File 0005-LDAP-tokengroups_do_not_work_with_id_provider=ldap.patch of Package sssd.openSUSE_Leap_42.1_Update

From deb0cc874606db31f454531c03d381fe0de76bd6 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl@redhat.com>
Date: Tue, 17 Jun 2014 17:16:14 +0100
Subject: LDAP: tokengroups do not work with id_provider=ldap

With plain LDAP provider we already have a sdap_handle, so it should be possible
that in the case where sdom->pvt == NULL sdap_id_op_connect_send() can be
skipped and sdap_get_ad_tokengroups_send() can be already send with the
sdap_handle passed to sdap_ad_tokengroups_initgr_mapping_send(). So we should
only fail if sdom->pvt == NULL and sh == NULL.

if find_subdomain_by_sid() failed we can check if there is only one domain in
the domain list (state->domain) and in this case continue with this domain since
the LDAP provider does not know about sub-domains and hence can only have one
configured domain.

Resolves:
https://fedorahosted.org/sssd/ticket/2345

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b12e2500237f33c44807d7e5b377ec06007c7252)
---
 src/providers/ldap/sdap_async_groups.c        |  5 +-
 src/providers/ldap/sdap_async_initgroups_ad.c | 82 +++++++++++++++++++++++----
 src/util/domain_info_utils.c                  | 14 +++++
 src/util/util.h                               |  5 ++
 4 files changed, 93 insertions(+), 13 deletions(-)

Index: sssd-1.11.5.1/src/providers/ldap/sdap_async_groups.c
===================================================================
--- sssd-1.11.5.1.orig/src/providers/ldap/sdap_async_groups.c
+++ sssd-1.11.5.1/src/providers/ldap/sdap_async_groups.c
@@ -491,7 +491,8 @@ static int sdap_save_group(TALLOC_CTX *m
     /* If this object has a SID available, we will determine the correct
      * domain by its SID. */
     if (sid_str != NULL) {
-        subdomain = find_subdomain_by_sid(get_domains_head(dom), sid_str);
+        subdomain = sss_get_domain_by_sid_ldap_fallback(get_domains_head(dom),
+                                                        sid_str);
         if (subdomain) {
             dom = subdomain;
         } else {
@@ -515,7 +516,7 @@ static int sdap_save_group(TALLOC_CTX *m
             goto done;
         }
 
-        DEBUG(SSSDBG_TRACE_ALL, ("AD group [%s] has type flags %#x.",
+        DEBUG(SSSDBG_TRACE_ALL, ("AD group [%s] has type flags %#x.\n",
                                  group_name, ad_group_type));
         /* Only security groups from AD are considered for POSIX groups.
          * Additionally only global and universal group are taken to account
Index: sssd-1.11.5.1/src/providers/ldap/sdap_async_initgroups_ad.c
===================================================================
--- sssd-1.11.5.1.orig/src/providers/ldap/sdap_async_initgroups_ad.c
+++ sssd-1.11.5.1/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -608,7 +608,9 @@ static errno_t sdap_ad_resolve_sids_step
         }
         state->index++;
 
-        domain = find_subdomain_by_sid(state->domain, state->current_sid);
+        domain = sss_get_domain_by_sid_ldap_fallback(state->domain,
+                                                     state->current_sid);
+
         if (domain == NULL) {
             DEBUG(SSSDBG_MINOR_FAILURE, ("SID %s does not belong to any known "
                                          "domain\n", state->current_sid));
@@ -698,6 +700,15 @@ struct sdap_ad_tokengroups_initgr_mappin
 static void
 sdap_ad_tokengroups_initgr_mapping_connect_done(struct tevent_req *subreq);
 static void sdap_ad_tokengroups_initgr_mapping_done(struct tevent_req *subreq);
+static errno_t handle_missing_pvt(TALLOC_CTX *mem_ctx,
+                                  struct tevent_context *ev,
+                                  struct sdap_options *opts,
+                                  const char *orig_dn,
+                                  int timeout,
+                                  const char *username,
+                                  struct sdap_handle *sh,
+                                  struct tevent_req *req,
+                                  tevent_req_fn callback);
 
 static struct tevent_req *
 sdap_ad_tokengroups_initgr_mapping_send(TALLOC_CTX *mem_ctx,
@@ -740,11 +751,18 @@ sdap_ad_tokengroups_initgr_mapping_send(
 
     sdom = sdap_domain_get(opts, domain);
     if (sdom == NULL || sdom->pvt == NULL) {
-        DEBUG(SSSDBG_CRIT_FAILURE, ("No ID ctx available for [%s].\n",
-                                    domain->name));
-        ret = EINVAL;
-        goto immediately;
+        ret = handle_missing_pvt(mem_ctx, ev, opts, orig_dn, timeout,
+                                 state->username, sh, req,
+                                 sdap_ad_tokengroups_initgr_mapping_done);
+        if (ret == EOK) {
+            return req;
+        } else {
+            DEBUG(SSSDBG_CRIT_FAILURE, ("No ID ctx available for [%s].\n",
+                  domain->name));
+            goto immediately;
+        }
     }
+
     subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
     state->op = sdap_id_op_create(state, subdom_id_ctx->ldap_ctx->conn_cache);
     if (!state->op) {
@@ -879,7 +897,7 @@ static void sdap_ad_tokengroups_initgr_m
             continue;
         }
 
