From 11f6fcedb0ac04528dd319fcf95d1fbaa4ea8bd1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 7 Jul 2016 18:54:02 +0200
Subject: [PATCH 48/62] views: properly override group member names
Resolves https://fedorahosted.org/sssd/ticket/2948
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 1594701fbdc341069e11cff9a85e7a795e52db3d)
---
src/db/sysdb.h | 3 +-
src/db/sysdb_search.c | 99 ++++++++++++++++-------------
src/db/sysdb_views.c | 136 ++++++++++++++++++----------------------
src/responder/nss/nsssrv_cmd.c | 7 ++-
src/tests/cmocka/test_nss_srv.c | 18 +++---
5 files changed, 134 insertions(+), 129 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 405f89e2f1ac6fabc06e77c345de8693845f9d92..a27552224bb40bd07c7dee4dfe35bfb7a0b4f2c3 100644
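--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -572,7 +572,8 @@ errno_t sysdb_add_overrides_to_object(struct sss_domain_info *domain,
 const char **req_attrs);
 
 errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain,
- struct ldb_message *obj);
+ struct ldb_message *obj,
+ bool expect_override_dn);
 
 errno_t sysdb_getpwnam_with_views(TALLOC_CTX *mem_ctx,
 struct sss_domain_info *domain,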
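Review bot: The new `expect_override_dn` flag is undocumented in this header and looks derivable from `domain`: every caller changed in this commit passes `DOM_HAS_VIEWS(domain)`, so a caller that passes a different value would silently look for override objects in the wrong place. If the parameter stays, a comment above the prototype such as `/* expect_override_dn: members carry SYSDB_OVERRIDE_DN (domain has views); if false only the default override name is applied */` would state the contract. Otherwise the function could evaluate `DOM_HAS_VIEWS(domain)` itself and keep the two-argument signature.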
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index e40b36c38e28992e185447497d1bf69cabc09821..cfee5784dbadd692f30d0758e7e5c3c9fb2814cb 100644
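--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -771,28 +771,33 @@ int sysdb_getgrnam_with_views(TALLOC_CTX *mem_ctx,
 
 /* If there are views we have to check if override values must be added to
 * the original object. */
- if (DOM_HAS_VIEWS(domain) && orig_obj->count == 1) {
- if (!is_local_view(domain->view_name)) {
- el = ldb_msg_find_element(orig_obj->msgs[0], SYSDB_GHOST);
- if (el != NULL && el->num_values != 0) {
- DEBUG(SSSDBG_TRACE_ALL, "Group object [%s], contains ghost "
- "entries which must be resolved before overrides can be "
- "applied.\n",
- ldb_dn_get_linearized(orig_obj->msgs[0]->dn));
- ret = ENOENT;
+ if (orig_obj->count == 1) {
+ if (DOM_HAS_VIEWS(domain)) {
+ if (!is_local_view(domain->view_name)) {
+ el = ldb_msg_find_element(orig_obj->msgs[0], SYSDB_GHOST);
+ if (el != NULL && el->num_values != 0) {
+ DEBUG(SSSDBG_TRACE_ALL, "Group object [%s], contains ghost "
+ "entries which must be resolved before overrides can be "
+ "applied.\n",
+ ldb_dn_get_linearized(orig_obj->msgs[0]->dn));
+ ret = ENOENT;
+ goto done;
+ }
+ }
+
+ ret = sysdb_add_overrides_to_object(domain, orig_obj->msgs[0],
+ override_obj == NULL ? NULL : override_obj ->msgs[0],
+ NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_add_overrides_to_object failed.\n");
 goto done;
 }
 }
 
- ret = sysdb_add_overrides_to_object(domain, orig_obj->msgs[0],
- override_obj == NULL ? NULL : override_obj ->msgs[0],
- NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_add_overrides_to_object failed.\n");
- goto done;
- }
-
- ret = sysdb_add_group_member_overrides(domain, orig_obj->msgs[0]);
+ /* Must be called even without views to check to
+ * SYSDB_DEFAULT_OVERRIDE_NAME */
+ ret = sysdb_add_group_member_overrides(domain, orig_obj->msgs[0],
+ DOM_HAS_VIEWS(domain));
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE,
 "sysdb_add_group_member_overrides failed.\n");
@@ -922,28 +927,33 @@ int sysdb_getgrgid_with_views(TALLOC_CTX *mem_ctx,
 
 /* If there are views we have to check if override values must be added to
 * the original object. */
- if (DOM_HAS_VIEWS(domain) && orig_obj->count == 1) {
- if (!is_local_view(domain->view_name)) {
- el = ldb_msg_find_element(orig_obj->msgs[0], SYSDB_GHOST);
- if (el != NULL && el->num_values != 0) {
- DEBUG(SSSDBG_TRACE_ALL, "Group object [%s], contains ghost "
- "entries which must be resolved before overrides can be "
- "applied.\n",
- ldb_dn_get_linearized(orig_obj->msgs[0]->dn));
- ret = ENOENT;
+ if (orig_obj->count == 1) {
+ if (DOM_HAS_VIEWS(domain)) {
+ if (!is_local_view(domain->view_name)) {
+ el = ldb_msg_find_element(orig_obj->msgs[0], SYSDB_GHOST);
+ if (el != NULL && el->num_values != 0) {
+ DEBUG(SSSDBG_TRACE_ALL, "Group object [%s], contains ghost "
+ "entries which must be resolved before overrides can be "
+ "applied.\n",
+ ldb_dn_get_linearized(orig_obj->msgs[0]->dn));
+ ret = ENOENT;
+ goto done;
+ }
+ }
+
+ ret = sysdb_add_overrides_to_object(domain, orig_obj->msgs[0],
+ override_obj == NULL ? NULL : override_obj ->msgs[0],
+ NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_add_overrides_to_object failed.\n");
 goto done;
 }
 }
 
- ret = sysdb_add_overrides_to_object(domain, orig_obj->msgs[0],
- override_obj == NULL ? NULL : override_obj ->msgs[0],
- NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_add_overrides_to_object failed.\n");
- goto done;
- }
-
- ret = sysdb_add_group_member_overrides(domain, orig_obj->msgs[0]);
+ /* Must be called even without views to check to
+ * SYSDB_DEFAULT_OVERRIDE_NAME */
+ ret = sysdb_add_group_member_overrides(domain, orig_obj->msgs[0],
+ DOM_HAS_VIEWS(domain));
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE,
 "sysdb_add_group_member_overrides failed.\n");
@@ -1157,8 +1167,8 @@ int sysdb_enumgrent_filter_with_views(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
- if (DOM_HAS_VIEWS(domain)) {
- for (c = 0; c < res->count; c++) {
+ for (c = 0; c < res->count; c++) {
+ if (DOM_HAS_VIEWS(domain)) {
 ret = sysdb_add_overrides_to_object(domain, res->msgs[c], NULL,
 NULL);
 /* enumeration assumes that the cache is up-to-date, hence we do not
@@ -1167,13 +1177,14 @@ int sysdb_enumgrent_filter_with_views(TALLOC_CTX *mem_ctx,
 DEBUG(SSSDBG_OP_FAILURE, "sysdb_add_overrides_to_object failed.\n");
 goto done;
 }
+ }
 
- ret = sysdb_add_group_member_overrides(domain, res->msgs[c]);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "sysdb_add_group_member_overrides failed.\n");
- goto done;
- }
+ ret = sysdb_add_group_member_overrides(domain, res->msgs[c],
+ DOM_HAS_VIEWS(domain));
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_add_group_member_overrides failed.\n");
+ goto done;
 }
 }
 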
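Review bot: `sysdb_add_group_member_overrides()` is now reached for every group returned by getgrnam, getgrgid and enumeration, views or not, and per the sysdb_views.c part of this commit it resolves members recursively, so each lookup pays a full member walk even in domains that have no overrides at all. Consider skipping the call when its result will not be used, for instance by wrapping it in `if (!domain->ignore_group_members) {` (fill_grent in nsssrv_cmd.c tests that flag; that `domain` here carries the same field is an assumption), which also bounds the work a single request can trigger on very large groups. The new comment is hard to read; `/* Must be called even without views so that SYSDB_DEFAULT_OVERRIDE_NAME is applied to member names */` says what the call is for. The enumeration hunk makes the same call with no comment at all.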
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index 2b89e5ca41f719e1217ef3b9e0fd683656e05d42..79f513d13ba41212a6cd84e1d9e609df6acba29c 100644
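--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -1348,14 +1348,13 @@ done:
 }
 
 errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain,
- struct ldb_message *obj)
+ struct ldb_message *obj,
+ bool expect_override_dn)
 {
 int ret;
 size_t c;
- struct ldb_message_element *members;
+ struct ldb_result *res_members;
 TALLOC_CTX *tmp_ctx;
- struct ldb_dn *member_dn;
- struct ldb_result *member_obj;
 struct ldb_result *override_obj;
 static const char *member_attrs[] = SYSDB_PW_ATTRS;
 const char *override_dn_str;
@@ -1366,12 +1365,6 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain,
 char *val;
 struct sss_domain_info *orig_dom;
 
- members = ldb_msg_find_element(obj, SYSDB_MEMBER);
- if (members == NULL || members->num_values == 0) {
- DEBUG(SSSDBG_TRACE_ALL, "Group has no members.\n");
- return EOK;
- }
-
 tmp_ctx = talloc_new(NULL);
 if (tmp_ctx == NULL) {
 DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
@@ -1379,38 +1372,30 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain,
 goto done;
 }
 
- for (c = 0; c < members->num_values; c++) {
- member_dn = ldb_dn_from_ldb_val(tmp_ctx, domain->sysdb->ldb,
- &members->values[c]);
- if (member_dn == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_from_ldb_val failed.\n");
- ret = ENOMEM;
- goto done;
- }
+ ret = sysdb_get_user_members_recursively(tmp_ctx, domain, obj->dn,
+ &res_members);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_get_user_members_recursively failed.\n");
+ goto done;
+ }
 
- ret = ldb_search(domain->sysdb->ldb, member_dn, &member_obj, member_dn,
- LDB_SCOPE_BASE, member_attrs, NULL);
- if (ret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(ret);
- goto done;
- }
+ for (c = 0; c < res_members->count; c++) {
 
- if (member_obj->count != 1) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Base search for member object returned [%d] results.\n",
- member_obj->count);
- ret = EINVAL;
- goto done;
- }
-
- if (ldb_msg_find_attr_as_uint64(member_obj->msgs[0],
+ if (ldb_msg_find_attr_as_uint64(res_members->msgs[c],
 SYSDB_UIDNUM, 0) == 0) {
 /* Skip non-POSIX-user members i.e. groups and non-POSIX users */
 continue;
 }
 
- override_dn_str = ldb_msg_find_attr_as_string(member_obj->msgs[0],
- SYSDB_OVERRIDE_DN, NULL);
+ if (expect_override_dn) {
+ override_dn_str = ldb_msg_find_attr_as_string(res_members->msgs[c],
+ SYSDB_OVERRIDE_DN,
+ NULL);
+ } else {
+ override_dn_str = ldb_dn_get_linearized(res_members->msgs[c]->dn);
+ }
+
 if (override_dn_str == NULL) {
 if (is_local_view(domain->view_name)) {
 /* LOCAL view doesn't have to have overrideDN specified. */
@@ -1420,12 +1405,12 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain,
 
 DEBUG(SSSDBG_CRIT_FAILURE,
 "Missing override DN for object [%s].\n",
- ldb_dn_get_linearized(member_obj->msgs[0]->dn));
+ ldb_dn_get_linearized(res_members->msgs[c]->dn));
 ret = ENOENT;
 goto done;
 }
 
- override_dn = ldb_dn_new(member_obj, domain->sysdb->ldb,
+ override_dn = ldb_dn_new(res_members, domain->sysdb->ldb,
 override_dn_str);
 if (override_dn == NULL) {
 DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n");
@@ -1433,22 +1418,27 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain,
 goto done;
 }
 
- orig_name = ldb_msg_find_attr_as_string(member_obj->msgs[0],
+ orig_name = ldb_msg_find_attr_as_string(res_members->msgs[c],
 SYSDB_NAME,
 NULL);
 if (orig_name == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Object [%s] has no name.\n",
- ldb_dn_get_linearized(member_obj->msgs[0]->dn));
+ ldb_dn_get_linearized(res_members->msgs[c]->dn));
 ret = EINVAL;
 goto done;
 }
 
- memberuid = NULL;
- if (ldb_dn_compare(member_obj->msgs[0]->dn, override_dn) != 0) {
+ /* start with default view name, if it exists or use NULL */
+ memberuid = ldb_msg_find_attr_as_string(res_members->msgs[c],
+ SYSDB_DEFAULT_OVERRIDE_NAME,
+ NULL);
+
+ /* If there is an override object, check if the name is overridden */
+ if (ldb_dn_compare(res_members->msgs[c]->dn, override_dn) != 0) {
 DEBUG(SSSDBG_TRACE_ALL, "Checking override for object [%s].\n",
- ldb_dn_get_linearized(member_obj->msgs[0]->dn));
+ ldb_dn_get_linearized(res_members->msgs[c]->dn));
 
- ret = ldb_search(domain->sysdb->ldb, member_obj, &override_obj,
+ ret = ldb_search(domain->sysdb->ldb, res_members, &override_obj,
 override_dn, LDB_SCOPE_BASE, member_attrs, NULL);
 if (ret != LDB_SUCCESS) {
 ret = sysdb_error_to_errno(ret);
@@ -1458,43 +1448,44 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain,
 if (override_obj->count != 1) {
 DEBUG(SSSDBG_CRIT_FAILURE,
 "Base search for override object returned [%d] results.\n",
- member_obj->count);
+ override_obj->count);
 ret = EINVAL;
 goto done;
 }
 
 memberuid = ldb_msg_find_attr_as_string(override_obj->msgs[0],
 SYSDB_NAME,
- NULL);
+ memberuid);
+ }
 
- if (memberuid != NULL) {
- ret = sss_parse_internal_fqname(tmp_ctx, orig_name,
- NULL, &orig_domain);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "sss_parse_internal_fqname failed to split [%s].\n",
- orig_name);
+ /* add domain name if memberuid is a short name */
+ if (memberuid != NULL && strchr(memberuid, '@') == NULL) {
+ ret = sss_parse_internal_fqname(tmp_ctx, orig_name,
+ NULL, &orig_domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_parse_internal_fqname failed to split [%s].\n",
+ orig_name);
+ goto done;
+ }
+
+ if (orig_domain != NULL) {
+ orig_dom = find_domain_by_name(get_domains_head(domain),
+ orig_domain, true);
+ if (orig_dom == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot find domain with name [%s].\n",
+ orig_domain);
+ ret = ERR_DOMAIN_NOT_FOUND;
 goto done;
 }
-
- if (orig_domain != NULL) {
- orig_dom = find_domain_by_name(get_domains_head(domain),
- orig_domain, true);
- if (orig_dom == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Cannot find domain with name [%s].\n",
- orig_domain);
- ret = ERR_DOMAIN_NOT_FOUND;
- goto done;
- }
- memberuid = sss_create_internal_fqname(tmp_ctx, memberuid,
- orig_dom->name);
- if (memberuid == NULL) {
- DEBUG(SSSDBG_OP_FAILURE,
- "sss_create_internal_fqname failed.\n");
- ret = ENOMEM;
- goto done;
- }
+ memberuid = sss_create_internal_fqname(tmp_ctx, memberuid,
+ orig_dom->name);
+ if (memberuid == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_create_internal_fqname failed.\n");
+ ret = ENOMEM;
+ goto done;
 }
 }
 }
@@ -1521,9 +1512,6 @@ errno_t sysdb_add_group_member_overrides(struct sss_domain_info *domain,
 DEBUG(SSSDBG_TRACE_ALL, "Added [%s] to [%s].\n", memberuid,
 OVERRIDE_PREFIX SYSDB_MEMBERUID);
 
- /* Free all temporary data of the current member to avoid memory usage
- * spikes. All temporary data should be allocated below member_dn. */
- talloc_free(member_dn);
 }
 
 ret = EOK;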
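Review bot: The short-name test `strchr(memberuid, '@') == NULL` treats any override name that contains `@` as already domain-qualified, so an override value that merely includes that character skips qualification with the member's own domain and could, presumably, be read downstream as a user of a different domain. Because these strings end up in the group's member list, it is safer to decide by parsing than by a character test: run `sss_parse_internal_fqname()` on `memberuid` and skip qualification only when the domain part resolves through `find_domain_by_name()`. Separately, the per-member `talloc_free(member_dn)` is removed while `override_dn` and `override_obj` are now allocated on `res_members`, so temporary data accumulates for the whole loop. A per-iteration talloc context freed at the end of each pass would restore the bound the deleted comment described. The function starts and ends outside these hunks, so the cleanup at `done:` and the handling of a group with no members, whose early return is also removed, cannot be checked from here.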
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 1ae17969688fa29734ca14fd2b152decef1fdbca..4e84b3202cbf367e70a47a3c7edb06e357657538 100644
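--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -2976,7 +2976,12 @@ static int fill_grent(struct sss_packet *packet,
 
 memnum = 0;
 if (!dom->ignore_group_members) {
- el = sss_view_ldb_msg_find_element(dom, msg, SYSDB_MEMBERUID);
+ /* unconditionally prefer OVERRIDE_PREFIX SYSDB_MEMBERUID, it
+ * might contain override names from the default view */
+ el = ldb_msg_find_element(msg, OVERRIDE_PREFIX SYSDB_MEMBERUID);
+ if (el == NULL) {
+ el = ldb_msg_find_element(msg, SYSDB_MEMBERUID);
+ }
 if (el) {
 ret = fill_members(packet, nctx->rctx, dom, nctx, el,
 &rzero, &rsize, &memnum);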
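Review bot: The fallback `if (el == NULL)` only covers a missing override attribute; if `OVERRIDE_PREFIX SYSDB_MEMBERUID` is present but holds no values, the plain `SYSDB_MEMBERUID` list is never consulted and the group would be returned without members. Whether an empty element can reach fill_grent depends on how sysdb_add_group_member_overrides builds it, which is outside this hunk, so this is a defensive check rather than a confirmed defect: `if (el == NULL || el->num_values == 0) {`. fill_grent's body continues beyond the hunk.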
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
index 82a304feed864b09168d0f3e06a4e1bb120df7e4..41425e76f3b76fafa917f33fcfef0946f2f71c7d 100644
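--- a/src/tests/cmocka/test_nss_srv.c
+++ b/src/tests/cmocka/test_nss_srv.c
@@ -1619,11 +1619,11 @@ static int test_nss_getgrnam_check_mix_dom(uint32_t status,
 tmp_ctx = talloc_new(nss_test_ctx);
 assert_non_null(tmp_ctx);
 
- exp_members[0] = testmember1.pw_name;
- exp_members[1] = testmember2.pw_name;
- exp_members[2] = sss_tc_fqname(tmp_ctx, nss_test_ctx->subdom->names,
+ exp_members[0] = sss_tc_fqname(tmp_ctx, nss_test_ctx->subdom->names,
 nss_test_ctx->subdom, submember1.pw_name);
- assert_non_null(exp_members[2]);
+ assert_non_null(exp_members[0]);
+ exp_members[1] = testmember1.pw_name;
+ exp_members[2] = testmember2.pw_name;
 
 assert_int_equal(status, EOK);
 
@@ -1682,14 +1682,14 @@ static int test_nss_getgrnam_check_mix_dom_fqdn(uint32_t status,
 tmp_ctx = talloc_new(nss_test_ctx);
 assert_non_null(tmp_ctx);
 
- exp_members[0] = sss_tc_fqname(tmp_ctx, nss_test_ctx->tctx->dom->names,
- nss_test_ctx->tctx->dom, testmember1.pw_name);
+ exp_members[0] = sss_tc_fqname(tmp_ctx, nss_test_ctx->subdom->names,
+ nss_test_ctx->subdom, submember1.pw_name);
 assert_non_null(exp_members[0]);
 exp_members[1] = sss_tc_fqname(tmp_ctx, nss_test_ctx->tctx->dom->names,
- nss_test_ctx->tctx->dom, testmember2.pw_name);
+ nss_test_ctx->tctx->dom, testmember1.pw_name);
 assert_non_null(exp_members[1]);
- exp_members[2] = sss_tc_fqname(tmp_ctx, nss_test_ctx->subdom->names,
- nss_test_ctx->subdom, submember1.pw_name);
+ exp_members[2] = sss_tc_fqname(tmp_ctx, nss_test_ctx->tctx->dom->names,
+ nss_test_ctx->tctx->dom, testmember2.pw_name);
 assert_non_null(exp_members[2]);
 
 expected.gr_name = sss_tc_fqname(tmp_ctx,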
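Review bot: Nothing in these two hunks exercises the behaviour the commit introduces, a group member whose name comes from `SYSDB_DEFAULT_OVERRIDE_NAME` in a domain without views; they only reorder the expected member list. A case that stores a user with a default override name, adds it to a group and checks the overridden name in the getgrnam reply would pin that path; such a test may exist elsewhere in the file, which is not visible here. The reordering also suggests the checks depend on the order in which the recursive member search returns users, so if that order is not guaranteed, comparing the member lists as sets would keep the tests stable.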
--
2.4.11