From c28d61203655dd41cd8eb69752e435d3241e63b2 Mon Sep 17 00:00:00 2001
|
|
|
ced1f5 |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
ced1f5 |
Date: Tue, 3 Oct 2017 12:34:49 +0200
|
|
|
ced1f5 |
Subject: [PATCH 06/21] SDAP: Allow the mpg flag for the main domain
|
|
|
ced1f5 |
MIME-Version: 1.0
|
|
|
ced1f5 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ced1f5 |
Content-Transfer-Encoding: 8bit
|
|
|
ced1f5 |
|
|
|
ced1f5 |
This commit allows saving the users in the MPG domain in the SDAP
|
|
|
ced1f5 |
layer.
|
|
|
ced1f5 |
|
|
|
ced1f5 |
The commit contains the following changes:
|
|
|
ced1f5 |
- abstracts the change where if the primary GID exists in the original
|
|
|
ced1f5 |
object, it is saved instead as the SYSDB_PRIMARY_GROUP_GIDNUM attribute,
|
|
|
ced1f5 |
which will allow the original primary GID to be exposed as a
|
|
|
ced1f5 |
secondary group
|
|
|
ced1f5 |
|
|
|
ced1f5 |
- if the primary GID does not exist, no SYSDB_PRIMARY_GROUP_GIDNUM
|
|
|
ced1f5 |
is added. This will allow handling LDAP objects that only contain
|
|
|
ced1f5 |
the UID but no GID. Since this is a new use-case, a test is added
|
|
|
ced1f5 |
later
|
|
|
ced1f5 |
|
|
|
ced1f5 |
- a branch that handles the above is added to sdap_save_user() also
|
|
|
ced1f5 |
for joined domains that set the MPG flag. Previously, only
|
|
|
ced1f5 |
subdomains were handled.
|
|
|
ced1f5 |
|
|
|
ced1f5 |
- to allow passing GID=0 to the sysdb layer, the range check is
|
|
|
ced1f5 |
relaxed.
|
|
|
ced1f5 |
|
|
|
ced1f5 |
Related:
|
|
|
ced1f5 |
https://pagure.io/SSSD/sssd/issue/1872
|
|
|
ced1f5 |
|
|
|
ced1f5 |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
ced1f5 |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
ced1f5 |
(cherry picked from commit cdb74b2cc6cc3fe52969712907c9eb4026c7a44f)
|
|
|
ced1f5 |
---
|
|
|
ced1f5 |
src/providers/ldap/sdap_async_users.c | 83 +++++++++++++++++++++++++++++++----
|
|
|
ced1f5 |
1 file changed, 75 insertions(+), 8 deletions(-)
|
|
|
ced1f5 |
|
|
|
ced1f5 |
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
|
|
|
ced1f5 |
index 09d096e84cac6c9d52bcde0e1587c47dbd88b504..7338b4a15694b1d0a16723990130a23a7280af5f 100644
|
|
|
ced1f5 |
--- a/src/providers/ldap/sdap_async_users.c
|
|
|
ced1f5 |
+++ b/src/providers/ldap/sdap_async_users.c
|
|
|
ced1f5 |
@@ -136,6 +136,38 @@ static errno_t sdap_set_non_posix_flag(struct sysdb_attrs *attrs,
|
|
|
ced1f5 |
return EOK;
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
|
|
|
ced1f5 |
+static int sdap_user_set_mpg(struct sysdb_attrs *user_attrs,
|
|
|
ced1f5 |
+ gid_t *_gid)
|
|
|
ced1f5 |
+{
|
|
|
ced1f5 |
+ errno_t ret;
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+ if (_gid == NULL) {
|
|
|
ced1f5 |
+ return EINVAL;
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+ if (*_gid == 0) {
|
|
|
ced1f5 |
+ /* The original entry had no GID number. This is OK, we just won't add
|
|
|
ced1f5 |
+ * the SYSDB_PRIMARY_GROUP_GIDNUM attribute
|
|
|
ced1f5 |
+ */
|
|
|
ced1f5 |
+ return EOK;
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+ ret = sysdb_attrs_add_uint32(user_attrs,
|
|
|
ced1f5 |
+ SYSDB_PRIMARY_GROUP_GIDNUM,
|
|
|
ced1f5 |
+ (uint32_t) *_gid);
|
|
|
ced1f5 |
+ if (ret != EOK) {
|
|
|
ced1f5 |
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_uint32 failed.\n");
|
|
|
ced1f5 |
+ return ret;
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+ /* We won't really store gidNumber=0, but the zero value tells
|
|
|
ced1f5 |
+ * the sysdb layer that no GID is set, which sysdb requires for
|
|
|
ced1f5 |
+ * MPG-enabled domains
|
|
|
ced1f5 |
+ */
|
|
|
ced1f5 |
+ *_gid = 0;
|
|
|
ced1f5 |
+ return EOK;
|
|
|
ced1f5 |
+}
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
/* FIXME: support storing additional attributes */
|
|
|
ced1f5 |
int sdap_save_user(TALLOC_CTX *memctx,
|
|
|
ced1f5 |
struct sdap_options *opts,
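Review bot: sdap_user_set_mpg has no header comment and its contract is not obvious from the call sites: on success it stores the incoming GID as SYSDB_PRIMARY_GROUP_GIDNUM and then overwrites *_gid with 0, so a caller that still needs the original value has to copy it first, and a zero input returns EOK without storing anything, which the caller cannot distinguish from the stored case by return value alone. Suggest a comment above the function, e.g. `/* Record the user's original primary GID as SYSDB_PRIMARY_GROUP_GIDNUM (so it can later be exposed as a secondary group) and reset *_gid to 0 so the sysdb layer creates the private group. A zero *_gid means the entry carried no GID; nothing is recorded and EOK is returned. */`. The cast to uint32_t on the add and the gid_t type of the out-parameter are the same width on the platforms SSSD targets, but that is an assumption worth stating next to the cast.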
|
|
|
ced1f5 |
@@ -357,7 +389,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
|
|
|
ced1f5 |
goto done;
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
|
|
|
ced1f5 |
- if (IS_SUBDOMAIN(dom)) {
|
|
|
ced1f5 |
+ if (IS_SUBDOMAIN(dom) || dom->mpg == true) {
|
|
|
ced1f5 |
/* For subdomain users, only create the private group as
|
|
|
ced1f5 |
* the subdomain is an MPG domain.
|
|
|
ced1f5 |
* But we have to save the GID of the original primary group
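Review bot: The widened condition now also takes the main domain when `dom->mpg` is set, but the comment directly beneath still says "For subdomain users, only create the private group as the subdomain is an MPG domain", which no longer describes when the branch runs. Suggest replacing that first comment line with `/* For users of an MPG domain (every subdomain is one), only create the` and leaving the rest of the comment as is. The spelling `dom->mpg == true` here versus bare `dom->mpg` in the later MPG branch of the same function is a small inconsistency worth harmonising. Both the comment and the enclosing sdap_save_user body continue outside this hunk.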
|
|
|
ced1f5 |
@@ -365,14 +397,13 @@ int sdap_save_user(TALLOC_CTX *memctx,
|
|
|
ced1f5 |
* typically (Unix and AD) the user is not listed in his primary
|
|
|
ced1f5 |
* group as a member.
|
|
|
ced1f5 |
*/
|
|
|
ced1f5 |
- ret = sysdb_attrs_add_uint32(user_attrs, SYSDB_PRIMARY_GROUP_GIDNUM,
|
|
|
ced1f5 |
- (uint32_t) gid);
|
|
|
ced1f5 |
+ ret = sdap_user_set_mpg(user_attrs, &gid;;
|
|
|
ced1f5 |
if (ret != EOK) {
|
|
|
ced1f5 |
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_uint32 failed.\n");
|
|
|
ced1f5 |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
ced1f5 |
+ "sdap_user_set_mpg failed [%d]: %s\n", ret,
|
|
|
ced1f5 |
+ sss_strerror(ret));
|
|
|
ced1f5 |
goto done;
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
-
|
|
|
ced1f5 |
- gid = 0;
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
|
|
|
ced1f5 |
/* Store the GID in the ldap_attrs so it doesn't get
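Review bot: Replacing the unconditional sysdb_attrs_add_uint32 plus `gid = 0;` with the helper changes behaviour when `gid` is already 0 on entry to this branch: the old code still stored SYSDB_PRIMARY_GROUP_GIDNUM with value 0, the helper now returns EOK and stores nothing. Whether a subdomain user can reach this point with gid 0 depends on code before the hunk; if it can, that is a silent cache-content change the commit message should mention. The `&gid;;` on the call line looks like an HTML-entity mangling of `&gid);` in this rendering rather than something present in the commit. sdap_save_user continues outside the hunk.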
|
|
|
ced1f5 |
@@ -380,6 +411,41 @@ int sdap_save_user(TALLOC_CTX *memctx,
|
|
|
ced1f5 |
*/
|
|
|
ced1f5 |
ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, gid);
|
|
|
ced1f5 |
if (ret != EOK) goto done;
|
|
|
ced1f5 |
+ } else if (dom->mpg) {
|
|
|
ced1f5 |
+ /* Likewise, if a domain is set to contain 'magic private groups', do
|
|
|
ced1f5 |
+ * not process the real GID, but save it in the cache as originalGID
|
|
|
ced1f5 |
+ * (if available)
|
|
|
ced1f5 |
+ */
|
|
|
ced1f5 |
+ ret = sysdb_attrs_get_uint32_t(attrs,
|
|
|
ced1f5 |
+ opts->user_map[SDAP_AT_USER_GID].sys_name,
|
|
|
ced1f5 |
+ &gid;;
|
|
|
ced1f5 |
+ if (ret == ENOENT) {
|
|
|
ced1f5 |
+ DEBUG(SSSDBG_TRACE_LIBS,
|
|
|
ced1f5 |
+ "Missing GID, won't save the %s attribute\n",
|
|
|
ced1f5 |
+ SYSDB_PRIMARY_GROUP_GIDNUM);
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+ /* Store the UID as GID (since we're in a MPG domain so that it doesn't
|
|
|
ced1f5 |
+ * get treated as a missing attribute and removed
|
|
|
ced1f5 |
+ */
|
|
|
ced1f5 |
+ ret = sdap_replace_id(attrs, SYSDB_GIDNUM, uid);
|
|
|
ced1f5 |
+ if (ret) {
|
|
|
ced1f5 |
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot set the id-mapped UID\n");
|
|
|
ced1f5 |
+ goto done;
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
+ gid = 0;
|
|
|
ced1f5 |
+ } else if (ret != EOK) {
|
|
|
ced1f5 |
+ DEBUG(SSSDBG_MINOR_FAILURE,
|
|
|
ced1f5 |
+ "Cannot retrieve GID, won't save the %s attribute\n",
|
|
|
ced1f5 |
+ SYSDB_PRIMARY_GROUP_GIDNUM);
|
|
|
ced1f5 |
+ gid = 0;
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+ ret = sdap_user_set_mpg(user_attrs, &gid;;
|
|
|
ced1f5 |
+ if (ret != EOK) {
|
|
|
ced1f5 |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
ced1f5 |
+ "sdap_user_set_mpg failed [%d]: %s\n", ret, sss_strerror(ret));
|
|
|
ced1f5 |
+ goto done;
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
} else {
|
|
|
ced1f5 |
ret = sysdb_attrs_get_uint32_t(attrs,
|
|
|
ced1f5 |
opts->user_map[SDAP_AT_USER_GID].sys_name,
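Review bot: In the new `else if (dom->mpg)` branch a directory entry whose gidNumber is literally 0 is indistinguishable from one without a gidNumber: sysdb_attrs_get_uint32_t returns EOK with gid == 0, the ENOENT rewrite of the GID attribute to the UID is skipped, and sdap_user_set_mpg then treats the 0 as "no GID", so the attribute read through user_map[SDAP_AT_USER_GID].sys_name keeps whatever was fetched while only the ENOENT path rewrites it. The `ret != EOK` path has the same gap, zeroing `gid` but leaving the unparsable value in `attrs`; the ENOENT path's own comment says the rewrite exists so the value is not "treated as a missing attribute and removed", so the other two paths presumably want the same `sdap_replace_id(attrs, SYSDB_GIDNUM, uid)` call, though what sysdb does with them is outside the hunk. The comment on the ENOENT path also has an unbalanced parenthesis; suggest `/* Store the UID as GID (we're in an MPG domain) so that it doesn't`.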
|
|
|
ced1f5 |
@@ -403,8 +469,9 @@ int sdap_save_user(TALLOC_CTX *memctx,
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
|
|
|
ced1f5 |
/* check that the gid is valid for this domain */
|
|
|
ced1f5 |
- if (is_posix == true && IS_SUBDOMAIN(dom) == false &&
|
|
|
ced1f5 |
- OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
|
|
|
ced1f5 |
+ if (is_posix == true && IS_SUBDOMAIN(dom) == false
|
|
|
ced1f5 |
+ && dom->mpg == false
|
|
|
ced1f5 |
+ && OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
|
|
|
ced1f5 |
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
ced1f5 |
"User [%s] filtered out! (primary gid out of range)\n",
|
|
|
ced1f5 |
user_name);
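Review bot: Adding `dom->mpg == false` exempts every MPG main domain from the id_min/id_max check, and nothing else in the function range-checks the gidNumber that the MPG branch records as SYSDB_PRIMARY_GROUP_GIDNUM, so an entry whose primary GID lies outside the configured range (a low system GID, say) is now accepted where it used to be filtered out. The commit message says that attribute is meant to be exposed as a secondary group; unless its consumer re-applies the range check, which I cannot see from here, this lets an out-of-range group reach the user's group list. The conservative fix is to validate the value before it is zeroed, in the MPG branch just ahead of the sdap_user_set_mpg call: `if (is_posix == true && gid != 0 && OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) { DEBUG(SSSDBG_MINOR_FAILURE, "Primary GID out of range, not saving %s\n", SYSDB_PRIMARY_GROUP_GIDNUM); gid = 0; }`, or alternatively reject the user as the non-MPG path does. A comment on the relaxed condition explaining that MPG domains deliberately pass gid == 0 here would also help the next reader. The body of this `if` continues past the hunk.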
|
|
|
ced1f5 |
--
|
|
|
ced1f5 |
2.13.5