-        domain = find_subdomain_by_sid(get_domains_head(state->domain), sid);
+        domain = sss_get_domain_by_sid_ldap_fallback(state->domain, sid);
         if (domain == NULL) {
             DEBUG(SSSDBG_MINOR_FAILURE, ("Domain not found for SID %s\n", sid));
             continue;
@@ -1036,10 +1054,16 @@ sdap_ad_tokengroups_initgr_posix_send(TA
 
     sdom = sdap_domain_get(opts, domain);
     if (sdom == NULL || sdom->pvt == NULL) {
-        DEBUG(SSSDBG_CRIT_FAILURE, ("No ID ctx available for [%s].\n",
-                                    domain->name));
-        ret = EINVAL;
-        goto immediately;
+        ret = handle_missing_pvt(mem_ctx, ev, opts, orig_dn, timeout,
+                                 state->username, sh, req,
+                                 sdap_ad_tokengroups_initgr_posix_tg_done);
+        if (ret == EOK) {
+            return req;
+        } else {
+            DEBUG(SSSDBG_CRIT_FAILURE, ("No ID ctx available for [%s].\n",
+                  domain->name));
+            goto immediately;
+        }
     }
     subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
     state->op = sdap_id_op_create(state, subdom_id_ctx->ldap_ctx->conn_cache);
@@ -1169,7 +1193,7 @@ sdap_ad_tokengroups_initgr_posix_tg_done
         sid = sids[i];
         DEBUG(SSSDBG_TRACE_LIBS, ("Processing membership SID [%s]\n", sid));
 
-        domain = find_subdomain_by_sid(get_domains_head(state->domain), sid);
+        domain = sss_get_domain_by_sid_ldap_fallback(state->domain, sid);
         if (domain == NULL) {
             DEBUG(SSSDBG_MINOR_FAILURE, ("Domain not found for SID %s\n", sid));
             continue;
@@ -1387,3 +1411,39 @@ errno_t sdap_ad_tokengroups_initgroups_r
 
     return EOK;
 }
+
+static errno_t handle_missing_pvt(TALLOC_CTX *mem_ctx,
+                                  struct tevent_context *ev,
+                                  struct sdap_options *opts,
+                                  const char *orig_dn,
+                                  int timeout,
+                                  const char *username,
+                                  struct sdap_handle *sh,
+                                  struct tevent_req *req,
+                                  tevent_req_fn callback)
+{
+    struct tevent_req *subreq = NULL;
+    errno_t ret;
+
+    if (sh != NULL) {
+        /*  plain LDAP provider already has a sdap_handle */
+        subreq = sdap_get_ad_tokengroups_send(mem_ctx, ev, opts, sh, username,
+                                              orig_dn, timeout);
+        if (subreq == NULL) {
+            ret = ENOMEM;
+            tevent_req_error(req, ret);
+            goto done;
+        }
+
+        tevent_req_set_callback(subreq, callback, req);
+        ret = EOK;
+        goto done;
+
+    } else {
+        ret = EINVAL;
+        goto done;
+    }
+
+done:
+    return ret;
+}
Index: sssd-1.11.5.1/src/util/domain_info_utils.c
===================================================================
--- sssd-1.11.5.1.orig/src/util/domain_info_utils.c
+++ sssd-1.11.5.1/src/util/domain_info_utils.c
@@ -149,6 +149,20 @@ struct sss_domain_info *find_subdomain_b
     return NULL;
 }
 
+struct sss_domain_info*
+sss_get_domain_by_sid_ldap_fallback(struct sss_domain_info *domain,
+                                    const char* sid)
+{
+    /* LDAP provider doesn't know about sub-domains and hence can only
+     * have one configured domain
+     */
+    if (strcmp(domain->provider, "ldap") == 0) {
+        return domain;
+    } else {
+        return find_subdomain_by_sid(get_domains_head(domain), sid);
+    }
+}
+
 struct sss_domain_info *
 find_subdomain_by_object_name(struct sss_domain_info *domain,
                               const char *object_name)
Index: sssd-1.11.5.1/src/util/util.h
===================================================================
--- sssd-1.11.5.1.orig/src/util/util.h
+++ sssd-1.11.5.1/src/util/util.h
@@ -556,6 +556,11 @@ struct sss_domain_info *find_subdomain_b
                                                bool match_any);
 struct sss_domain_info *find_subdomain_by_sid(struct sss_domain_info *domain,
                                               const char *sid);
+
+struct sss_domain_info*
+sss_get_domain_by_sid_ldap_fallback(struct sss_domain_info *domain,
+                                    const char* sid);
+
 struct sss_domain_info *
 find_subdomain_by_object_name(struct sss_domain_info *domain,
                               const char *object_name);