3161db3512
- Fix a potential crash against old (pre-4.0) IPA servers
From c61100799c7d8e46c82a862eca3f543a4320490c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 22 Oct 2014 10:03:09 +0200
Subject: [PATCH 1/4] ipa: fix issues with older servers not supporting views
Older FreeIPA servers which do not know about the ipaAssignedIDView
attribute will return an error during the LDAP dereference request
because SSSD marks LDAP extensions as critical. In this case we keep the
view name empty and skip override lookups.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ipa/ipa_subdomains.c | 14 +++++++++++++-
src/providers/ipa/ipa_subdomains_id.c | 4 +++-
src/providers/ipa/ipa_views.c | 17 ++++++++++++-----
3 files changed, 28 insertions(+), 7 deletions(-)
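diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index bedc0f1a50e8a35ea65de45247b1814c9abc0bcd..eb172fdfc05ac4e482174f01d89ad28db1498fc1 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -1002,7 +1002,19 @@ static void ipa_get_view_name_done(struct tevent_req *req)
 ret = sdap_deref_search_with_filter_recv(req, ctx, &reply_count, &reply);
 talloc_zfree(req);
 if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "get_view_name request failed.\n");
+ if (ret == EOPNOTSUPP) {
+ DEBUG(SSSDBG_TRACE_FUNC, "get_view_name request failed, looks " \
+ "like server does not support views.\n");
+ ret = ipa_check_master(ctx);
+ if (ret == EAGAIN) {
+ return;
+ } else if (ret != EOK) {
+ goto done;
+ }
+
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "get_view_name request failed.\n");
+ }
 goto done;
 }
 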
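Review bot: The EOPNOTSUPP branch equates that error with a server that lacks view support, but the same code results from any critical control the server rejects, so the assumption deserves a comment next to `if (ret == EOPNOTSUPP) {`, e.g. `/* The deref request carries critical controls; an old server that does not know ipaAssignedIDView rejects it with EOPNOTSUPP, so leave the view name unset and continue without overrides. */`. Two style nits in the same block: the backslash after `"get_view_name request failed, looks " \` is not needed, since adjacent string literals concatenate inside a macro argument without it, and the empty line before `} else {` should go. Whether the context's view name is reset to NULL on this path is not visible here; if a value from an earlier lookup could survive, clearing it before `goto done` would make the "no views" state explicit rather than implied. ipa_get_view_name_done continues outside the hunk, as does the done: label it jumps to.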
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
|
|
index 36f8b239249e5f0146610cfab148be20c39c66c2..b67006ce6e0b4bf9c794016c1dfc923ac6da3624 100644
|
|
--- a/src/providers/ipa/ipa_subdomains_id.c
|
|
+++ b/src/providers/ipa/ipa_subdomains_id.c
|
|
@@ -106,11 +106,13 @@ struct tevent_req *ipa_subdomain_account_send(TALLOC_CTX *memctx,
|
|
* have to check first if the request matches an override in the given
|
|
* view. But there are cases where this can be skipped and the AD object
|
|
* can be searched directly:
|
|
+ * - if no view is defined, i.e. the server does not supprt views yet
|
|
* - searches by SID: because we do not override the SID
|
|
* - if the responder does not send the EXTRA_INPUT_MAYBE_WITH_VIEW flags,
|
|
* because in this case the entry was found in the cache and the
|
|
* original value is used for the search (e.g. during cache updates) */
|
|
- if (state->ar->filter_type == BE_FILTER_SECID
|
|
+ if (state->ipa_ctx->view_name == NULL
|
|
+ || state->ar->filter_type == BE_FILTER_SECID
|
|
|| (!state->ipa_server_mode
|
|
&& state->ar->extra_value != NULL
|
|
&& strcmp(state->ar->extra_value,
|
|
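diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c
index 33dbf7b1c17f188924ee7b50a77ab699f03392be..2eb77216ab9759d8b1d66fbdf0b2e90cd07a4604 100644
--- a/src/providers/ipa/ipa_views.c
+++ b/src/providers/ipa/ipa_views.c
@@ -208,16 +208,23 @@ struct tevent_req *ipa_get_ad_override_send(TALLOC_CTX *mem_ctx,
 state->sdap_id_ctx = sdap_id_ctx;
 state->ipa_options = ipa_options;
 state->ipa_realm = ipa_realm;
- if (strcmp(view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) {
- state->ipa_view_name = IPA_DEFAULT_VIEW_NAME;
- } else {
- state->ipa_view_name = view_name;
- }
 state->ar = ar;
 state->dp_error = -1;
 state->override_attrs = NULL;
 state->filter = NULL;
 
+ if (view_name == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "View not defined, nothing to do.\n");
+ ret = EOK;
+ goto done;
+ }
+
+ if (strcmp(view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) {
+ state->ipa_view_name = IPA_DEFAULT_VIEW_NAME;
+ } else {
+ state->ipa_view_name = view_name;
+ }
+
 state->sdap_op = sdap_id_op_create(state,
 state->sdap_id_ctx->conn->conn_cache);
 if (state->sdap_op == NULL) {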
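Review bot: The new early exit at `if (view_name == NULL)` jumps to done with `state->dp_error` still holding the -1 sentinel assigned a few lines above; if the done: path reports that value through the recv function (not visible in this hunk), callers will see -1 for a successful no-op, so `state->dp_error = DP_ERR_OK;` before `goto done` seems warranted. Since `state->ipa_view_name` is now assigned only on the non-NULL path, a one-line comment on the guard such as `/* No view on pre-4.0 servers: ipa_view_name and override_attrs stay unset and the caller searches the AD object directly. */` would document the contract recv callers must handle. ipa_get_ad_override_send starts and ends outside this hunk, including the done: label.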
--
1.9.3