Fix few segfaults
- Resolves: upstream #2811 - PAM responder crashed if user was not set - Resolves: upstream #2810 - sssd_be crashed in ipa_srv_ad_acct_lookup_step
This commit is contained in:
parent
1bedb06db6
commit
69b9d3f518
126
0001-PAM-only-allow-missing-user-name-for-certificate-aut.patch
Normal file
126
0001-PAM-only-allow-missing-user-name-for-certificate-aut.patch
Normal file
@ -0,0 +1,126 @@
|
||||
From c9c1296ae9a7bd75164ccc3a175c2f5d809435f9 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Thu, 1 Oct 2015 10:10:22 +0200
|
||||
Subject: [PATCH 1/3] PAM: only allow missing user name for certificate
|
||||
authentication
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Resolves:
|
||||
https://fedorahosted.org/sssd/ticket/2811
|
||||
|
||||
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
||||
(cherry picked from commit 2e76b32e74abedb23665808bacc73cafd1097c37)
|
||||
(cherry picked from commit ba9d5c0456a2fbb9adf9b4b4dffbfb190628a273)
|
||||
---
|
||||
src/responder/pam/pamsrv_cmd.c | 12 +++++++++---
|
||||
src/tests/cmocka/test_pam_srv.c | 38 ++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 47 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
||||
index 27dddcf43c1ff6eb465e1cb58d6dddf21413dcc4..2823f8133eb74d245be0750193ed842c0fdb26d3 100644
|
||||
--- a/src/responder/pam/pamsrv_cmd.c
|
||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
||||
@@ -957,11 +957,13 @@ static errno_t pam_forwarder_parse_data(struct cli_ctx *cctx, struct pam_data *p
|
||||
} else {
|
||||
/* Only SSS_PAM_PREAUTH request may have a missing name, e.g. if the
|
||||
* name is determined with the help of a certificate */
|
||||
- if (pd->cmd == SSS_PAM_PREAUTH) {
|
||||
+ if (pd->cmd == SSS_PAM_PREAUTH
|
||||
+ && may_do_cert_auth(talloc_get_type(cctx->rctx->pvt_ctx,
|
||||
+ struct pam_ctx), pd)) {
|
||||
ret = EOK;
|
||||
} else {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Missing logon name in PAM request.\n");
|
||||
- ret = EINVAL;
|
||||
+ ret = ERR_NO_CREDS;
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
@@ -1104,7 +1106,6 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
|
||||
}
|
||||
goto done;
|
||||
} else if (ret != EOK) {
|
||||
- ret = EINVAL;
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -1610,6 +1611,11 @@ static int pam_check_user_done(struct pam_auth_req *preq, int ret)
|
||||
pam_reply(preq);
|
||||
break;
|
||||
|
||||
+ case ERR_NO_CREDS:
|
||||
+ preq->pd->pam_status = PAM_CRED_INSUFFICIENT;
|
||||
+ pam_reply(preq);
|
||||
+ break;
|
||||
+
|
||||
default:
|
||||
preq->pd->pam_status = PAM_SYSTEM_ERR;
|
||||
pam_reply(preq);
|
||||
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
|
||||
index ab33433fdce8d6030331a57e2b7cbd97ce5637df..dbdc4ae08a12914481137fe8fb5a24d242d3032f 100644
|
||||
--- a/src/tests/cmocka/test_pam_srv.c
|
||||
+++ b/src/tests/cmocka/test_pam_srv.c
|
||||
@@ -623,6 +623,23 @@ static int test_pam_wrong_pw_offline_auth_check(uint32_t status,
|
||||
return test_pam_simple_check(status, body, blen);
|
||||
}
|
||||
|
||||
+static int test_pam_creds_insufficient_check(uint32_t status,
|
||||
+ uint8_t *body, size_t blen)
|
||||
+{
|
||||
+ size_t rp = 0;
|
||||
+ uint32_t val;
|
||||
+
|
||||
+ assert_int_equal(status, 0);
|
||||
+
|
||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
