dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0006-SDAP-Allow-the-mpg-flag-for-the-main-domain.patch

9f2ebf
From c28d61203655dd41cd8eb69752e435d3241e63b2 Mon Sep 17 00:00:00 2001
9f2ebf
From: Jakub Hrozek <jhrozek@redhat.com>
9f2ebf
Date: Tue, 3 Oct 2017 12:34:49 +0200
9f2ebf
Subject: [PATCH 06/21] SDAP: Allow the mpg flag for the main domain
9f2ebf
MIME-Version: 1.0
9f2ebf
Content-Type: text/plain; charset=UTF-8
9f2ebf
Content-Transfer-Encoding: 8bit
9f2ebf
9f2ebf
This commit allows saving the users in the MPG domain in the SDAP
9f2ebf
layer.
9f2ebf
9f2ebf
The commit contains the following changes:
9f2ebf
    - abstracts the change where if the primary GID exists in the original
9f2ebf
      object, it is saved instead as the SYSDB_PRIMARY_GROUP_GIDNUM attribute,
9f2ebf
      which will allow the original primary GID to be exposed as a
9f2ebf
      secondary group
9f2ebf
9f2ebf
    - if the primary GID does not exist, no SYSDB_PRIMARY_GROUP_GIDNUM
9f2ebf
      is added. This will allow to handle LDAP objects that only contain
9f2ebf
      the UID but no GID. Since this is a new use-case, a test is added
9f2ebf
      later
9f2ebf
9f2ebf
    - a branch that handles the above is added to sdap_save_user() also
9f2ebf
      for joined domains that set the MPG flag. Previously, only
9f2ebf
      subdomains were handled.
9f2ebf
9f2ebf
    - to allow passing GID=0 to the sysdb layer, the range check is
9f2ebf
      relaxed.
9f2ebf
9f2ebf
Related:
9f2ebf
    https://pagure.io/SSSD/sssd/issue/1872
9f2ebf
9f2ebf
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
9f2ebf
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
9f2ebf
(cherry picked from commit cdb74b2cc6cc3fe52969712907c9eb4026c7a44f)
9f2ebf
---
9f2ebf
 src/providers/ldap/sdap_async_users.c | 83 +++++++++++++++++++++++++++++++----
9f2ebf
 1 file changed, 75 insertions(+), 8 deletions(-)
9f2ebf
9f2ebf
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
9f2ebf
index 09d096e84cac6c9d52bcde0e1587c47dbd88b504..7338b4a15694b1d0a16723990130a23a7280af5f 100644
9f2ebf
--- a/src/providers/ldap/sdap_async_users.c
9f2ebf
+++ b/src/providers/ldap/sdap_async_users.c
9f2ebf
@@ -136,6 +136,38 @@ static errno_t sdap_set_non_posix_flag(struct sysdb_attrs *attrs,
9f2ebf
     return EOK;
9f2ebf
 }
9f2ebf
 
9f2ebf
+static int sdap_user_set_mpg(struct sysdb_attrs *user_attrs,
9f2ebf
+                             gid_t *_gid)
9f2ebf
+{
9f2ebf
+    errno_t ret;
9f2ebf
+
9f2ebf
+    if (_gid == NULL) {
9f2ebf
+        return EINVAL;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    if (*_gid == 0) {
9f2ebf
+        /* The original entry had no GID number. This is OK, we just won't add
9f2ebf
+         * the SYSDB_PRIMARY_GROUP_GIDNUM attribute
9f2ebf
+         */
9f2ebf
+        return EOK;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    ret = sysdb_attrs_add_uint32(user_attrs,
9f2ebf
+                                 SYSDB_PRIMARY_GROUP_GIDNUM,
9f2ebf
+                                 (uint32_t) *_gid);
9f2ebf
+    if (ret != EOK) {
9f2ebf
+        DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_uint32 failed.\n");
9f2ebf
+        return ret;
9f2ebf
+    }
9f2ebf
+
9f2ebf
+    /* We won't really store gidNumber=0, but the zero value tells
9f2ebf
+     * the sysdb layer that no GID is set, which sysdb requires for
9f2ebf
+     * MPG-enabled domains
9f2ebf
+     */
9f2ebf
+    *_gid = 0;
9f2ebf
+    return EOK;
9f2ebf
+}
9f2ebf
+
9f2ebf
 /* FIXME: support storing additional attributes */
9f2ebf
 int sdap_save_user(TALLOC_CTX *memctx,
9f2ebf
                    struct sdap_options *opts,
9f2ebf
@@ -357,7 +389,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
9f2ebf
             goto done;
9f2ebf
         }
9f2ebf
 
