rpms/sssd
5
0
Fork 0
Code Issues Pull Requests Releases Activity
f55e235d75
sssd/0072-ipa-check-for-SYSDB_OVERRIDE_DN-in-process_members-a.patch

254 lines
11 KiB
Diff
Raw Normal View History

Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout Resolves: upstream#3588 - sssd_nss consumes more memory until restarted or machine swaps Resolves: failure in glibc tests https://sourceware.org/bugzilla/show_bug.cgi?id=22530 Resolves: upstream#3451 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server is not allowing anonymous binds Resolves: upstream#3285 - SSSD needs restart after incorrect clock is corrected with AD Resolves: upstream#3586 - Give a more detailed debug and system-log message if krb5_init_context() failed Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet in /etc/systemd/system Backport few upstream features from 1.16.1
2017-12-04 20:33:29 +00:00
From afa3e5d8401c529dad9fb6f2e3a3f4c2aa79a977 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Nov 2017 16:12:58 +0100
Subject: [PATCH 72/79] ipa: check for SYSDB_OVERRIDE_DN in process_members and
get_group_dn_list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
process_members() and get_group_dn_list() are used on an IPA client to
determine a list of users or groups which are missing in the cache and
are needed to properly add a group or user object to the cache
respectively.
If a non-default view is assigned to the client the SYSDB_OVERRIDE_DN
must be set for all user and group objects to indicate that it was
already checked if there is an id-override defined for the object or
not. There a circumstances were SYSDB_OVERRIDE_DN is not set, e.g. after
a view name change. To make sure the cache is in a consistent state with
this patch user and group entries without SYSDB_OVERRIDE_DN are
considered as missing is a non-default view is assigned to the client.
Related to https://pagure.io/SSSD/sssd/issue/3579
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 145 ++++++++++++++++++++++-----------------
1 file changed, 83 insertions(+), 62 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 39ed17cbf0e8c523212084197e9f2963fed88dc8..c6132f509dcc8e7af84e03e8bfe20701107d1392 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1523,6 +1523,7 @@ fail:
}
static errno_t process_members(struct sss_domain_info *domain,
+ bool is_default_view,
struct sysdb_attrs *group_attrs,
char **members,
TALLOC_CTX *mem_ctx, char ***_missing_members)
@@ -1536,6 +1537,7 @@ static errno_t process_members(struct sss_domain_info *domain,
struct sss_domain_info *parent_domain;
char **missing_members = NULL;
size_t miss_count = 0;
+ const char *attrs[] = {SYSDB_NAME, SYSDB_OVERRIDE_DN, NULL};
if (members == NULL) {
DEBUG(SSSDBG_TRACE_INTERNAL, "No members\n");
@@ -1572,53 +1574,59 @@ static errno_t process_members(struct sss_domain_info *domain,
goto done;
}
- ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], NULL,
+ ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], attrs,
&msg);
- if (ret == EOK) {
- if (group_attrs != NULL) {
- dn_str = ldb_dn_get_linearized(msg->dn);
- if (dn_str == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_get_linearized failed.\n");
- ret = EINVAL;
- goto done;
- }
-
- DEBUG(SSSDBG_TRACE_ALL, "Adding member [%s][%s]\n",
- members[c], dn_str);
+ if (ret == EOK || ret == ENOENT) {
+ if (ret == ENOENT
+ || (!is_default_view
+ && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN,
+ NULL) == NULL)) {
+ /* only add ghost if the member is really missing */
+ if (group_attrs != NULL && ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_ALL, "Adding ghost member [%s]\n",
+ members[c]);
- ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_MEMBER,
- dn_str);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "sysdb_attrs_add_string_safe failed.\n");
- goto done;
+ /* There were cases where the server returned the same user
+ * multiple times */
+ ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_GHOST,
+ members[c]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_string failed.\n");
+ goto done;
+ }
}
- }
- } else if (ret == ENOENT) {
- if (group_attrs != NULL) {
- DEBUG(SSSDBG_TRACE_ALL, "Adding ghost member [%s]\n",