||||
+ assert_int_equal(val, PAM_CRED_INSUFFICIENT);
|
||||
+
|
||||
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
|
||||
+ assert_int_equal(val, 0);
|
||||
+
|
||||
+ return EOK;
|
||||
+}
|
||||
+
|
||||
static int test_pam_user_unknown_check(uint32_t status,
|
||||
uint8_t *body, size_t blen)
|
||||
{
|
||||
@@ -1127,6 +1144,25 @@ void test_pam_offline_chauthtok(void **state)
|
||||
assert_int_equal(ret, EOK);
|
||||
}
|
||||
|
||||
+void test_pam_preauth_no_logon_name(void **state)
|
||||
+{
|
||||
+ int ret;
|
||||
+
|
||||
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL);
|
||||
+
|
||||
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
|
||||
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
|
||||
+
|
||||
+ set_cmd_cb(test_pam_creds_insufficient_check);
|
||||
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
|
||||
+ pam_test_ctx->pam_cmds);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+
|
||||
+ /* Wait until the test finishes with EOK */
|
||||
+ ret = test_ev_loop(pam_test_ctx->tctx);
|
||||
+ assert_int_equal(ret, EOK);
|
||||
+}
|
||||
+
|
||||
static void set_cert_auth_param(struct pam_ctx *pctx, const char *dbpath)
|
||||
{
|
||||
pam_test_ctx->pctx->cert_auth = true;
|
||||
@@ -1432,6 +1468,8 @@ int main(int argc, const char *argv[])
|
||||
pam_test_setup, pam_test_teardown),
|
||||
cmocka_unit_test_setup_teardown(test_pam_offline_chauthtok,
|
||||
pam_test_setup, pam_test_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_pam_preauth_no_logon_name,
|
||||
+ pam_test_setup, pam_test_teardown),
|
||||
/* p11_child is not built without NSS */
|
||||
#ifdef HAVE_NSS
|
||||
cmocka_unit_test_setup_teardown(test_pam_preauth_cert_nocert,
|
||||
--
|
||||
2.5.0
|
||||
|
240
0002-AD-Provide-common-connection-list-construction-funct.patch
Normal file
240
0002-AD-Provide-common-connection-list-construction-funct.patch
Normal file
@ -0,0 +1,240 @@
|
||||
From dfa6a5468a606df968eff0ae1135f9ebb97ad9dc Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Thu, 1 Oct 2015 13:13:05 +0200
|
||||
Subject: [PATCH 2/3] AD: Provide common connection list construction functions
|
||||
|
||||
https://fedorahosted.org/sssd/ticket/2810
|
||||
|
||||
Provides a new AD common function ad_ldap_conn_list() that creates a
|
||||
list of AD connection to use along with properties to avoid mistakes
|
||||
when manually constructing these lists.
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit 309aa83d16b5919f727af04850bcd0799ba0962f)
|
||||
(cherry picked from commit 15a4b34ccfcfbcec2c9ba529d0113adf251abc16)
|
||||
---
|
||||
src/providers/ad/ad_common.c | 26 +++++++++++++++++++
|
||||
src/providers/ad/ad_common.h | 5 ++++
|
||||
src/providers/ad/ad_id.c | 17 +------------
|
||||
src/providers/ipa/ipa_subdomains_id.c | 21 ++++++----------
|
||||
src/tests/cmocka/test_ad_common.c | 47 ++++++++++++++++++++++++++++++-----
|
||||
5 files changed, 81 insertions(+), 35 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
||||
index 130cdeb613aae3843f7453a478815daaae6aab77..df277e55e234d4d4efe34d5f5d8efdfe7267fb60 100644
|
||||
--- a/src/providers/ad/ad_common.c
|
||||
+++ b/src/providers/ad/ad_common.c
|
||||
@@ -1236,6 +1236,14 @@ ad_get_dom_ldap_conn(struct ad_id_ctx *ad_ctx, struct sss_domain_info *dom)
|
||||
subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
|
||||
conn = subdom_id_ctx->ldap_ctx;
|
||||
|
||||
+ if (IS_SUBDOMAIN(sdom->dom) == true && conn != NULL) {
|
||||
+ /* Regardless of connection types, a subdomain error must not be
|
||||
+ * allowed to set the whole back end offline, rather report an error
|
||||
+ * and let the caller deal with it (normally disable the subdomain
|
||||
+ */
|
||||
+ conn->ignore_mark_offline = true;
|
||||
+ }
|
||||
+
|
||||
return conn;
|
||||
}
|
||||
|
||||
@@ -1260,3 +1268,21 @@ ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
|
||||
|
||||
return clist;
|
||||
}
|
||||
+
|
||||
+struct sdap_id_conn_ctx **
|
||||
+ad_ldap_conn_list(TALLOC_CTX *mem_ctx,
|
||||
+ struct ad_id_ctx *ad_ctx,
|
||||
+ struct sss_domain_info *dom)
|
||||
+{
|
||||
+ struct sdap_id_conn_ctx **clist;
|
||||
+
|
||||
+ clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 2);
|
||||
+ if (clist == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ clist[0] = ad_get_dom_ldap_conn(ad_ctx, dom);
|
||||
+
|
||||
+ clist[1] = NULL;
|
||||
+ return clist;
|
||||
+}
|
||||
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
|
||||
index 817f5b42cad7cad6a88244fd43bd91a4358d56c0..701e461987cb286ca7add2766ffb4dc496bde01e 100644
|
||||
--- a/src/providers/ad/ad_common.h
|
||||
+++ b/src/providers/ad/ad_common.h
|
||||
@@ -148,6 +148,11 @@ struct sdap_id_conn_ctx **
|
||||
ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
|
||||
struct sss_domain_info *dom);
|
||||
|
||||
+struct sdap_id_conn_ctx **
|
||||
+ad_ldap_conn_list(TALLOC_CTX *mem_ctx,
|
||||
+ struct ad_id_ctx *ad_ctx,
|
||||
+ struct sss_domain_info *dom);
|
||||
+
|
||||
struct sdap_id_conn_ctx *
|
||||
ad_get_dom_ldap_conn(struct ad_id_ctx *ad_ctx, struct sss_domain_info *dom);
|
||||
|
||||
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
|
||||
index ecaf6c993bf7ddb7ba565d40ef0ad250114f5536..be0cb3b12f2e3a2b53d740ecf3befc07fd853f8b 100644
|
||||
--- a/src/providers/ad/ad_id.c
|
||||
+++ b/src/providers/ad/ad_id.c
|
||||
@@ -269,29 +269,14 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
|
||||
case BE_REQ_GROUP: /* group */
|
||||
case BE_REQ_INITGROUPS: /* init groups for user */
|
||||
clist = ad_gc_conn_list(breq, ad_ctx, dom);
|
||||
- if (clist == NULL) return NULL;
|
||||
break;
|
||||
|
||||
default:
|
||||
/* Requests for other object should only contact LDAP by default */
|
||||
- clist = talloc_zero_array(breq, struct sdap_id_conn_ctx *, 2);
|
||||
- if (clist == NULL) return NULL;
|
||||
-
|
||||
- clist[0] = ad_ctx->ldap_ctx;
|
||||
- clist[1] = NULL;
|
||||
+ clist = ad_ldap_conn_list(breq, ad_ctx, dom);
|
||||
break;
|
||||
}
|
||||
|
||||
- /* Regardless of connection types, a subdomain error must not be allowed
|
||||
- * to set the whole back end offline, rather report an error and let the
|
||||
- * caller deal with it (normally disable the subdomain
|
||||
- */
|
||||
- if (IS_SUBDOMAIN(dom)) {
|
||||
- for (cindex = 0; clist[cindex] != NULL; cindex++) {
|
||||
- clist[cindex]->ignore_mark_offline = true;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
return clist;
|
||||
}
|
||||
|
||||
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
|
||||
index 8f13608bcfd2f17c27fcba7f087e1a27086a2a1c..472985d4ab4f785aa9c4af94bf8021829ca1c3c8 100644
|
||||
--- a/src/providers/ipa/ipa_subdomains_id.c
