9e669db919
Resolves: RHEL-22288 - ssh pubkey stored in ldap/AD no longer works to authenticate via sssd Resolves: RHEL-22194 - gdm smartcard login fails with sssd-2.9.3 in case of multiple identities
From 6a8e60df84d5d2565bec36be19c2def25a6ece1f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 24 Jan 2024 14:21:12 +0100
Subject: [PATCH 3/3] sdap: add naming_context as new member of struct
sdap_domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The naming_context could be a more reliable source than basedn for the
actual base DN because basedn is set very early from the domain name
given in sssd.conf. Although it is recommended to use the fully
qualified DNS domain name here it is not required. As a result basedn
might not reflect the actual base DN of the LDAP server. Also pure LDAP
server (i.e. not AD or FreeIPA) might use different schemes to set the
base DN which will not be based on the DNS domain of the LDAP server.
Resolves: https://github.com/SSSD/sssd/issues/5708
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit a153f13f296401247a862df2b99048bb1bbb8e2e)
---
src/providers/ad/ad_gpo.c | 6 ++++--
src/providers/ldap/sdap.c | 36 +++++++++++++-----------------------
src/providers/ldap/sdap.h | 11 +++++++++++
3 files changed, 28 insertions(+), 25 deletions(-)
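diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index b0ee3e616..3d1ad39c7 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2185,8 +2185,10 @@ ad_gpo_connect_done(struct tevent_req *subreq)
 goto done;
 }
 
- ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
- "AD_HOSTS", NULL, &search_bases);
+ ret = common_parse_search_base(state,
+ sdom->naming_context == NULL ? sdom->basedn
+ : sdom->naming_context,
+ state->ldb_ctx, "AD_HOSTS", NULL, &search_bases);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE,
 "Failed to create dedicated search base for host lookups, "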
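Review bot: The fallback to sdom->basedn inside the new common_parse_search_base() call is undocumented, so a reader of ad_gpo_connect_done cannot tell why two candidate base DNs exist or when naming_context is expected to be NULL (the sdap.h comment in this same commit says it may stay NULL even after a connection). A one-line comment above the call would carry that, e.g. `/* Prefer the base DN the server reports in its rootDSE; basedn is only derived from the configured domain name and may not match the directory. */`. If other callers need the same selection, a small accessor on struct sdap_domain would avoid repeating the ternary, but whether such callers exist is not visible here. ad_gpo_connect_done starts and ends outside the hunk.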
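diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index f5637c5fb..956eba93a 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1252,19 +1252,10 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
 struct sdap_domain *sdom)
 {
 int ret;
- char *naming_context = NULL;
 
- if (!sdom->search_bases
- || !sdom->user_search_bases
- || !sdom->group_search_bases
- || !sdom->netgroup_search_bases
- || !sdom->host_search_bases
- || !sdom->sudo_search_bases
- || !sdom->iphost_search_bases
- || !sdom->ipnetwork_search_bases
- || !sdom->autofs_search_bases) {
- naming_context = get_naming_context(opts->basic, rootdse);
- if (naming_context == NULL) {
+ if (!sdom->naming_context) {
+ sdom->naming_context = get_naming_context(sdom, rootdse);
+ if (sdom->naming_context == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "get_naming_context failed.\n");
 
 /* This has to be non-fatal, since some servers offer
@@ -1280,7 +1271,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
 if (!sdom->search_bases) {
 ret = sdap_set_search_base(opts, sdom,
 SDAP_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
 if (ret != EOK) goto done;
 }
 
@@ -1288,7 +1279,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
 if (!sdom->user_search_bases) {
 ret = sdap_set_search_base(opts, sdom,
 SDAP_USER_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
 if (ret != EOK) goto done;
 }
 
@@ -1296,7 +1287,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
 if (!sdom->group_search_bases) {
 ret = sdap_set_search_base(opts, sdom,
 SDAP_GROUP_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
 if (ret != EOK) goto done;
 }
 
@@ -1304,7 +1295,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
 if (!sdom->netgroup_search_bases) {
 ret = sdap_set_search_base(opts, sdom,
 SDAP_NETGROUP_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
 if (ret != EOK) goto done;
 }
 
@@ -1312,7 +1303,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
 if (!sdom->host_search_bases) {
 ret = sdap_set_search_base(opts, sdom,
 SDAP_HOST_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
 if (ret != EOK) goto done;
 }
 
@@ -1320,7 +1311,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
 if (!sdom->sudo_search_bases) {
 ret = sdap_set_search_base(opts, sdom,
 SDAP_SUDO_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
 if (ret != EOK) goto done;
 }
 
@@ -1328,7 +1319,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
 if (!sdom->service_search_bases) {
 ret = sdap_set_search_base(opts, sdom,
 SDAP_SERVICE_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
 if (ret != EOK) goto done;
 }
 
@@ -1336,7 +1327,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
 if (!sdom->autofs_search_bases) {
 ret = sdap_set_search_base(opts, sdom,
 SDAP_AUTOFS_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
 if (ret != EOK) goto done;
 }
 
@@ -1344,7 +1335,7 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
 if (!sdom->iphost_search_bases) {
 ret = sdap_set_search_base(opts, sdom,
 SDAP_IPHOST_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
 if (ret != EOK) goto done;
 }
 
@@ -1352,14 +1343,13 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
 if (!sdom->ipnetwork_search_bases) {
 ret = sdap_set_search_base(opts, sdom,
 SDAP_IPNETWORK_SEARCH_BASE,
- naming_context);
+ sdom->naming_context);
 if (ret != EOK) goto done;
 }
 
 ret = EOK;
 
 done:
- talloc_free(naming_context);
 return ret;
 }
 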
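Review bot: Once sdom->naming_context has been set it is never refreshed: the guard `if (!sdom->naming_context) {` in the first hunk skips get_naming_context() on every later call, so a rootDSE obtained from a different server after failover can no longer update the stored value, whereas the removed code re-read it from the current rootdse on each call; how much this matters depends on how often sdap_set_config_options_with_rootdse() runs after the first connection, which is outside the hunk. A second behaviour change is that the lookup now runs even when every search base is configured, so a server that does not publish a naming context logs `get_naming_context failed.` at SSSDBG_CRIT_FAILURE on each call rather than only when a search base actually had to be derived; lowering that message to SSSDBG_MINOR_FAILURE or restoring the old search-base condition around the lookup would keep the log quiet in the supported "non-fatal" case. If a refresh is wanted, `talloc_free(sdom->naming_context); sdom->naming_context = get_naming_context(sdom, rootdse);` in place of the guard would do it, on the assumption, suggested by the new sdom argument but not shown here, that get_naming_context() allocates the string on sdom. The function's signature line is visible only in the hunk header and its body continues past the first hunk.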
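diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 161bc5c26..103d50ed4 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -454,6 +454,17 @@ struct sdap_domain {
 
 char *basedn;
 
+ /* The naming_context could be a more reliable source than basedn for the
+ * actual base DN because basedn is set very early from the domain name
+ * given in sssd.conf. Although it is recommended to use the fully
+ * qualified DNS domain name here it is not required. As a result basedn
+ * might not reflect the actual based DN of the LDAP server. Also pure
+ * LDAP server (i.e. not AD or FreeIPA) might use different schemes to set
+ * the base DN which will not be based on the DNS domain of the LDAP
+ * server. naming_context might be NULL even after connection to an LDAP
+ * server. */
+ char *naming_context;
+
 struct sdap_search_base **search_bases;
 struct sdap_search_base **user_search_bases;
 struct sdap_search_base **group_search_bases;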
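Review bot: The comment added above `char *naming_context;` explains why the field exists but not its contract: who allocates and owns the string and which code fills it in are left to the reader. The sdap.c hunk of this commit stores the result of `get_naming_context(sdom, rootdse)` into it, which suggests it is talloc-allocated on the sdap_domain and populated by sdap_set_config_options_with_rootdse(), but that should be stated here rather than inferred, for example with a closing sentence such as `Set from the server's rootDSE by sdap_set_config_options_with_rootdse() and owned by this struct.` once the allocation context is confirmed against get_naming_context(). The same comment has a typo, `actual based DN` for `actual base DN`.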
--
2.41.0