sssd/0001-ipa-fix-issues-with-older-servers-not-supporting-vie.patch
Jakub Hrozek 3161db3512 Backport several patches from upstream.
- Fix a potential crash against old (pre-4.0) IPA servers
2014-10-22 13:09:58 +02:00


From c61100799c7d8e46c82a862eca3f543a4320490c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 22 Oct 2014 10:03:09 +0200
Subject: [PATCH 1/4] ipa: fix issues with older servers not supporting views
Older FreeIPA servers which do not know about the ipaAssignedIDView
attribute will return an error during the LDAP dereference request
because SSSD marks LDAP extensions as critical. In this case we keep the
view name empty and skip override lookups.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ipa/ipa_subdomains.c | 14 +++++++++++++-
src/providers/ipa/ipa_subdomains_id.c | 4 +++-
src/providers/ipa/ipa_views.c | 17 ++++++++++++-----
3 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index bedc0f1a50e8a35ea65de45247b1814c9abc0bcd..eb172fdfc05ac4e482174f01d89ad28db1498fc1 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -1002,7 +1002,19 @@ static void ipa_get_view_name_done(struct tevent_req *req)
ret = sdap_deref_search_with_filter_recv(req, ctx, &reply_count, &reply);
talloc_zfree(req);
if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "get_view_name request failed.\n");
+ if (ret == EOPNOTSUPP) {
+ DEBUG(SSSDBG_TRACE_FUNC, "get_view_name request failed, looks " \
+ "like server does not support views.\n");
+ ret = ipa_check_master(ctx);
+ if (ret == EAGAIN) {
+ return;
+ } else if (ret != EOK) {
+ goto done;
+ }
+
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "get_view_name request failed.\n");
+ }
goto done;
}
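Review bot: The EOPNOTSUPP fallback is logged only at SSSDBG_TRACE_FUNC (the `"get_view_name request failed, looks "` line), so at default debug levels an administrator gets no indication that this server is being treated as view-less and that override lookups will be skipped for it, which is a behavioural change worth surfacing; `DEBUG(SSSDBG_MINOR_FAILURE, ...)` for that message would make the degraded mode visible without being noisy. In that branch a successful `ipa_check_master()` leaves `ret == EOK` and falls into the shared `goto done;`, so success handling depends on the `done` label, which lies outside the hunk and cannot be checked here. Two style nits: the backslash after `"looks "` is unnecessary inside a macro argument (adjacent string literals concatenate on their own), and the blank `+` line before `} else {` looks like a leftover. The enclosing function ipa_get_view_name_done starts before the hunk.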
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 36f8b239249e5f0146610cfab148be20c39c66c2..b67006ce6e0b4bf9c794016c1dfc923ac6da3624 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -106,11 +106,13 @@ struct tevent_req *ipa_subdomain_account_send(TALLOC_CTX *memctx,
* have to check first if the request matches an override in the given
* view. But there are cases where this can be skipped and the AD object
* can be searched directly:
+ * - if no view is defined, i.e. the server does not supprt views yet
* - searches by SID: because we do not override the SID
* - if the responder does not send the EXTRA_INPUT_MAYBE_WITH_VIEW flags,
* because in this case the entry was found in the cache and the
* original value is used for the search (e.g. during cache updates) */
- if (state->ar->filter_type == BE_FILTER_SECID
+ if (state->ipa_ctx->view_name == NULL
+ || state->ar->filter_type == BE_FILTER_SECID
|| (!state->ipa_server_mode
&& state->ar->extra_value != NULL
&& strcmp(state->ar->extra_value,
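Review bot: The added comment line has a typo: `* - if no view is defined, i.e. the server does not supprt views yet` should read `* - if no view is defined, i.e. the server does not support views yet`. Since this comment is the only place that explains why a NULL `view_name` bypasses the override check, it is worth keeping precise. The condition and the enclosing function ipa_subdomain_account_send continue outside the hunk.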
diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c
index 33dbf7b1c17f188924ee7b50a77ab699f03392be..2eb77216ab9759d8b1d66fbdf0b2e90cd07a4604 100644
--- a/src/providers/ipa/ipa_views.c
+++ b/src/providers/ipa/ipa_views.c
@@ -208,16 +208,23 @@ struct tevent_req *ipa_get_ad_override_send(TALLOC_CTX *mem_ctx,
state->sdap_id_ctx = sdap_id_ctx;
state->ipa_options = ipa_options;
state->ipa_realm = ipa_realm;
- if (strcmp(view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) {
- state->ipa_view_name = IPA_DEFAULT_VIEW_NAME;
- } else {
- state->ipa_view_name = view_name;
- }
state->ar = ar;
state->dp_error = -1;
state->override_attrs = NULL;
state->filter = NULL;
+ if (view_name == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "View not defined, nothing to do.\n");
+ ret = EOK;
+ goto done;
+ }
+
+ if (strcmp(view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) {
+ state->ipa_view_name = IPA_DEFAULT_VIEW_NAME;
+ } else {
+ state->ipa_view_name = view_name;
+ }
+
state->sdap_op = sdap_id_op_create(state,
state->sdap_id_ctx->conn->conn_cache);
if (state->sdap_op == NULL) {
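Review bot: The new early exit for `view_name == NULL` jumps to `done` with `ret = EOK` but leaves `state->dp_error` at the `-1` assigned a few lines earlier; if the `done` label (outside the hunk) does not set dp_error on the success path and the recv function hands `state->dp_error` back to the caller, this "nothing to do" case would report an invalid dp_error value. Setting `state->dp_error = DP_ERR_OK;` before the `goto done;` makes the early exit self-contained regardless of how `done` is written. Moving the strcmp() on `view_name` below the NULL check is what removes the crash on servers without view support, so that part reads correctly. The rest of ipa_get_ad_override_send runs past the hunk.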
--
1.9.3