- members[c]);
- /* There were cases where the server returned the same user
- * multiple times */
- ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_GHOST,
- members[c]);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "sysdb_attrs_add_string failed.\n");
- goto done;
+ if (missing_members != NULL) {
+ missing_members[miss_count] = talloc_strdup(missing_members,
+ members[c]);
+ if (missing_members[miss_count] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ miss_count++;
}
- }
+ } else {
+ if (group_attrs != NULL) {
+ dn_str = ldb_dn_get_linearized(msg->dn);
+ if (dn_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_get_linearized failed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Adding member [%s][%s]\n",
+ members[c], dn_str);
- if (missing_members != NULL) {
- missing_members[miss_count] = talloc_strdup(missing_members,
- members[c]);
- if (missing_members[miss_count] == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
- ret = ENOMEM;
- goto done;
+ ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_MEMBER,
+ dn_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_string_safe failed.\n");
+ goto done;
+ }
}
- miss_count++;
}
} else {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n");
@@ -1649,6 +1657,7 @@ done:
}
static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx,
+ bool is_default_view,
struct sss_domain_info *dom,
size_t ngroups, char **groups,
struct ldb_dn ***_dn_list,
@@ -1664,6 +1673,7 @@ static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx,
size_t n_missing = 0;
struct sss_domain_info *obj_domain;
struct sss_domain_info *parent_domain;
+ const char *attrs[] = {SYSDB_NAME, SYSDB_OVERRIDE_DN, NULL};
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -1689,25 +1699,31 @@ static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = sysdb_search_group_by_name(tmp_ctx, obj_domain, groups[c], NULL,
+ ret = sysdb_search_group_by_name(tmp_ctx, obj_domain, groups[c], attrs,
&msg);
- if (ret == EOK) {
- dn_list[n_dns] = ldb_dn_copy(dn_list, msg->dn);
- if (dn_list[n_dns] == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n");
- ret = ENOMEM;
- goto done;
+ if (ret == EOK || ret == ENOENT) {
+ if (ret == ENOENT
+ || (!is_default_view
+ && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN,
+ NULL) == NULL)) {
+ missing_groups[n_missing] = talloc_strdup(missing_groups,
+ groups[c]);
+ if (missing_groups[n_missing] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ n_missing++;
+
+ } else {
+ dn_list[n_dns] = ldb_dn_copy(dn_list, msg->dn);
+ if (dn_list[n_dns] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ n_dns++;
}
- n_dns++;
- } else if (ret == ENOENT) {
- missing_groups[n_missing] = talloc_strdup(missing_groups,
- groups[c]);
- if (missing_groups[n_missing] == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
- ret = ENOMEM;
- goto done;
- }
- n_missing++;
} else {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_group_by_name failed.\n");
goto done;
@@ -1803,7 +1819,9 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
}
- ret = get_group_dn_list(state, state->dom,
+ ret = get_group_dn_list(state,
+ is_default_view(state->ipa_ctx->view_name),
+ state->dom,
attrs->ngroups, attrs->groups,
&group_dn_list, &missing_list);
if (ret != EOK) {
@@ -1832,8 +1850,10 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
}
break;
} else if (attrs->response_type == RESP_GROUP_MEMBERS) {
- ret = process_members(state->dom, NULL, attrs->a.group.gr_mem,
- state, &missing_list);
+ ret = process_members(state->dom,
+ is_default_view(state->ipa_ctx->view_name),
+ NULL, attrs->a.group.gr_mem, state,
+ &missing_list);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "process_members failed.\n");
goto done;
@@ -2572,8 +2592,9 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
}
}
- ret = process_members(dom, attrs->sysdb_attrs,
- attrs->a.group.gr_mem, NULL, NULL);
+ ret = process_members(dom, is_default_view(view_name),
+ attrs->sysdb_attrs, attrs->a.group.gr_mem,
+ NULL, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "process_members failed.\n");
goto done;
--
2.15.1
Reference in New Issue Copy Permalink