* domain controller. Only set domain variable to
non-NULL if the account is from a trusted domain. Use domain in call
to cyg_ldap::fetch_ad_account.
Diffstat (limited to 'winsup/cygwin/ldap.cc')
-rw-r--r-- | winsup/cygwin/ldap.cc | 30 |
1 files changed, 25 insertions, 5 deletions
diff --git a/winsup/cygwin/ldap.cc b/winsup/cygwin/ldap.cc
index 8fde7c133..89f9b37f2 100644
--- a/winsup/cygwin/ldap.cc
+++ b/winsup/cygwin/ldap.cc
@@ -200,13 +200,14 @@ cyg_ldap::close ()
 }
 bool
-cyg_ldap::fetch_ad_account (PSID sid, bool group)
+cyg_ldap::fetch_ad_account (PSID sid, bool group, PCWSTR domain)
 {
- WCHAR filter[140], *f;
+ WCHAR filter[140], *f, *rdse = rootdse;
 LONG len = (LONG) RtlLengthSid (sid);
 PBYTE s = (PBYTE) sid;
 static WCHAR hex_wchars[] = L"0123456789abcdef";
 ULONG ret;
+ tmp_pathbuf tp;
 if (msg)
 {
@@ -226,17 +227,36 @@ cyg_ldap::fetch_ad_account (PSID sid, bool group)
 *f++ = hex_wchars[*s++ & 0xf];
 }
 wcpcpy (f, L")");
+ if (domain)
+ {
+ /* FIXME: This is a hack. The most correct solution is probably to
+ open a connection to the DC of the trusted domain. But this always
+ takes extra time, so we're trying to avoid it. If this results in
+ problems, we know what to do. */
+ rdse = tp.w_get ();
+ PWCHAR r = rdse;
+ for (PWCHAR dotp = (PWCHAR) domain; dotp && *dotp; domain = dotp)
+ {
+ dotp = wcschr (domain, L'.');
+ if (dotp)
+ *dotp++ = L'\0';
+ if (r > rdse)
+ *r++ = L',';
+ r = wcpcpy (r, L"DC=");
+ r = wcpcpy (r, domain);
+ }
+ }
 attr = group ? group_attr : user_attr;
- if ((ret = ldap_search_stW (lh, rootdse, LDAP_SCOPE_SUBTREE, filter,
+ if ((ret = ldap_search_stW (lh, rdse, LDAP_SCOPE_SUBTREE, filter,
 attr, 0, &tv, &msg)) != LDAP_SUCCESS)
 {
 debug_printf ("ldap_search_stW(%W,%W) error 0x%02x",
- rootdse, filter, ret);
+ rdse, filter, ret);
 return false;
 }
 if (!(entry = ldap_first_entry (lh, msg)))
 {
- debug_printf ("No entry for %W in rootdse %W", filter, rootdse);
+ debug_printf ("No entry for %W in rootdse %W", filter, rdse);
 return false;
 }
 return true;
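Review bot: The new `if (domain)` block in the second hunk writes through the `PCWSTR domain` parameter: the `for` header casts it to `PWCHAR` and `*dotp++ = L'\0'` overwrites every dot in the caller's string, so the caller's domain name is truncated to its first label after the call and the write is undefined behaviour if the string is ever actually const (a literal or read-only buffer). The label splitting should be done with read-only pointers and lengths, copying each label into the `tp` buffer, so that `domain` is left untouched and the `(PWCHAR)` cast disappears. The labels are also copied into the search base verbatim with no RFC 4514 DN escaping; that is presumably fine while `domain` only ever comes from the OS's trusted-domain information, but it is worth a one-line comment stating that assumption. The function's signature and the rest of its body lie outside this hunk (the signature change is in the first hunk).

```cpp
      rdse = tp.w_get ();
      PWCHAR r = rdse;
      /* Walk the dotted domain name label by label without modifying it. */
      for (PCWSTR lbl = domain; lbl && *lbl; )
	{
	  PCWSTR dot = wcschr (lbl, L'.');
	  size_t n = dot ? (size_t) (dot - lbl) : wcslen (lbl);
	  if (r > rdse)
	    *r++ = L',';
	  r = wcpcpy (r, L"DC=");
	  r = wmemcpy (r, lbl, n) + n;
	  *r = L'\0';
	  lbl = dot ? dot + 1 : NULL;
	}
      /* … unchanged: attr selection and ldap_search_stW call … */
```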