Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:Update
sssd.1801
0005-LDAP-tokengroups_do_not_work_with_id_provi...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0005-LDAP-tokengroups_do_not_work_with_id_provider=ldap.patch of Package sssd.1801
From deb0cc874606db31f454531c03d381fe0de76bd6 Mon Sep 17 00:00:00 2001 From: Pavel Reichl <preichl@redhat.com> Date: Tue, 17 Jun 2014 17:16:14 +0100 Subject: LDAP: tokengroups do not work with id_provider=ldap With plain LDAP provider we already have a sdap_handle, so it should be possible that in the case where sdom->pvt == NULL sdap_id_op_connect_send() can be skipped and sdap_get_ad_tokengroups_send() can be already send with the sdap_handle passed to sdap_ad_tokengroups_initgr_mapping_send(). So we should only fail if sdom->pvt == NULL and sh == NULL. if find_subdomain_by_sid() failed we can check if there is only one domain in the domain list (state->domain) and in this case continue with this domain since the LDAP provider does not know about sub-domains and hence can only have one configured domain. Resolves: https://fedorahosted.org/sssd/ticket/2345 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit b12e2500237f33c44807d7e5b377ec06007c7252) --- src/providers/ldap/sdap_async_groups.c | 5 +- src/providers/ldap/sdap_async_initgroups_ad.c | 82 +++++++++++++++++++++++---- src/util/domain_info_utils.c | 14 +++++ src/util/util.h | 5 ++ 4 files changed, 93 insertions(+), 13 deletions(-) Index: sssd-1.11.5.1/src/providers/ldap/sdap_async_groups.c =================================================================== --- sssd-1.11.5.1.orig/src/providers/ldap/sdap_async_groups.c +++ sssd-1.11.5.1/src/providers/ldap/sdap_async_groups.c @@ -491,7 +491,8 @@ static int sdap_save_group(TALLOC_CTX *m /* If this object has a SID available, we will determine the correct * domain by its SID. */ if (sid_str != NULL) { - subdomain = find_subdomain_by_sid(get_domains_head(dom), sid_str); + subdomain = sss_get_domain_by_sid_ldap_fallback(get_domains_head(dom), + sid_str); if (subdomain) { dom = subdomain; } else { @@ -515,7 +516,7 @@ static int sdap_save_group(TALLOC_CTX *m goto done; } - DEBUG(SSSDBG_TRACE_ALL, ("AD group [%s] has type flags %#x.", + DEBUG(SSSDBG_TRACE_ALL, ("AD group [%s] has type flags %#x.\n", group_name, ad_group_type)); /* Only security groups from AD are considered for POSIX groups. * Additionally only global and universal group are taken to account Index: sssd-1.11.5.1/src/providers/ldap/sdap_async_initgroups_ad.c =================================================================== --- sssd-1.11.5.1.orig/src/providers/ldap/sdap_async_initgroups_ad.c +++ sssd-1.11.5.1/src/providers/ldap/sdap_async_initgroups_ad.c @@ -608,7 +608,9 @@ static errno_t sdap_ad_resolve_sids_step } state->index++; - domain = find_subdomain_by_sid(state->domain, state->current_sid); + domain = sss_get_domain_by_sid_ldap_fallback(state->domain, + state->current_sid); + if (domain == NULL) { DEBUG(SSSDBG_MINOR_FAILURE, ("SID %s does not belong to any known " "domain\n", state->current_sid)); @@ -698,6 +700,15 @@ struct sdap_ad_tokengroups_initgr_mappin static void sdap_ad_tokengroups_initgr_mapping_connect_done(struct tevent_req *subreq); static void sdap_ad_tokengroups_initgr_mapping_done(struct tevent_req *subreq); +static errno_t handle_missing_pvt(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + const char *orig_dn, + int timeout, + const char *username, + struct sdap_handle *sh, + struct tevent_req *req, + tevent_req_fn callback); static struct tevent_req * sdap_ad_tokengroups_initgr_mapping_send(TALLOC_CTX *mem_ctx, @@ -740,11 +751,18 @@ sdap_ad_tokengroups_initgr_mapping_send( sdom = sdap_domain_get(opts, domain); if (sdom == NULL || sdom->pvt == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, ("No ID ctx available for [%s].\n", - domain->name)); - ret = EINVAL; - goto immediately; + ret = handle_missing_pvt(mem_ctx, ev, opts, orig_dn, timeout, + state->username, sh, req, + sdap_ad_tokengroups_initgr_mapping_done); + if (ret == EOK) { + return req; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, ("No ID ctx available for [%s].\n", + domain->name)); + goto immediately; + } } + subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx); state->op = sdap_id_op_create(state, subdom_id_ctx->ldap_ctx->conn_cache); if (!state->op) { @@ -879,7 +897,7 @@ static void sdap_ad_tokengroups_initgr_m continue; } - domain = find_subdomain_by_sid(get_domains_head(state->domain), sid); + domain = sss_get_domain_by_sid_ldap_fallback(state->domain, sid); if (domain == NULL) { DEBUG(SSSDBG_MINOR_FAILURE, ("Domain not found for SID %s\n", sid)); continue; @@ -1036,10 +1054,16 @@ sdap_ad_tokengroups_initgr_posix_send(TA sdom = sdap_domain_get(opts, domain); if (sdom == NULL || sdom->pvt == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, ("No ID ctx available for [%s].\n", - domain->name)); - ret = EINVAL; - goto immediately; + ret = handle_missing_pvt(mem_ctx, ev, opts, orig_dn, timeout, + state->username, sh, req, + sdap_ad_tokengroups_initgr_posix_tg_done); + if (ret == EOK) { + return req; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, ("No ID ctx available for [%s].\n", + domain->name)); + goto immediately; + } } subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx); state->op = sdap_id_op_create(state, subdom_id_ctx->ldap_ctx->conn_cache); @@ -1169,7 +1193,7 @@ sdap_ad_tokengroups_initgr_posix_tg_done sid = sids[i]; DEBUG(SSSDBG_TRACE_LIBS, ("Processing membership SID [%s]\n", sid)); - domain = find_subdomain_by_sid(get_domains_head(state->domain), sid); + domain = sss_get_domain_by_sid_ldap_fallback(state->domain, sid); if (domain == NULL) { DEBUG(SSSDBG_MINOR_FAILURE, ("Domain not found for SID %s\n", sid)); continue; @@ -1387,3 +1411,39 @@ errno_t sdap_ad_tokengroups_initgroups_r return EOK; } + +static errno_t handle_missing_pvt(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + const char *orig_dn, + int timeout, + const char *username, + struct sdap_handle *sh, + struct tevent_req *req, + tevent_req_fn callback) +{ + struct tevent_req *subreq = NULL; + errno_t ret; + + if (sh != NULL) { + /* plain LDAP provider already has a sdap_handle */ + subreq = sdap_get_ad_tokengroups_send(mem_ctx, ev, opts, sh, username, + orig_dn, timeout); + if (subreq == NULL) { + ret = ENOMEM; + tevent_req_error(req, ret); + goto done; + } + + tevent_req_set_callback(subreq, callback, req); + ret = EOK; + goto done; + + } else { + ret = EINVAL; + goto done; + } + +done: + return ret; +} Index: sssd-1.11.5.1/src/util/domain_info_utils.c =================================================================== --- sssd-1.11.5.1.orig/src/util/domain_info_utils.c +++ sssd-1.11.5.1/src/util/domain_info_utils.c @@ -149,6 +149,20 @@ struct sss_domain_info *find_subdomain_b return NULL; } +struct sss_domain_info* +sss_get_domain_by_sid_ldap_fallback(struct sss_domain_info *domain, + const char* sid) +{ + /* LDAP provider doesn't know about sub-domains and hence can only + * have one configured domain + */ + if (strcmp(domain->provider, "ldap") == 0) { + return domain; + } else { + return find_subdomain_by_sid(get_domains_head(domain), sid); + } +} + struct sss_domain_info * find_subdomain_by_object_name(struct sss_domain_info *domain, const char *object_name) Index: sssd-1.11.5.1/src/util/util.h =================================================================== --- sssd-1.11.5.1.orig/src/util/util.h +++ sssd-1.11.5.1/src/util/util.h @@ -556,6 +556,11 @@ struct sss_domain_info *find_subdomain_b bool match_any); struct sss_domain_info *find_subdomain_by_sid(struct sss_domain_info *domain, const char *sid); + +struct sss_domain_info* +sss_get_domain_by_sid_ldap_fallback(struct sss_domain_info *domain, + const char* sid); + struct sss_domain_info * find_subdomain_by_object_name(struct sss_domain_info *domain, const char *object_name);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor