rpms/sssd
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for

Browse Source 
new LDAP features
This commit is contained in:
Stephen Gallagher 2012-02-01 14:22:00 -05:00
parent 6ec779e9e4
commit ae664ccc43
2 changed files with 222 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

214
0001-LDAP-Do-not-fail-if-RootDSE-check-cannot-determine-s.patch Normal file
View File

@ -0,0 +1,214 @@
From 942714ed5a3ae23e291de2498f947de4bca57456 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 1 Feb 2012 14:03:36 -0500
Subject: [PATCH] LDAP: Do not fail if RootDSE check cannot determine search
bases
https://fedorahosted.org/sssd/ticket/1152
Conflicts:
src/providers/ldap/sdap_async_services.c
---
src/providers/ipa/ipa_netgroups.c | 7 +++++
src/providers/ldap/sdap.c | 7 ++++-
src/providers/ldap/sdap_async_groups.c | 9 +++++++
src/providers/ldap/sdap_async_initgroups.c | 35 +++++++++++++++++++++++++++-
src/providers/ldap/sdap_async_users.c | 9 +++++++
src/providers/ldap/sdap_sudo.c | 9 +++++++
6 files changed, 74 insertions(+), 2 deletions(-)
diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
index 78bcee1b44fec3c8d04fc5ba13b46db26396d1b1..7da1147c7d6fd1dec8872209e442ae99ee810aa1 100644
--- a/src/providers/ipa/ipa_netgroups.c
+++ b/src/providers/ipa/ipa_netgroups.c
@@ -209,6 +209,13 @@ struct tevent_req *ipa_get_netgroups_send(TALLOC_CTX *memctx,
state->base_filter = filter;
state->netgr_base_iter = 0;
+ if (!ipa_options->id->netgroup_search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Netgroup lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
ret = sss_hash_create(state, 32, &state->new_netgroups);
if (ret != EOK) goto done;
ret = sss_hash_create(state, 32, &state->new_users);
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 3ca2e286146e1e88b1fd7abef341fa8c3aa699ad..2b29116949b2f8efae269a994a0f3da64a0ee612 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -748,7 +748,12 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
naming_context = get_naming_context(opts->basic, rootdse);
if (naming_context == NULL) {
DEBUG(1, ("get_naming_context failed.\n"));
- ret = EINVAL;
+
+ /* This has to be non-fatal, since some servers offer
+ * multiple namingContexts entries. We will just
+ * add NULL checks for the search bases in the lookups.
+ */
+ ret = EOK;
goto done;
}
}
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index e59640997d78db525a98a63cd230d2bc1a74d1a1..fe5dbd49a159c0ca4f57d60b7f69a8792e9a42c9 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1217,7 +1217,16 @@ struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx,
state->base_iter = 0;
state->search_bases = search_bases;
+ if (!search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Group lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
ret = sdap_get_groups_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, ev);
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 73ab25ea79cd66ff5fe7131ee7606cf71aa382e5..a769b100557b2d685cb022f09bea0d70ccfe3bb3 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -303,6 +303,13 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
state->base_iter = 0;
state->search_bases = opts->group_search_bases;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Initgroups lookup request without a group search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
state->name = talloc_strdup(state, name);
if (!state->name) {
talloc_zfree(req);
@@ -337,6 +344,8 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
talloc_zfree(clean_name);
ret = sdap_initgr_rfc2307_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, ev);
@@ -1432,6 +1441,13 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
state->base_iter = 0;
state->search_bases = opts->group_search_bases;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Initgroups lookup request without a group search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
ret = sss_hash_create(state, 32, &state->group_hash);
if (ret != EOK) {
talloc_free(req);
@@ -2006,9 +2022,17 @@ struct tevent_req *rfc2307bis_nested_groups_send(
SDAP_SEARCH_TIMEOUT);
state->base_iter = 0;
state->search_bases = opts->group_search_bases;
-
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Initgroups nested lookup request "
+ "without a group search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
ret = rfc2307bis_nested_groups_step(req);
+
+done:
if (ret == EOK) {
/* All parent groups were already processed */
tevent_req_done(req);
@@ -2378,9 +2402,16 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
state->user_base_iter = 0;
state->user_search_bases = id_ctx->opts->user_search_bases;
+ if (!state->user_search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Initgroups lookup request without a user search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
ret = sss_filter_sanitize(state, name, &clean_name);
if (ret != EOK) {
+ talloc_zfree(req);
return NULL;
}
@@ -2402,6 +2433,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
}
ret = sdap_get_initgr_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, ev);
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index ac856a64208cb87994f676ab50fdba6d82dbcb50..01168321951fa9d14f4b58d891cb922c6c44d2c2 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -434,7 +434,16 @@ struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx,
state->search_bases = search_bases;
state->enumeration = enumeration;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("User lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
ret = sdap_get_users_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, state->ev);
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index 68cb47cd38952594d34ccc81913b7308caf9af10..aeae22eccf2a9adf3fb2fde831a3b492a6c4afb7 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -237,6 +237,13 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
state->ldap_rules = NULL;
state->ldap_rules_count = 0;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("SUDOERS lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
/* create filter */
state->filter = sdap_sudo_build_filter(state,
state->opts->sudorule_map,
@@ -256,6 +263,8 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
/* begin search */
ret = sdap_sudo_load_sudoers_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, sudo_ctx->be_ctx->ev);
--
1.7.7.6

10
sssd.spec
View File

@ -19,7 +19,7 @@
Name: sssd Name: sssd
Version: 1.7.0 Version: 1.7.0
Release: 2%{?dist} Release: 3%{?dist}
Group: Applications/System Group: Applications/System
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPLv3+ License: GPLv3+
@ -29,12 +29,14 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ### ### Patches ###
Patch0001: 0001-LDAP-Do-not-fail-if-RootDSE-check-cannot-determine-s.patch
### Dependencies ### ### Dependencies ###
Conflicts: selinux-policy < 3.10.0-46 Conflicts: selinux-policy < 3.10.0-46
Requires: libldb = %{ldb_version} Requires: libldb = %{ldb_version}
Requires: libtdb >= 1.1.3 Requires: libtdb >= 1.1.3
Requires: sssd-client = %{version}-%{release} Requires: sssd-client%{?_isa} = %{version}-%{release}
Requires: cyrus-sasl-gssapi Requires: cyrus-sasl-gssapi
Requires: krb5-libs >= 1.9 Requires: krb5-libs >= 1.9
Requires(post): systemd-units initscripts chkconfig /sbin/ldconfig Requires(post): systemd-units initscripts chkconfig /sbin/ldconfig
@ -377,6 +379,10 @@ fi
%postun -n libipa_hbac -p /sbin/ldconfig %postun -n libipa_hbac -p /sbin/ldconfig
%changelog %changelog
* Wed Feb 01 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.7.0-2
- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for
new LDAP features
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.0-2 * Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild