717b817b82
- Resolves: rhbz#2010701 ipa-server-install fails while 'configuring certificate server instance'
- Resolves: rhbz#2005864 ipa cert-request replaces user certificate instead of adding
- Resolves: rhbz#2003005 AVC denied { read } comm="ipa-custodia" on aarch64 during installation of ipa-server
- Resolves: rhbz#2003004 extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
- Resolves: rhbz#2003003 subid: subid-match displays the DN of the owner, not its UID.
- Resolves: rhbz#2013116 ipa migrate-ds command fails to warn when compat plugin is enabled
47 lines
2.0 KiB
Diff
47 lines
2.0 KiB
Diff
From 4fca95751ca32a1ed16a6d8a4e557c5799ec5c78 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Wed, 25 Aug 2021 17:10:29 +0200
|
|
Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ
|
|
|
|
If a client sends a request to lookup an object from a given trusted
|
|
domain by UID or GID and an object with matching ID is only found in a
|
|
different domain the extdom should return LDAP_NO_SUCH_OBJECT to
|
|
indicate to the client that the requested ID does not exists in the
|
|
given domain.
|
|
|
|
Resolves: https://pagure.io/freeipa/issue/8965
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
---
|
|
.../ipa-extdom-extop/ipa_extdom_common.c | 8 ++++++--
|
|
1 file changed, 6 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
|
|
index 5d97ff6137d9d660f6121f468261c6878a9aa12a..6f646b9f49ef31e1872e87640c524db972e53b6d 100644
|
|
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
|
|
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
|
|
@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
|
|
if (strcasecmp(locat+1, domain_name) == 0 ) {
|
|
locat[0] = '\0';
|
|
} else {
|
|
- ret = LDAP_INVALID_SYNTAX;
|
|
+ /* The found object is from a different domain than requested,
|
|
+ * that means it does not exist in the requested domain */
|
|
+ ret = LDAP_NO_SUCH_OBJECT;
|
|
goto done;
|
|
}
|
|
}
|
|
@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type,
|
|
if (strcasecmp(locat+1, domain_name) == 0 ) {
|
|
locat[0] = '\0';
|
|
} else {
|
|
- ret = LDAP_INVALID_SYNTAX;
|
|
+ /* The found object is from a different domain than requested,
|
|
+ * that means it does not exist in the requested domain */
|
|
+ ret = LDAP_NO_SUCH_OBJECT;
|
|
goto done;
|
|
}
|
|
}
|
|
--
|
|
2.31.1
|
|
|