|
||||
+++ b/src/providers/ipa/ipa_subdomains_id.c
|
||||
@@ -641,21 +641,16 @@ ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
|
||||
case BE_REQ_BY_SECID:
|
||||
case BE_REQ_GROUP:
|
||||
clist = ad_gc_conn_list(req, ad_id_ctx, state->obj_dom);
|
||||
- if (clist == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto fail;
|
||||
- }
|
||||
- clist[1]->ignore_mark_offline = true;
|
||||
break;
|
||||
default:
|
||||
- clist = talloc_zero_array(req, struct sdap_id_conn_ctx *, 2);
|
||||
- if (clist == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto fail;
|
||||
- }
|
||||
- clist[0] = ad_id_ctx->ldap_ctx;
|
||||
- clist[0]->ignore_mark_offline = true;
|
||||
- clist[1] = NULL;
|
||||
+ clist = ad_ldap_conn_list(req, ad_id_ctx, state->obj_dom);
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ if (clist == NULL) {
|
||||
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot generate AD connection list!\n");
|
||||
+ ret = ENOMEM;
|
||||
+ goto fail;
|
||||
}
|
||||
|
||||
/* Now we already need ad_id_ctx in particular sdap_id_conn_ctx */
|
||||
diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
|
||||
index bc9d0940bb22cc4b11f5a5b012ac4ded338714a0..d2b59a23dfbff0bfda8ec7a52a71aec99f56baf3 100644
|
||||
--- a/src/tests/cmocka/test_ad_common.c
|
||||
+++ b/src/tests/cmocka/test_ad_common.c
|
||||
@@ -350,7 +350,7 @@ __wrap_sdap_set_sasl_options(struct sdap_options *id_opts,
|
||||
return EOK;
|
||||
}
|
||||
|
||||
-void test_ldap_conn_list(void **state)
|
||||
+void test_ad_get_dom_ldap_conn(void **state)
|
||||
{
|
||||
struct sdap_id_conn_ctx *conn;
|
||||
|
||||
@@ -365,7 +365,7 @@ void test_ldap_conn_list(void **state)
|
||||
assert_true(conn == test_ctx->subdom_ad_ctx->ldap_ctx);
|
||||
}
|
||||
|
||||
-void test_conn_list(void **state)
|
||||
+void test_gc_conn_list(void **state)
|
||||
{
|
||||
struct sdap_id_conn_ctx **conn_list;
|
||||
|
||||
@@ -392,7 +392,8 @@ void test_conn_list(void **state)
|
||||
assert_true(conn_list[0] == test_ctx->ad_ctx->gc_ctx);
|
||||
assert_true(conn_list[0]->ignore_mark_offline);
|
||||
assert_true(conn_list[1] == test_ctx->subdom_ad_ctx->ldap_ctx);
|
||||
- assert_false(conn_list[1]->ignore_mark_offline);
|
||||
+ /* Subdomain error should not set the backend offline! */
|
||||
+ assert_true(conn_list[1]->ignore_mark_offline);
|
||||
talloc_free(conn_list);
|
||||
|
||||
dp_opt_set_bool(test_ctx->ad_ctx->ad_options->basic, AD_ENABLE_GC, false);
|
||||
@@ -411,6 +412,37 @@ void test_conn_list(void **state)
|
||||
assert_non_null(conn_list);
|
||||
|
||||
assert_true(conn_list[0] == test_ctx->subdom_ad_ctx->ldap_ctx);
|
||||
+ assert_true(conn_list[0]->ignore_mark_offline);
|
||||
+ assert_null(conn_list[1]);
|
||||
+ talloc_free(conn_list);
|
||||
+}
|
||||
+
|
||||
+void test_ldap_conn_list(void **state)
|
||||
+{
|
||||
+ struct sdap_id_conn_ctx **conn_list;
|
||||
+
|
||||
+ struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
|
||||
+ struct ad_common_test_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ conn_list = ad_ldap_conn_list(test_ctx,
|
||||
+ test_ctx->ad_ctx,
|
||||
+ test_ctx->dom);
|
||||
+ assert_non_null(conn_list);
|
||||
+
|
||||
+ assert_true(conn_list[0] == test_ctx->ad_ctx->ldap_ctx);
|
||||
+ assert_false(conn_list[0]->ignore_mark_offline);
|
||||
+ assert_null(conn_list[1]);
