116 lines
4.6 KiB
Diff
116 lines
4.6 KiB
Diff
From eaf656843831d579f30f94154d88aba2201c1712 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Tue, 28 Apr 2015 20:59:43 +0200
|
|
Subject: [PATCH 80/99] IPA: search for overrides during initgroups in sever
|
|
mode
|
|
|
|
After the group memberships of a user from a trusted domain are read it
|
|
must be checked if there are overrides for the discovered groups to be
|
|
able to return the right gid or name to the caller.
|
|
|
|
Related to https://fedorahosted.org/sssd/ticket/2633
|
|
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
(cherry picked from commit 2263c6dd1242c92253240f4998c86a04b6a0ca3a)
|
|
---
|
|
src/providers/ipa/ipa_subdomains_id.c | 69 +++++++++++++++++++++++++++++++++++
|
|
1 file changed, 69 insertions(+)
|
|
|
|
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
|
|
index 1253510dcb8523c19d879d4351ffa07995f161f7..617c091d3abc4808da4a279213ffc3e1119001bf 100644
|
|
--- a/src/providers/ipa/ipa_subdomains_id.c
|
|
+++ b/src/providers/ipa/ipa_subdomains_id.c
|
|
@@ -569,6 +569,8 @@ struct ipa_get_ad_acct_state {
|
|
static void ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq);
|
|
static void ipa_get_ad_override_done(struct tevent_req *subreq);
|
|
static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req);
|
|
+static errno_t ipa_get_ad_ipa_membership_step(struct tevent_req *req);
|
|
+static void ipa_id_get_groups_overrides_done(struct tevent_req *subreq);
|
|
static void ipa_get_ad_acct_done(struct tevent_req *subreq);
|
|
static struct ad_id_ctx *ipa_get_ad_id_ctx(struct ipa_id_ctx *ipa_ctx,
|
|
struct sss_domain_info *dom);
|
|
@@ -1123,6 +1125,9 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
|
|
struct tevent_req *subreq;
|
|
const char *obj_name;
|
|
int entry_type;
|
|
+ size_t groups_count = 0;
|
|
+ struct ldb_message **groups = NULL;
|
|
+ const char *attrs[] = SYSDB_INITGR_ATTRS;
|
|
|
|
if (state->override_attrs != NULL) {
|
|
/* We are in ipa-server-mode, so the view is the default view by
|
|
@@ -1179,6 +1184,70 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
|
|
state->ar->entry_type = BE_REQ_USER;
|
|
}
|
|
|
|
+ /* Lookup all groups the user is a member of which do not have ORIGINALAD
|
|
+ * attributes set, i.e. where overrides might not have been applied. */
|
|
+ ret = sysdb_asq_search(state, state->obj_dom, state->obj_msg->dn,
|
|
+ "(&("SYSDB_GC")("SYSDB_GIDNUM"=*)" \
|
|
+ "(!("ORIGINALAD_PREFIX SYSDB_GIDNUM"=*))" \
|
|
+ "(!("ORIGINALAD_PREFIX SYSDB_NAME"=*)))",
|
|
+ SYSDB_INITGR_ATTR,
|
|
+ attrs, &groups_count, &groups);
|
|
+ if (ret != EOK) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_groups_without_orig failed.\n");
|
|
+ return ret;
|
|
+ }
|
|
+
|
|
+ if (groups != NULL) {
|
|
+ subreq = ipa_initgr_get_overrides_send(state, state->ev, state->ipa_ctx,
|
|
+ state->obj_dom, groups_count,
|
|
+ groups, SYSDB_SID_STR);
|
|
+ if (subreq == NULL) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_initgr_get_overrides_send failed.\n");
|
|
+ return ENOMEM;
|
|
+ }
|
|
+ tevent_req_set_callback(subreq, ipa_id_get_groups_overrides_done, req);
|
|
+ return EOK;
|
|
+ }
|
|
+
|
|
+ ret = ipa_get_ad_ipa_membership_step(req);
|
|
+ if (ret != EOK) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_ipa_membership_step failed.\n");
|
|
+ return ret;
|
|
+ }
|
|
+
|
|
+ return EOK;
|
|
+}
|
|
+
|
|
+static void ipa_id_get_groups_overrides_done(struct tevent_req *subreq)
|
|
+{
|
|
+ struct tevent_req *req = tevent_req_callback_data(subreq,
|
|
+ struct tevent_req);
|
|
+ errno_t ret;
|
|
+
|
|
+ ret = ipa_initgr_get_overrides_recv(subreq, NULL);
|
|
+ talloc_zfree(subreq);
|
|
+ if (ret != EOK) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
+ "IPA resolve user groups overrides failed [%d].\n", ret);
|
|
+ tevent_req_error(req, ret);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ ret = ipa_get_ad_ipa_membership_step(req);
|
|
+ if (ret != EOK) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_ipa_membership_step failed.\n");
|
|
+ tevent_req_error(req, ret);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ return;
|
|
+}
|
|
+
|
|
+static errno_t ipa_get_ad_ipa_membership_step(struct tevent_req *req)
|
|
+{
|
|
+ struct ipa_get_ad_acct_state *state = tevent_req_data(req,
|
|
+ struct ipa_get_ad_acct_state);
|
|
+ struct tevent_req *subreq;
|
|
|
|
/* For initgroups request we have to check IPA group memberships of AD
|
|
* users. This has to be done for other user-request as well to make sure
|
|
--
|
|
2.4.0
|
|
|