Backport several patches from upstream.

- Fix a potential crash against old (pre-4.0) IPA servers
Jakub Hrozek 2014-10-22 13:09:58 +02:00
parent 1caa247c9e
commit 3161db3512
5 changed files with 225 additions and 1 deletions


@ -0,0 +1,97 @@
From c61100799c7d8e46c82a862eca3f543a4320490c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 22 Oct 2014 10:03:09 +0200
Subject: [PATCH 1/4] ipa: fix issues with older servers not supporting views
Older FreeIPA servers which do not know about the ipaAssignedIDView
attribute will return an error during the LDAP dereference request
because SSSD marks LDAP extensions as critical. In this case we keep the
view name empty and skip override lookups.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ipa/ipa_subdomains.c | 14 +++++++++++++-
src/providers/ipa/ipa_subdomains_id.c | 4 +++-
src/providers/ipa/ipa_views.c | 17 ++++++++++++-----
3 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index bedc0f1a50e8a35ea65de45247b1814c9abc0bcd..eb172fdfc05ac4e482174f01d89ad28db1498fc1 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -1002,7 +1002,19 @@ static void ipa_get_view_name_done(struct tevent_req *req)
ret = sdap_deref_search_with_filter_recv(req, ctx, &reply_count, &reply);
talloc_zfree(req);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "get_view_name request failed.\n");
+ if (ret == EOPNOTSUPP) {
+ DEBUG(SSSDBG_TRACE_FUNC, "get_view_name request failed, looks " \
+ "like server does not support views.\n");
+ ret = ipa_check_master(ctx);
+ if (ret == EAGAIN) {
+ return;
+ } else if (ret != EOK) {
+ goto done;
+ }
+
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "get_view_name request failed.\n");
+ }
goto done;
}
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 36f8b239249e5f0146610cfab148be20c39c66c2..b67006ce6e0b4bf9c794016c1dfc923ac6da3624 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -106,11 +106,13 @@ struct tevent_req *ipa_subdomain_account_send(TALLOC_CTX *memctx,
* have to check first if the request matches an override in the given
* view. But there are cases where this can be skipped and the AD object
* can be searched directly:
+ * - if no view is defined, i.e. the server does not supprt views yet
* - searches by SID: because we do not override the SID
* - if the responder does not send the EXTRA_INPUT_MAYBE_WITH_VIEW flags,
* because in this case the entry was found in the cache and the
* original value is used for the search (e.g. during cache updates) */
- if (state->ar->filter_type == BE_FILTER_SECID
+ if (state->ipa_ctx->view_name == NULL
+ || state->ar->filter_type == BE_FILTER_SECID
|| (!state->ipa_server_mode
&& state->ar->extra_value != NULL
&& strcmp(state->ar->extra_value,
diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c
index 33dbf7b1c17f188924ee7b50a77ab699f03392be..2eb77216ab9759d8b1d66fbdf0b2e90cd07a4604 100644
--- a/src/providers/ipa/ipa_views.c
+++ b/src/providers/ipa/ipa_views.c
@@ -208,16 +208,23 @@ struct tevent_req *ipa_get_ad_override_send(TALLOC_CTX *mem_ctx,
state->sdap_id_ctx = sdap_id_ctx;
state->ipa_options = ipa_options;
state->ipa_realm = ipa_realm;
- if (strcmp(view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) {
- state->ipa_view_name = IPA_DEFAULT_VIEW_NAME;
- } else {
- state->ipa_view_name = view_name;
- }
state->ar = ar;
state->dp_error = -1;
state->override_attrs = NULL;
state->filter = NULL;
+ if (view_name == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "View not defined, nothing to do.\n");
+ ret = EOK;
+ goto done;
+ }
+
+ if (strcmp(view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) {
+ state->ipa_view_name = IPA_DEFAULT_VIEW_NAME;
+ } else {
+ state->ipa_view_name = view_name;
+ }
+
state->sdap_op = sdap_id_op_create(state,
state->sdap_id_ctx->conn->conn_cache);
if (state->sdap_op == NULL) {
--
1.9.3
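Review bot: In the EOPNOTSUPP branch of ipa_get_view_name_done, the success case of ipa_check_master() (ret == EOK) falls out of the inner if, past the stray blank line and the else, and lands on the pre-existing `goto done` — presumably the intended "finish the request with the view name left empty" completion, but it reads like a missed case; a comment such as `/* EOK: server has no views, finish with view_name left unset */` in place of the blank line would make that explicit. Since this path disables override lookups for the rest of the request, it is worth checking that SSSDBG_TRACE_FUNC is visible enough for operators to notice the downgrade (I cannot tell from the hunk which error conditions the deref layer maps to EOPNOTSUPP). The comment line added in the ipa_subdomains_id.c hunk has a typo, `supprt` → `support`. ipa_get_view_name_done begins and ends outside the hunk.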


@ -0,0 +1,48 @@
From 2e39a7b8c58ed6cc6077bef490482dbbd1ed81ac Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Oct 2014 17:09:34 +0200
Subject: [PATCH 2/4] ipa: improve error reporting for extdom LDAP exop
This patch fixes a typo when calling ldap_parse_result() which prevented
the server-side error message to be used and adds a hint that more
information might be available on the server side.
Fixes: https://fedorahosted.org/sssd/ticket/2456
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 96528816a520b633f1f1caa975dee9b9515621c3..bd5c00b6a48018f8f904aaa03e8162425651b37a 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -133,7 +133,7 @@ static void ipa_s2n_exop_done(struct sdap_op *op,
}
ret = ldap_parse_result(state->sh->ldap, reply->msg,
- &result, &errmsg, NULL, NULL,
+ &result, NULL, &errmsg, NULL,
NULL, 0);
if (ret != LDAP_SUCCESS) {
DEBUG(SSSDBG_OP_FAILURE, "ldap_parse_result failed (%d)\n",
@@ -142,10 +142,13 @@ static void ipa_s2n_exop_done(struct sdap_op *op,
goto done;
}
- DEBUG(SSSDBG_TRACE_FUNC, "ldap_extended_operation result: %s(%d), %s\n",
- sss_ldap_err2string(result), result, errmsg);
+ DEBUG(result == LDAP_SUCCESS ? SSSDBG_TRACE_FUNC : SSSDBG_OP_FAILURE,
+ "ldap_extended_operation result: %s(%d), %s.\n",
+ sss_ldap_err2string(result), result, errmsg);
if (result != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldap_extended_operation failed, " \
+ "server logs might contain more details.\n");
ret = ERR_NETWORK_IO;
goto done;
}
--
1.9.3
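Review bot: With the argument order corrected, `errmsg` now really carries the server's diagnostic string, and it can be NULL when the server sent none; the DEBUG call then passes NULL for a `%s` conversion, which is undefined behaviour rather than a guaranteed "(null)". Guard it in the format argument, e.g. `sss_ldap_err2string(result), result, errmsg != NULL ? errmsg : "");`. The string is allocated by ldap_parse_result and must be released with ldap_memfree(); I assume the `done` label outside the hunk already does that, as the original code (which always received NULL here) may not have needed it. ipa_s2n_exop_done begins and ends outside the hunk.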


@ -0,0 +1,31 @@
From 13262a18f804638b40213a865e0a72e33123ccf1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 14 Oct 2014 16:52:04 +0200
Subject: [PATCH 3/4] ipa_subdomains_handler_master_done: initialize
reply_count
This patch should mainly silence a false-positive Coverity warning but
since further processing depends on this variable I think it is a good
idea anyways.
Reviewed-by: Pavel Reichl <preichl@redhat.com>
---
src/providers/ipa/ipa_subdomains.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index eb172fdfc05ac4e482174f01d89ad28db1498fc1..c61c1c666908ec23f8a92e5568222e55ec47be0a 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -1276,7 +1276,7 @@ static void ipa_subdomains_handler_master_done(struct tevent_req *req)
{
errno_t ret;
int dp_error = DP_ERR_FATAL;
- size_t reply_count;
+ size_t reply_count = 0;
struct sysdb_attrs **reply = NULL;
struct ipa_subdomains_req_ctx *ctx;
--
1.9.3


@ -0,0 +1,40 @@
From 7bdd47bfbb558d948dd2afce0ae53d22046067ef Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 14 Oct 2014 14:15:25 +0200
Subject: [PATCH 4/4] IPA: Handle NULL members in process_members()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index bd5c00b6a48018f8f904aaa03e8162425651b37a..2c31120b196353df52c87ef5b924a80bda134a17 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1196,6 +1196,11 @@ static errno_t process_members(struct sss_domain_info *domain,
struct sss_domain_info *obj_domain;
struct sss_domain_info *parent_domain;
+ if (members == NULL) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "No members\n");
+ return EOK;
+ }
+
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
@@ -1731,6 +1736,7 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
goto done;
}
}
+ DEBUG(SSSDBG_TRACE_FUNC, "Processing group %s\n", name);
ret = sysdb_attrs_add_lc_name_alias(attrs->sysdb_attrs, name);
if (ret != EOK) {
--
1.9.3
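Review bot: The NULL guard at the top of process_members turns a missing member list into a successful no-op, which is not visible from the function's contract (its header is outside the hunk); a one-line comment on the definition, `/* members may be NULL (object has no members); returns EOK without touching the sysdb in that case */`, would tell callers they need not pre-check. The check is placed before tmp_ctx is allocated, so the early return leaks nothing. In the second hunk the new trace line uses `%s` with `name`; if `name` can be NULL at that point (not determinable from the hunk), the same NULL guard applies.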


@ -20,7 +20,7 @@
Name: sssd
Version: 1.12.2
Release: 1%{?dist}
Release: 2%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -29,6 +29,10 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0001: 0001-ipa-fix-issues-with-older-servers-not-supporting-vie.patch
Patch0002: 0002-ipa-improve-error-reporting-for-extdom-LDAP-exop.patch
Patch0003: 0003-ipa_subdomains_handler_master_done-initialize-reply_.patch
Patch0004: 0004-IPA-Handle-NULL-members-in-process_members.patch
### Dependencies ###
Requires: sssd-common = %{version}-%{release}
@ -845,6 +849,10 @@ fi
%postun -n libsss_idmap -p /sbin/ldconfig
%changelog
* Wed Oct 22 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.2-2
- Backport several patches from upstream.
- Fix a potential crash against old (pre-4.0) IPA servers
* Mon Oct 20 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.2-1
- New upstream release 1.12.2
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.12.2