From ae664ccc43e22bc01c0c168f0fe77633b368cc3d Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Wed, 1 Feb 2012 14:22:00 -0500
Subject: [PATCH] Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for new LDAP features
---
 ...-if-RootDSE-check-cannot-determine-s.patch | 214 ++++++++++++++++++
 sssd.spec | 10 +-
 2 files changed, 222 insertions(+), 2 deletions(-)
 create mode 100644 0001-LDAP-Do-not-fail-if-RootDSE-check-cannot-determine-s.patch
diff --git a/0001-LDAP-Do-not-fail-if-RootDSE-check-cannot-determine-s.patch b/0001-LDAP-Do-not-fail-if-RootDSE-check-cannot-determine-s.patch
new file mode 100644
index 0000000..ef4212e
--- /dev/null
+++ b/0001-LDAP-Do-not-fail-if-RootDSE-check-cannot-determine-s.patch
@@ -0,0 +1,214 @@
+From 942714ed5a3ae23e291de2498f947de4bca57456 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Wed, 1 Feb 2012 14:03:36 -0500
+Subject: [PATCH] LDAP: Do not fail if RootDSE check cannot determine search
+ bases
+
+https://fedorahosted.org/sssd/ticket/1152
+
+Conflicts:
+
+ src/providers/ldap/sdap_async_services.c
+---
+ src/providers/ipa/ipa_netgroups.c | 7 +++++
+ src/providers/ldap/sdap.c | 7 ++++-
+ src/providers/ldap/sdap_async_groups.c | 9 +++++++
+ src/providers/ldap/sdap_async_initgroups.c | 35 +++++++++++++++++++++++++++-
+ src/providers/ldap/sdap_async_users.c | 9 +++++++
+ src/providers/ldap/sdap_sudo.c | 9 +++++++
+ 6 files changed, 74 insertions(+), 2 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
+index 78bcee1b44fec3c8d04fc5ba13b46db26396d1b1..7da1147c7d6fd1dec8872209e442ae99ee810aa1 100644
+--- a/src/providers/ipa/ipa_netgroups.c
++++ b/src/providers/ipa/ipa_netgroups.c
+@@ -209,6 +209,13 @@ struct tevent_req *ipa_get_netgroups_send(TALLOC_CTX *memctx,
+ state->base_filter = filter;
+ state->netgr_base_iter = 0;
+ 
++ if (!ipa_options->id->netgroup_search_bases) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ ("Netgroup lookup request without a search base\n"));
++ ret = EINVAL;
++ goto done;
++ }
++
+ ret = sss_hash_create(state, 32, &state->new_netgroups);
+ if (ret != EOK) goto done;
+ ret = sss_hash_create(state, 32, &state->new_users);
+diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
+index 3ca2e286146e1e88b1fd7abef341fa8c3aa699ad..2b29116949b2f8efae269a994a0f3da64a0ee612 100644
+--- a/src/providers/ldap/sdap.c
++++ b/src/providers/ldap/sdap.c
+@@ -748,7 +748,12 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
+ naming_context = get_naming_context(opts->basic, rootdse);
+ if (naming_context == NULL) {
+ DEBUG(1, ("get_naming_context failed.\n"));
+- ret = EINVAL;
++
++ /* This has to be non-fatal, since some servers offer
++ * multiple 
namingContexts entries. We will just
++ * add NULL checks for the search bases in the lookups.
++ */
++ ret = EOK;
+ goto done;
+ }
+ }
+diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
+index e59640997d78db525a98a63cd230d2bc1a74d1a1..fe5dbd49a159c0ca4f57d60b7f69a8792e9a42c9 100644
+--- a/src/providers/ldap/sdap_async_groups.c
++++ b/src/providers/ldap/sdap_async_groups.c
+@@ -1217,7 +1217,16 @@ struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx,
+ state->base_iter = 0;
+ state->search_bases = search_bases;
+ 
++ if (!search_bases) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ ("Group lookup request without a search base\n"));
++ ret = EINVAL;
++ goto done;
++ }
++
+ ret = sdap_get_groups_next_base(req);
++
++done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
+index 73ab25ea79cd66ff5fe7131ee7606cf71aa382e5..a769b100557b2d685cb022f09bea0d70ccfe3bb3 100644
+--- a/src/providers/ldap/sdap_async_initgroups.c
++++ b/src/providers/ldap/sdap_async_initgroups.c
+@@ -303,6 +303,13 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
+ state->base_iter = 0;
+ state->search_bases = opts->group_search_bases;
+ 
++ if (!state->search_bases) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ ("Initgroups lookup request without a group search base\n"));
++ ret = EINVAL;
++ goto done;
++ }
++
+ state->name = talloc_strdup(state, name);
+ if (!state->name) {
+ talloc_zfree(req);
+@@ -337,6 +344,8 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
+ talloc_zfree(clean_name);
+ 
+ ret = sdap_initgr_rfc2307_next_base(req);
++
++done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+@@ -1432,6 +1441,13 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
+ state->base_iter = 0;
+ state->search_bases = opts->group_search_bases;
+ 
++ if (!state->search_bases) {
++ 
DEBUG(SSSDBG_CRIT_FAILURE,
++ ("Initgroups lookup request without a group search base\n"));
++ ret = EINVAL;
++ goto done;
++ }
++
+ ret = sss_hash_create(state, 32, &state->group_hash);
+ if (ret != EOK) {
+ talloc_free(req);
+@@ -2006,9 +2022,17 @@ struct tevent_req *rfc2307bis_nested_groups_send(
+ SDAP_SEARCH_TIMEOUT);
+ state->base_iter = 0;
+ state->search_bases = opts->group_search_bases;
+-
++ if (!state->search_bases) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ ("Initgroups nested lookup request "
++ "without a group search base\n"));
++ ret = EINVAL;
++ goto done;
++ }
+ 
+ ret = rfc2307bis_nested_groups_step(req);
++
++done:
+ if (ret == EOK) {
+ /* All parent groups were already processed */
+ tevent_req_done(req);
+@@ -2378,9 +2402,16 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
+ state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
+ state->user_base_iter = 0;
+ state->user_search_bases = id_ctx->opts->user_search_bases;
++ if (!state->user_search_bases) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ ("Initgroups lookup request without a user search base\n"));
++ ret = EINVAL;
++ goto done;
++ }
+ 
+ ret = sss_filter_sanitize(state, name, &clean_name);
+ if (ret != EOK) {
++ talloc_zfree(req);
+ return NULL;
+ }
+ 
+@@ -2402,6 +2433,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
+ }
+ 
+ ret = sdap_get_initgr_next_base(req);
++
++done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
+index ac856a64208cb87994f676ab50fdba6d82dbcb50..01168321951fa9d14f4b58d891cb922c6c44d2c2 100644
+--- a/src/providers/ldap/sdap_async_users.c
++++ b/src/providers/ldap/sdap_async_users.c
+@@ -434,7 +434,16 @@ struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx,
+ state->search_bases = search_bases;
+ state->enumeration = enumeration;
+ 
++ if (!state->search_bases) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ ("User lookup 
request without a search base\n"));
++ ret = EINVAL;
++ goto done;
++ }
++
+ ret = sdap_get_users_next_base(req);
++
++done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, state->ev);
+diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
+index 68cb47cd38952594d34ccc81913b7308caf9af10..aeae22eccf2a9adf3fb2fde831a3b492a6c4afb7 100644
+--- a/src/providers/ldap/sdap_sudo.c
++++ b/src/providers/ldap/sdap_sudo.c
+@@ -237,6 +237,13 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
+ state->ldap_rules = NULL;
+ state->ldap_rules_count = 0;
+ 
++ if (!state->search_bases) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ ("SUDOERS lookup request without a search base\n"));
++ ret = EINVAL;
++ goto done;
++ }
++
+ /* create filter */
+ state->filter = sdap_sudo_build_filter(state,
+ state->opts->sudorule_map,
+@@ -256,6 +263,8 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
+ 
+ /* begin search */
+ ret = sdap_sudo_load_sudoers_next_base(req);
++
++done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, sudo_ctx->be_ctx->ev);
+-- 
+1.7.7.6
+
diff --git a/sssd.spec b/sssd.spec
index 9ccaaeb..f2cd307 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -19,7 +19,7 @@
 Name: sssd
 Version: 1.7.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -29,12 +29,14 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
+Patch0001: 0001-LDAP-Do-not-fail-if-RootDSE-check-cannot-determine-s.patch
+
 ### Dependencies ###
 Conflicts: selinux-policy < 3.10.0-46
 Requires: libldb = %{ldb_version}
 Requires: libtdb >= 1.1.3
-Requires: sssd-client = %{version}-%{release}
+Requires: sssd-client%{?_isa} = %{version}-%{release}
 Requires: cyrus-sasl-gssapi
 Requires: krb5-libs >= 1.9
 Requires(post): systemd-units initscripts chkconfig /sbin/ldconfig
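Review bot: The hunk at `@@ -1432,6 +1441,13 @@` (sdap_initgr_rfc2307bis_send) adds `ret = EINVAL; goto done;` but, unlike every other function touched by this patch, adds no `done:` label; unless that function already has one whose tail does the same `tevent_req_error`/`tevent_req_post` as the others, the backport either fails to compile or takes a different cleanup path, so it is worth checking against the 1.7.0 source (the function body continues outside the hunk). The enabling change in sdap.c, `ret = EOK` when get_naming_context() fails, makes a NULL search base a legal steady state, so every lookup that reads `*_search_bases` from these options now needs the same guard; the Conflicts trailer names src/providers/ldap/sdap_async_services.c yet no hunk for that file survives in the backport, and the LDAP netgroup lookup is not touched either, so confirm that neither dereferences a NULL base in this version. The new DEBUG strings say what failed but not how to recover; appending the remedy, e.g. `("Group lookup request without a search base; autodetection failed, configure the search base explicitly\n")`, would make the failure actionable for the administrator reading the log.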
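Review bot: The `@@ -29,12 +29,14 @@` hunk declares `Patch0001:` but no `%prep` hunk applies it, so the patch only takes effect if the existing `%prep` already applies every declared patch (for example by iterating over `%patches`); if it instead lists `%patch` lines individually, the new backport is silently never applied and the package ships unchanged code under a bumped Release. Worth confirming against the unchanged part of the spec before building.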
@@ -377,6 +379,10 @@ fi
 %postun -n libipa_hbac -p /sbin/ldconfig
 %changelog
+* Wed Feb 01 2011 Stephen Gallagher - 1.7.0-2
+- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for
+ new LDAP features
+
 * Sat Jan 14 2012 Fedora Release Engineering - 1.7.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
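Review bot: The new changelog entry is inconsistent with the rest of the commit: it is dated `Wed Feb 01 2011` although the commit date and the preceding entry are from 2012 (and Feb 1 2011 was not a Wednesday), and it carries `1.7.0-2` while this same commit bumps Release to `3%{?dist}`. rpmlint will flag the incoherent version and the bogus date, and anyone reading the changelog to find which release carries the rhbz#773706 fix is pointed at the wrong one. The header should read `* Wed Feb 01 2012 Stephen Gallagher - 1.7.0-3`.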