dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0006-SDAP-Allow-the-mpg-flag-for-the-main-domain.patch

ced1f5
From c28d61203655dd41cd8eb69752e435d3241e63b2 Mon Sep 17 00:00:00 2001
ced1f5
From: Jakub Hrozek <jhrozek@redhat.com>
ced1f5
Date: Tue, 3 Oct 2017 12:34:49 +0200
ced1f5
Subject: [PATCH 06/21] SDAP: Allow the mpg flag for the main domain
ced1f5
MIME-Version: 1.0
ced1f5
Content-Type: text/plain; charset=UTF-8
ced1f5
Content-Transfer-Encoding: 8bit
ced1f5
ced1f5
This commit allows saving the users in the MPG domain in the SDAP
ced1f5
layer.
ced1f5
ced1f5
The commit contains the following changes:
ced1f5
    - abstracts the change where if the primary GID exists in the original
ced1f5
      object, it is saved instead as the SYSDB_PRIMARY_GROUP_GIDNUM attribute,
ced1f5
      which will allow the original primary GID to be exposed as a
ced1f5
      secondary group
ced1f5
ced1f5
    - if the primary GID does not exist, no SYSDB_PRIMARY_GROUP_GIDNUM
ced1f5
      is added. This will allow to handle LDAP objects that only contain
ced1f5
      the UID but no GID. Since this is a new use-case, a test is added
ced1f5
      later
ced1f5
ced1f5
    - a branch that handles the above is added to sdap_save_user() also
ced1f5
      for joined domains that set the MPG flag. Previously, only
ced1f5
      subdomains were handled.
ced1f5
ced1f5
    - to allow passing GID=0 to the sysdb layer, the range check is
ced1f5
      relaxed.
ced1f5
ced1f5
Related:
ced1f5
    https://pagure.io/SSSD/sssd/issue/1872
ced1f5
ced1f5
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
ced1f5
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
ced1f5
(cherry picked from commit cdb74b2cc6cc3fe52969712907c9eb4026c7a44f)
ced1f5
---
ced1f5
 src/providers/ldap/sdap_async_users.c | 83 +++++++++++++++++++++++++++++++----
ced1f5
 1 file changed, 75 insertions(+), 8 deletions(-)
ced1f5
ced1f5
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
ced1f5
index 09d096e84cac6c9d52bcde0e1587c47dbd88b504..7338b4a15694b1d0a16723990130a23a7280af5f 100644
ced1f5
--- a/src/providers/ldap/sdap_async_users.c
ced1f5
+++ b/src/providers/ldap/sdap_async_users.c
ced1f5
@@ -136,6 +136,38 @@ static errno_t sdap_set_non_posix_flag(struct sysdb_attrs *attrs,
ced1f5
     return EOK;
ced1f5
 }
ced1f5
 
ced1f5
+static int sdap_user_set_mpg(struct sysdb_attrs *user_attrs,
ced1f5
+                             gid_t *_gid)
ced1f5
+{
ced1f5
+    errno_t ret;
ced1f5
+
ced1f5
+    if (_gid == NULL) {
ced1f5
+        return EINVAL;
ced1f5
+    }
ced1f5
+
ced1f5
+    if (*_gid == 0) {
ced1f5
+        /* The original entry had no GID number. This is OK, we just won't add
ced1f5
+         * the SYSDB_PRIMARY_GROUP_GIDNUM attribute
ced1f5
+         */
ced1f5
+        return EOK;
ced1f5
+    }
ced1f5
+
ced1f5
+    ret = sysdb_attrs_add_uint32(user_attrs,
ced1f5
+                                 SYSDB_PRIMARY_GROUP_GIDNUM,
ced1f5
+                                 (uint32_t) *_gid);
ced1f5
+    if (ret != EOK) {
ced1f5
+        DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_uint32 failed.\n");
ced1f5
+        return ret;
ced1f5
+    }
ced1f5
+
ced1f5
+    /* We won't really store gidNumber=0, but the zero value tells
ced1f5
+     * the sysdb layer that no GID is set, which sysdb requires for
ced1f5
+     * MPG-enabled domains
ced1f5
+     */
ced1f5
+    *_gid = 0;
ced1f5
+    return EOK;
ced1f5
+}
ced1f5
+
ced1f5
 /* FIXME: support storing additional attributes */
ced1f5
 int sdap_save_user(TALLOC_CTX *memctx,
ced1f5
                    struct sdap_options *opts,
ced1f5
@@ -357,7 +389,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
ced1f5
             goto done;
ced1f5
         }
ced1f5
 