|
||||
+ talloc_free(conn_list);
|
||||
+
|
||||
+ conn_list = ad_ldap_conn_list(test_ctx,
|
||||
+ test_ctx->ad_ctx,
|
||||
+ test_ctx->subdom);
|
||||
+ assert_non_null(conn_list);
|
||||
+
|
||||
+ assert_true(conn_list[0] == test_ctx->subdom_ad_ctx->ldap_ctx);
|
||||
+ assert_true(conn_list[0]->ignore_mark_offline);
|
||||
+ assert_null(conn_list[1]);
|
||||
talloc_free(conn_list);
|
||||
}
|
||||
|
||||
@@ -432,12 +464,15 @@ int main(int argc, const char *argv[])
|
||||
cmocka_unit_test_setup_teardown(test_ad_create_2way_trust_options,
|
||||
test_ad_common_setup,
|
||||
test_ad_common_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_ad_get_dom_ldap_conn,
|
||||
+ test_ldap_conn_setup,
|
||||
+ test_ldap_conn_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_gc_conn_list,
|
||||
+ test_ldap_conn_setup,
|
||||
+ test_ldap_conn_teardown),
|
||||
cmocka_unit_test_setup_teardown(test_ldap_conn_list,
|
||||
test_ldap_conn_setup,
|
||||
test_ldap_conn_teardown),
|
||||
- cmocka_unit_test_setup_teardown(test_conn_list,
|
||||
- test_ldap_conn_setup,
|
||||
- test_ldap_conn_teardown),
|
||||
};
|
||||
|
||||
/* Set debug level to invalid value so we can deside if -d 0 was used. */
|
||||
--
|
||||
2.5.0
|
||||
|
165
0003-AD-Consolidate-connection-list-construction-on-ad_co.patch
Normal file
165
0003-AD-Consolidate-connection-list-construction-on-ad_co.patch
Normal file
@ -0,0 +1,165 @@
|
||||
From a105c26bcc3ab1bbdbb7e0ffea0f170dd836cf1a Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Mon, 5 Oct 2015 16:11:14 +0200
|
||||
Subject: [PATCH 3/3] AD: Consolidate connection list construction on
|
||||
ad_common.c
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit afb21fd06690a0bec288a7970abf74ed2ea7dfdc)
|
||||
(cherry picked from commit f1742784d9b1cffd74f67beeb26375124183428a)
|
||||
---
|
||||
src/providers/ad/ad_common.c | 31 +++++++++++++++++++++++++++++++
|
||||
src/providers/ad/ad_common.h | 5 +++++
|
||||
src/providers/ad/ad_id.c | 18 +-----------------
|
||||
src/tests/cmocka/test_ad_common.c | 34 ++++++++++++++++++++++++++++++++++
|
||||
4 files changed, 71 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
|
||||
index df277e55e234d4d4efe34d5f5d8efdfe7267fb60..650ec41578297f7b3a59df118b71a6bb8bc6d6ed 100644
|
||||
--- a/src/providers/ad/ad_common.c
|
||||
+++ b/src/providers/ad/ad_common.c
|
||||
@@ -1286,3 +1286,34 @@ ad_ldap_conn_list(TALLOC_CTX *mem_ctx,
|
||||
clist[1] = NULL;
|
||||
return clist;
|
||||
}
|
||||
+
|
||||
+struct sdap_id_conn_ctx **
|
||||
+ad_user_conn_list(TALLOC_CTX *mem_ctx,
|
||||
+ struct ad_id_ctx *ad_ctx,
|
||||
+ struct sss_domain_info *dom)
|
||||
+{
|
||||
+ struct sdap_id_conn_ctx **clist;
|
||||
+ int cindex = 0;
|
||||
+
|
||||
+ clist = talloc_zero_array(ad_ctx, struct sdap_id_conn_ctx *, 3);
|
||||
+ if (clist == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ /* Try GC first for users from trusted domains, but go to LDAP
|
||||
+ * for users from non-trusted domains to get all POSIX attrs
|
||||
+ */
|
||||
+ if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)
|
||||
+ && IS_SUBDOMAIN(dom)) {
|
||||
+ clist[cindex] = ad_ctx->gc_ctx;
|
||||
+ clist[cindex]->ignore_mark_offline = true;
|
||||
+ cindex++;
|
||||
+ }
|
||||
+
|
||||
+ /* Users from primary domain can be just downloaded from LDAP.
