rpms/sssd
7
0
Fork 0
Code Issues Pull Requests Releases Activity
18ae44bc79
sssd/0073-IPA-use-cache-searches-in-get_groups_dns.patch

70 lines
3.0 KiB
Diff
Raw Normal View History

Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout Resolves: upstream#3588 - sssd_nss consumes more memory until restarted or machine swaps Resolves: failure in glibc tests https://sourceware.org/bugzilla/show_bug.cgi?id=22530 Resolves: upstream#3451 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds Resolves: upstream#3285 - SSSD needs restart after incorrect clock is corrected with AD Resolves: upstream#3586 - Give a more detailed debug and system-log message if krb5_init_context() failed Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet in /etc/systemd/system Backport few upstream features from 1.16.1
2017-12-04 20:33:29 +00:00
From d1d62630e1d1c6a88fe4bf8612cb4f9a2fff7181 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Nov 2017 16:41:29 +0100
Subject: [PATCH 73/79] IPA: use cache searches in get_groups_dns()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the group name is overridden in the default view we have to search
for the name and cannot construct it because the extdom plugin will
return the overridden name but the DN of the related group object in the
cache will contain the original name.
Related to https://pagure.io/SSSD/sssd/issue/3579
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index c6132f509dcc8e7af84e03e8bfe20701107d1392..49c393e9a1eb19ab683949cf633a6838274bc0fe 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -2038,6 +2038,7 @@ static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
int c;
struct sss_domain_info *root_domain;
char **dn_list;
+ struct ldb_message *msg;
if (name_list == NULL) {
*_dn_list = NULL;
@@ -2082,15 +2083,25 @@ static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
goto done;
}
- /* This might fail if some unexpected cases are used. But current
- * sysdb code which handles group membership constructs DNs this way
- * as well, IPA names are lowercased and AD names by default will be
- * lowercased as well. If there are really use-cases which cause an
- * issue here, sysdb_group_strdn() has to be replaced by a proper
- * search. */
- dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
+ /* If the group name is overridden in the default view we have to
+ * search for the name and cannot construct it because the extdom
+ * plugin will return the overridden name but the DN of the related
+ * group object in the cache will contain the original name. */
+
+ ret = sysdb_search_group_by_name(tmp_ctx, dom, name_list[c], NULL,
+ &msg);
+ if (ret == EOK) {
+ dn_list[c] = ldb_dn_alloc_linearized(dn_list, msg->dn);
+ } else {
+ /* best effort, try to construct the DN */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "sysdb_search_group_by_name failed with [%d], "
+ "generating DN for [%s] in domain [%s].\n",
+ ret, name_list[c], dom->name);
+ dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
+ }
if (dn_list[c] == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_group_strdn failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_alloc_linearized failed.\n");
ret = ENOMEM;
goto done;
}
--
2.15.1
Reference in New Issue Copy Permalink