9f2ebf
-        if (IS_SUBDOMAIN(dom)) {
9f2ebf
+        if (IS_SUBDOMAIN(dom) || dom->mpg == true) {
9f2ebf
             /* For subdomain users, only create the private group as
9f2ebf
              * the subdomain is an MPG domain.
9f2ebf
              * But we have to save the GID of the original primary group
9f2ebf
@@ -365,14 +397,13 @@ int sdap_save_user(TALLOC_CTX *memctx,
9f2ebf
              * typically (Unix and AD) the user is not listed in his primary
9f2ebf
              * group as a member.
9f2ebf
              */
9f2ebf
-            ret = sysdb_attrs_add_uint32(user_attrs, SYSDB_PRIMARY_GROUP_GIDNUM,
9f2ebf
-                                         (uint32_t) gid);
9f2ebf
+            ret = sdap_user_set_mpg(user_attrs, &gid;;
9f2ebf
             if (ret != EOK) {
9f2ebf
-                DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_uint32 failed.\n");
9f2ebf
+                DEBUG(SSSDBG_OP_FAILURE,
9f2ebf
+                      "sdap_user_set_mpg failed [%d]: %s\n", ret,
9f2ebf
+                      sss_strerror(ret));
9f2ebf
                 goto done;
9f2ebf
             }
9f2ebf
-
9f2ebf
-            gid = 0;
9f2ebf
         }
9f2ebf
 
9f2ebf
         /* Store the GID in the ldap_attrs so it doesn't get
9f2ebf
@@ -380,6 +411,41 @@ int sdap_save_user(TALLOC_CTX *memctx,
9f2ebf
         */
9f2ebf
         ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, gid);
9f2ebf
         if (ret != EOK) goto done;
9f2ebf
+    } else if (dom->mpg) {
9f2ebf
+        /* Likewise, if a domain is set to contain 'magic private groups', do
9f2ebf
+         * not process the real GID, but save it in the cache as originalGID
9f2ebf
+         * (if available)
9f2ebf
+         */
9f2ebf
+        ret = sysdb_attrs_get_uint32_t(attrs,
9f2ebf
+                                       opts->user_map[SDAP_AT_USER_GID].sys_name,
9f2ebf
+                                       &gid;;
9f2ebf
+        if (ret == ENOENT) {
9f2ebf
+            DEBUG(SSSDBG_TRACE_LIBS,
9f2ebf
+                  "Missing GID, won't save the %s attribute\n",
9f2ebf
+                  SYSDB_PRIMARY_GROUP_GIDNUM);
9f2ebf
+
9f2ebf
+            /* Store the UID as GID (since we're in a MPG domain so that it doesn't
9f2ebf
+             * get treated as a missing attribute and removed
9f2ebf
+             */
9f2ebf
+            ret = sdap_replace_id(attrs, SYSDB_GIDNUM, uid);
9f2ebf
+            if (ret) {
9f2ebf
+                DEBUG(SSSDBG_OP_FAILURE, "Cannot set the id-mapped UID\n");
9f2ebf
+                goto done;
9f2ebf
+            }
9f2ebf
+            gid = 0;
9f2ebf
+        } else if (ret != EOK) {
9f2ebf
+            DEBUG(SSSDBG_MINOR_FAILURE,
9f2ebf
+                  "Cannot retrieve GID, won't save the %s attribute\n",
9f2ebf
+                  SYSDB_PRIMARY_GROUP_GIDNUM);
9f2ebf
+            gid = 0;
9f2ebf
+        }
9f2ebf
+
9f2ebf
+        ret = sdap_user_set_mpg(user_attrs, &gid;;
9f2ebf
+        if (ret != EOK) {
9f2ebf
+            DEBUG(SSSDBG_OP_FAILURE,
9f2ebf
+                  "sdap_user_set_mpg failed [%d]: %s\n", ret, sss_strerror(ret));
9f2ebf
+            goto done;
9f2ebf
+        }
9f2ebf
     } else {
9f2ebf
         ret = sysdb_attrs_get_uint32_t(attrs,
9f2ebf
                                        opts->user_map[SDAP_AT_USER_GID].sys_name,
9f2ebf
@@ -403,8 +469,9 @@ int sdap_save_user(TALLOC_CTX *memctx,
9f2ebf
     }
9f2ebf
 
9f2ebf
     /* check that the gid is valid for this domain */
9f2ebf
-    if (is_posix == true && IS_SUBDOMAIN(dom) == false &&
9f2ebf
-            OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
9f2ebf
+    if (is_posix == true && IS_SUBDOMAIN(dom) == false
9f2ebf
+            && dom->mpg == false
9f2ebf
+            && OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
9f2ebf
         DEBUG(SSSDBG_CRIT_FAILURE,
9f2ebf
               "User [%s] filtered out! (primary gid out of range)\n",
9f2ebf
                user_name);
9f2ebf
-- 
9f2ebf
2.13.5
9f2ebf