|
||||
+ * The domain's LDAP connection also works as a fallback
|
||||
+ */
|
||||
+ clist[cindex] = ad_get_dom_ldap_conn(ad_ctx, dom);
|
||||
+
|
||||
+ return clist;
|
||||
+}
|
||||
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
|
||||
index 701e461987cb286ca7add2766ffb4dc496bde01e..0cefa1859aaa75731267917e66ab9a1905528e91 100644
|
||||
--- a/src/providers/ad/ad_common.h
|
||||
+++ b/src/providers/ad/ad_common.h
|
||||
@@ -153,6 +153,11 @@ ad_ldap_conn_list(TALLOC_CTX *mem_ctx,
|
||||
struct ad_id_ctx *ad_ctx,
|
||||
struct sss_domain_info *dom);
|
||||
|
||||
+struct sdap_id_conn_ctx **
|
||||
+ad_user_conn_list(TALLOC_CTX *mem_ctx,
|
||||
+ struct ad_id_ctx *ad_ctx,
|
||||
+ struct sss_domain_info *dom);
|
||||
+
|
||||
struct sdap_id_conn_ctx *
|
||||
ad_get_dom_ldap_conn(struct ad_id_ctx *ad_ctx, struct sss_domain_info *dom);
|
||||
|
||||
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
|
||||
index be0cb3b12f2e3a2b53d740ecf3befc07fd853f8b..51d378863a5c7394ca3a2b8bd72f8c131a2b02b1 100644
|
||||
--- a/src/providers/ad/ad_id.c
|
||||
+++ b/src/providers/ad/ad_id.c
|
||||
@@ -244,25 +244,10 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
|
||||
struct sss_domain_info *dom, struct be_acct_req *ar)
|
||||
{
|
||||
struct sdap_id_conn_ctx **clist;
|
||||
- int cindex = 0;
|
||||
|
||||
switch (ar->entry_type & BE_REQ_TYPE_MASK) {
|
||||
case BE_REQ_USER: /* user */
|
||||
- clist = talloc_zero_array(ad_ctx, struct sdap_id_conn_ctx *, 3);
|
||||
- if (clist == NULL) return NULL;
|
||||
-
|
||||
- /* Try GC first for users from trusted domains */
|
||||
- if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)
|
||||
- && IS_SUBDOMAIN(dom)) {
|
||||
- clist[cindex] = ad_ctx->gc_ctx;
|
||||
- clist[cindex]->ignore_mark_offline = true;
|
||||
- cindex++;
|
||||
- }
|
||||
-
|
||||
- /* Users from primary domain can be just downloaded from LDAP.
