rpms/sssd
6
0
Fork 0
Code Issues Pull Requests Releases Activity
e8905f5363
sssd/0001-LDAP-Do-not-fail-if-RootDSE-check-cannot-determine-s.patch
Stephen Gallagher e8905f5363 Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for 
new LDAP features - fix netgroups and sudo as well
2012-02-04 20:20:10 -05:00

255 lines
9.3 KiB
Diff
Raw Blame History

From cd59e5d02ec97ea309fd51d4d6a6a4421617cd12 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Wed, 1 Feb 2012 14:03:36 -0500
Subject: [PATCH] LDAP: Do not fail if RootDSE check cannot determine search
bases
https://fedorahosted.org/sssd/ticket/1152
Conflicts:
src/providers/ldap/sdap_async_services.c
---
src/providers/ipa/ipa_netgroups.c | 7 +++++
src/providers/ldap/ldap_common.c | 5 +--
src/providers/ldap/sdap.c | 7 ++++-
src/providers/ldap/sdap_async_groups.c | 9 +++++++
src/providers/ldap/sdap_async_initgroups.c | 35 +++++++++++++++++++++++++++-
src/providers/ldap/sdap_async_netgroups.c | 10 ++++++++
src/providers/ldap/sdap_async_users.c | 9 +++++++
src/providers/ldap/sdap_sudo.c | 9 +++++++
8 files changed, 86 insertions(+), 5 deletions(-)
diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
index 78bcee1b44fec3c8d04fc5ba13b46db26396d1b1..7da1147c7d6fd1dec8872209e442ae99ee810aa1 100644
--- a/src/providers/ipa/ipa_netgroups.c
+++ b/src/providers/ipa/ipa_netgroups.c
@@ -209,6 +209,13 @@ struct tevent_req *ipa_get_netgroups_send(TALLOC_CTX *memctx,
state->base_filter = filter;
state->netgr_base_iter = 0;
+ if (!ipa_options->id->netgroup_search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Netgroup lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
ret = sss_hash_create(state, 32, &state->new_netgroups);
if (ret != EOK) goto done;
ret = sss_hash_create(state, 32, &state->new_users);
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 71921963a768a9975eca6432025704e06f28a2b8..c287b345217befeb872b25521d80d601fc27f0c7 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -538,9 +538,8 @@ int ldap_get_sudo_options(TALLOC_CTX *memctx,
dp_opt_get_string(opts->basic, SDAP_SUDO_SEARCH_BASE)));
}
} else {
- /* FIXME: try to discover it later */
- DEBUG(SSSDBG_OP_FAILURE, ("Error: no SUDO search base set\n"));
- return ENOENT;
+ DEBUG(SSSDBG_TRACE_FUNC, ("Search base not set, trying to discover it later "
+ "connecting to the LDAP server.\n"));
}
ret = sdap_parse_search_base(opts, opts->basic,
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 3ca2e286146e1e88b1fd7abef341fa8c3aa699ad..2b29116949b2f8efae269a994a0f3da64a0ee612 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -748,7 +748,12 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
naming_context = get_naming_context(opts->basic, rootdse);
if (naming_context == NULL) {
DEBUG(1, ("get_naming_context failed.\n"));
- ret = EINVAL;
+
+ /* This has to be non-fatal, since some servers offer
+ * multiple namingContexts entries. We will just
+ * add NULL checks for the search bases in the lookups.
+ */
+ ret = EOK;
goto done;
}
}
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index e59640997d78db525a98a63cd230d2bc1a74d1a1..fe5dbd49a159c0ca4f57d60b7f69a8792e9a42c9 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1217,7 +1217,16 @@ struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx,
state->base_iter = 0;
state->search_bases = search_bases;
+ if (!search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Group lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
ret = sdap_get_groups_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, ev);
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 73ab25ea79cd66ff5fe7131ee7606cf71aa382e5..a769b100557b2d685cb022f09bea0d70ccfe3bb3 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -303,6 +303,13 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
state->base_iter = 0;
state->search_bases = opts->group_search_bases;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Initgroups lookup request without a group search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
state->name = talloc_strdup(state, name);
if (!state->name) {
talloc_zfree(req);
@@ -337,6 +344,8 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
talloc_zfree(clean_name);
ret = sdap_initgr_rfc2307_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, ev);
@@ -1432,6 +1441,13 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
state->base_iter = 0;
state->search_bases = opts->group_search_bases;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Initgroups lookup request without a group search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
ret = sss_hash_create(state, 32, &state->group_hash);
if (ret != EOK) {
talloc_free(req);
@@ -2006,9 +2022,17 @@ struct tevent_req *rfc2307bis_nested_groups_send(
SDAP_SEARCH_TIMEOUT);
state->base_iter = 0;
state->search_bases = opts->group_search_bases;
-
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Initgroups nested lookup request "
+ "without a group search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
ret = rfc2307bis_nested_groups_step(req);
+
+done:
if (ret == EOK) {
/* All parent groups were already processed */
tevent_req_done(req);
@@ -2378,9 +2402,16 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
state->user_base_iter = 0;
state->user_search_bases = id_ctx->opts->user_search_bases;
+ if (!state->user_search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Initgroups lookup request without a user search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
ret = sss_filter_sanitize(state, name, &clean_name);
if (ret != EOK) {
+ talloc_zfree(req);
return NULL;
}
@@ -2402,6 +2433,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
}
ret = sdap_get_initgr_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, ev);
diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c
index 0888c7e2fcf03d0b133bcf93ad017086aedffe16..f3a378f6488cfd46001c22b3a5abf29724f2fd0d 100644
--- a/src/providers/ldap/sdap_async_netgroups.c
+++ b/src/providers/ldap/sdap_async_netgroups.c
@@ -579,7 +579,17 @@ struct tevent_req *sdap_get_netgroups_send(TALLOC_CTX *memctx,
state->base_iter = 0;
state->search_bases = search_bases;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Netgroup lookup request without a netgroup search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
+
ret = sdap_get_netgroups_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, state->ev);
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index ac856a64208cb87994f676ab50fdba6d82dbcb50..01168321951fa9d14f4b58d891cb922c6c44d2c2 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -434,7 +434,16 @@ struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx,
state->search_bases = search_bases;
state->enumeration = enumeration;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("User lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
ret = sdap_get_users_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, state->ev);
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index 68cb47cd38952594d34ccc81913b7308caf9af10..aeae22eccf2a9adf3fb2fde831a3b492a6c4afb7 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -237,6 +237,13 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
state->ldap_rules = NULL;
state->ldap_rules_count = 0;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("SUDOERS lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
/* create filter */
state->filter = sdap_sudo_build_filter(state,
state->opts->sudorule_map,
@@ -256,6 +263,8 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
/* begin search */
ret = sdap_sudo_load_sudoers_next_base(req);
+
+done:
if (ret != EOK) {
tevent_req_error(req, ret);
tevent_req_post(req, sudo_ctx->be_ctx->ev);
--
1.7.7.6
Reference in New Issue View Git Blame Copy Permalink