ced1f5
-        if (IS_SUBDOMAIN(dom)) {
ced1f5
+        if (IS_SUBDOMAIN(dom) || dom->mpg == true) {
ced1f5
             /* For subdomain users, only create the private group as
ced1f5
              * the subdomain is an MPG domain.
ced1f5
              * But we have to save the GID of the original primary group
ced1f5
@@ -365,14 +397,13 @@ int sdap_save_user(TALLOC_CTX *memctx,
ced1f5
              * typically (Unix and AD) the user is not listed in his primary
ced1f5
              * group as a member.
ced1f5
              */
ced1f5
-            ret = sysdb_attrs_add_uint32(user_attrs, SYSDB_PRIMARY_GROUP_GIDNUM,
ced1f5
-                                         (uint32_t) gid);
ced1f5
+            ret = sdap_user_set_mpg(user_attrs, &gid;;
ced1f5
             if (ret != EOK) {
ced1f5
-                DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_uint32 failed.\n");
ced1f5
+                DEBUG(SSSDBG_OP_FAILURE,
ced1f5
+                      "sdap_user_set_mpg failed [%d]: %s\n", ret,
ced1f5
+                      sss_strerror(ret));
ced1f5
                 goto done;
ced1f5
             }
ced1f5
-
ced1f5
-            gid = 0;
ced1f5
         }
ced1f5
 
ced1f5
         /* Store the GID in the ldap_attrs so it doesn't get
ced1f5
@@ -380,6 +411,41 @@ int sdap_save_user(TALLOC_CTX *memctx,
ced1f5
         */
ced1f5
         ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, gid);
ced1f5
         if (ret != EOK) goto done;
ced1f5
+    } else if (dom->mpg) {
ced1f5
+        /* Likewise, if a domain is set to contain 'magic private groups', do
ced1f5
+         * not process the real GID, but save it in the cache as originalGID
ced1f5
+         * (if available)
ced1f5
+         */
ced1f5
+        ret = sysdb_attrs_get_uint32_t(attrs,
ced1f5
+                                       opts->user_map[SDAP_AT_USER_GID].sys_name,
ced1f5
+                                       &gid;;
ced1f5
+        if (ret == ENOENT) {
ced1f5
+            DEBUG(SSSDBG_TRACE_LIBS,
ced1f5
+                  "Missing GID, won't save the %s attribute\n",
ced1f5
+                  SYSDB_PRIMARY_GROUP_GIDNUM);
ced1f5
+
ced1f5
+            /* Store the UID as GID (since we're in a MPG domain so that it doesn't
ced1f5
+             * get treated as a missing attribute and removed
ced1f5
+             */
ced1f5
+            ret = sdap_replace_id(attrs, SYSDB_GIDNUM, uid);
ced1f5
+            if (ret) {
ced1f5
+                DEBUG(SSSDBG_OP_FAILURE, "Cannot set the id-mapped UID\n");
ced1f5
+                goto done;
ced1f5
+            }
ced1f5
+            gid = 0;
ced1f5
+        } else if (ret != EOK) {
ced1f5
+            DEBUG(SSSDBG_MINOR_FAILURE,
ced1f5
+                  "Cannot retrieve GID, won't save the %s attribute\n",
ced1f5
+                  SYSDB_PRIMARY_GROUP_GIDNUM);
ced1f5
+            gid = 0;
ced1f5
+        }
ced1f5
+
ced1f5
+        ret = sdap_user_set_mpg(user_attrs, &gid;;
ced1f5
+        if (ret != EOK) {
ced1f5
+            DEBUG(SSSDBG_OP_FAILURE,
ced1f5
+                  "sdap_user_set_mpg failed [%d]: %s\n", ret, sss_strerror(ret));
ced1f5
+            goto done;
ced1f5
+        }
ced1f5
     } else {
ced1f5
         ret = sysdb_attrs_get_uint32_t(attrs,
ced1f5
                                        opts->user_map[SDAP_AT_USER_GID].sys_name,
ced1f5
@@ -403,8 +469,9 @@ int sdap_save_user(TALLOC_CTX *memctx,
ced1f5
     }
ced1f5
 
ced1f5
     /* check that the gid is valid for this domain */
ced1f5
-    if (is_posix == true && IS_SUBDOMAIN(dom) == false &&
ced1f5
-            OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
ced1f5
+    if (is_posix == true && IS_SUBDOMAIN(dom) == false
ced1f5
+            && dom->mpg == false
ced1f5
+            && OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
ced1f5
         DEBUG(SSSDBG_CRIT_FAILURE,
ced1f5
               "User [%s] filtered out! (primary gid out of range)\n",
ced1f5
                user_name);
ced1f5
-- 
ced1f5
2.13.5
ced1f5