|
||||
- * The domain's LDAP connection also works as a fallback
|
||||
- */
|
||||
- clist[cindex] = ad_get_dom_ldap_conn(ad_ctx, dom);
|
||||
+ clist = ad_user_conn_list(breq, ad_ctx, dom);
|
||||
break;
|
||||
case BE_REQ_BY_SECID: /* by SID */
|
||||
case BE_REQ_USER_AND_GROUP: /* get SID */
|
||||
@@ -270,7 +255,6 @@ get_conn_list(struct be_req *breq, struct ad_id_ctx *ad_ctx,
|
||||
case BE_REQ_INITGROUPS: /* init groups for user */
|
||||
clist = ad_gc_conn_list(breq, ad_ctx, dom);
|
||||
break;
|
||||
-
|
||||
default:
|
||||
/* Requests for other object should only contact LDAP by default */
|
||||
clist = ad_ldap_conn_list(breq, ad_ctx, dom);
|
||||
diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
|
||||
index d2b59a23dfbff0bfda8ec7a52a71aec99f56baf3..b0cf4b5e6b0559c2896273bfcfb1af99cad195a3 100644
|
||||
--- a/src/tests/cmocka/test_ad_common.c
|
||||
+++ b/src/tests/cmocka/test_ad_common.c
|
||||
@@ -446,6 +446,37 @@ void test_ldap_conn_list(void **state)
|
||||
talloc_free(conn_list);
|
||||
}
|
||||
|
||||
+void test_user_conn_list(void **state)
|
||||
+{
|
||||
+ struct sdap_id_conn_ctx **conn_list;
|
||||
+
|
||||
+ struct ad_common_test_ctx *test_ctx = talloc_get_type(*state,
|
||||
+ struct ad_common_test_ctx);
|
||||
+ assert_non_null(test_ctx);
|
||||
+
|
||||
+ conn_list = ad_user_conn_list(test_ctx,
|
||||
+ test_ctx->ad_ctx,
|
||||
+ test_ctx->dom);
|
||||
+ assert_non_null(conn_list);
|
||||
+
|
||||
+ assert_true(conn_list[0] == test_ctx->ad_ctx->ldap_ctx);
|
||||
+ assert_false(conn_list[0]->ignore_mark_offline);
|
||||
+ assert_null(conn_list[1]);
|
||||
+ talloc_free(conn_list);
|
||||
+
|
||||
+ conn_list = ad_user_conn_list(test_ctx,
|
||||
+ test_ctx->ad_ctx,
|
||||
+ test_ctx->subdom);
|
||||
+ assert_non_null(conn_list);
|
||||
+
|
||||
+ assert_true(conn_list[0] == test_ctx->ad_ctx->gc_ctx);
|
||||
+ assert_true(conn_list[0]->ignore_mark_offline);
|
||||
+ assert_true(conn_list[1] == test_ctx->subdom_ad_ctx->ldap_ctx);
|
||||
+ /* Subdomain error should not set the backend offline! */
|
||||
+ assert_true(conn_list[1]->ignore_mark_offline);
|
||||
+ talloc_free(conn_list);
|
||||
+}
|
||||
+
|
||||
int main(int argc, const char *argv[])
|
||||
{
|
||||
poptContext pc;
|
||||
@@ -473,6 +504,9 @@ int main(int argc, const char *argv[])
|
||||
cmocka_unit_test_setup_teardown(test_ldap_conn_list,
|
||||
test_ldap_conn_setup,
|
||||
test_ldap_conn_teardown),
|
||||
+ cmocka_unit_test_setup_teardown(test_user_conn_list,
|
||||
+ test_ldap_conn_setup,
|
||||
+ test_ldap_conn_teardown),
|
||||
};
|
||||
|
||||
/* Set debug level to invalid value so we can deside if -d 0 was used. */
|
||||
--
|
||||
2.5.0
|
||||
|
12
sssd.spec
12
sssd.spec
@ -29,7 +29,7 @@
|
||||
|
||||
Name: sssd
|
||||
Version: 1.13.1
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -38,6 +38,9 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
|
||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||
|
||||
### Patches ###
|
||||
Patch0001: 0001-PAM-only-allow-missing-user-name-for-certificate-aut.patch
|
||||
Patch0002: 0002-AD-Provide-common-connection-list-construction-funct.patch
|
||||
Patch0003: 0003-AD-Consolidate-connection-list-construction-on-ad_co.patch
|
||||
|
||||
### Dependencies ###
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
@ -1009,7 +1012,12 @@ fi
|
||||
%{_libdir}/%{name}/modules/libwbclient.so
|
||||
|
||||
%changelog
|
||||
* Thu Oct 01 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.1-0
|
||||
* Wed Oct 07 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.1-2
|
||||
- Fix few segfaults
|
||||
- Resolves: upstream #2811 - PAM responder crashed if user was not set
|
||||
- Resolves: upstream #2810 - sssd_be crashed in ipa_srv_ad_acct_lookup_step
|
||||
|
||||
* Thu Oct 01 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.13.1-1
|
||||
- New upstream release 1.13.1
|
||||
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user