rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity
90796e1d08
ipa/SOURCES/0038-sidgen-ignore-staged-users-when-generating-SIDs.patch
Eduard Abdullin 90796e1d08 - ipatests: restart ipa services after moving date 
- ipatests: ignore nsslapd-accesslog-logbuffering WARN in healthcheck
- ipatests: Skip ds_encryption tests on RHEL9 SUT.
- adtrustinstance: make sure NetBIOS name defaults are set properly
- ipatests: wait for replica update in test_dns_locations
- ipapython: Clean up krb5_error
- ipapython: Correct return type of krb5_free_cred_contents
- ipapython: Propagate KRB5Error exceptions on iterating ccache
- ipa-kdb: Fix memory leak during PAC verification
- sidgen: ignore staged users when generating SIDs
- sidgen: fix missing prototypes
- kdb: PAC generator: do not fail if canonical principal is missing
- ipatests: fix tasks.wait_for_replication method
- ipa-kdb: Rework ipadb_reinit_mspac()
- ipa-kdb: Fix double free in ipadb_reinit_mspac()
2024-03-15 16:36:19 +03:00

81 lines
2.8 KiB
Diff
Raw Blame History

From d4008aece36569131b6e81192cc7d7dfa9f9af2b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Jan 31 2024 08:33:17 +0000
Subject: sidgen: ignore staged users when generating SIDs
Staged users have
uidNumber: -1
gidNumber: -1
ipaUniqueID: autogenerate
We cannot generate ipaSecurityIdentifier based on those UID/GID numbers.
However, '-1' value will trigger an error
find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 483]: ID value too large.
And that, in turn, will cause stopping SID generation for all users.
Detect 'ipaUniqueID: autogenerate' situation and ignore these entries.
Fixes: https://pagure.io/freeipa/issue/9517
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
---
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
index 0feff7e..bd46982 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
@@ -45,6 +45,8 @@
#define UID_NUMBER "uidnumber"
#define GID_NUMBER "gidnumber"
#define IPA_SID "ipantsecurityidentifier"
+#define IPA_UNIQUEID "ipauniqueid"
+#define IPA_UNIQUEID_AUTOGENERATE "autogenerate"
#define DOM_ATTRS_FILTER OBJECTCLASS"=ipantdomainattrs"
#define DOMAIN_ID_RANGE_FILTER OBJECTCLASS"=ipadomainidrange"
#define POSIX_ACCOUNT "posixaccount"
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
index 6f78480..cb763eb 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
@@ -454,6 +454,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
uint32_t id;
char *sid = NULL;
char **objectclasses = NULL;
+ char *uniqueid = NULL;
Slapi_PBlock *mod_pb = NULL;
Slapi_Mods *smods = NULL;
int result;
@@ -479,6 +480,16 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
goto done;
}
+ uniqueid = slapi_entry_attr_get_charptr(entry, IPA_UNIQUEID);
+ if (uniqueid != NULL &&
+ strncmp(IPA_UNIQUEID_AUTOGENERATE, uniqueid,
+ sizeof(IPA_UNIQUEID_AUTOGENERATE)) == 0) {
+ LOG("Staged entry [%s] does not have Posix IDs, nothing to do.\n",
+ dn_str);
+ ret = 0;
+ goto done;
+ }
+
if (uid_number >= UINT32_MAX || gid_number >= UINT32_MAX) {
LOG_FATAL("ID value too large.\n");
ret = LDAP_CONSTRAINT_VIOLATION;
@@ -554,6 +565,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
}
done:
+ slapi_ch_free_string(&uniqueid);
slapi_ch_free_string(&sid);
slapi_pblock_destroy(mod_pb);
slapi_mods_free(&smods);
Reference in New Issue View Git Blame Copy Permalink