dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0064-IFP-Search-both-POSIX-and-non-POSIX-domains.patch

bb7cd1
From bab9c21c9ec7ad39555db52511f0f2e425decd94 Mon Sep 17 00:00:00 2001
bb7cd1
From: Jakub Hrozek <jhrozek@redhat.com>
bb7cd1
Date: Fri, 24 Mar 2017 12:44:09 +0100
bb7cd1
Subject: [PATCH 64/72] IFP: Search both POSIX and non-POSIX domains
bb7cd1
MIME-Version: 1.0
bb7cd1
Content-Type: text/plain; charset=UTF-8
bb7cd1
Content-Transfer-Encoding: 8bit
bb7cd1
bb7cd1
Related to:
bb7cd1
https://pagure.io/SSSD/sssd/issue/3310
bb7cd1
bb7cd1
Changes the behaviour of the InfoPipe responder so that both application
bb7cd1
and POSIX domains are searched. In general, the IFP responder uses the
bb7cd1
CACHE_REQ_ANY_DOM lookup type because we can't presume the intention of
bb7cd1
the caller. Therefore, deployments that combine both POSIX and non-POSIX
bb7cd1
domains must use fully qualified names or select the right domain order
bb7cd1
manually.
bb7cd1
bb7cd1
There is one change between the POSIX and non-POSIX users or groups -
bb7cd1
the object path. For the POSIX users, the object path includes the UID
bb7cd1
or GID. Because we don't have that for the non-POSIX objects, the object
bb7cd1
name is used in the path instead.
bb7cd1
bb7cd1
Reviewed-by: Sumit Bose <sbose@redhat.com>
bb7cd1
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
bb7cd1
---
bb7cd1
 src/responder/ifp/ifp_groups.c | 135 ++++++++++++++++++++++-------------
bb7cd1
 src/responder/ifp/ifp_users.c  | 158 ++++++++++++++++++++++++++---------------
bb7cd1
 src/responder/ifp/ifpsrv_cmd.c |   6 +-
bb7cd1
 3 files changed, 194 insertions(+), 105 deletions(-)
bb7cd1
bb7cd1
diff --git a/src/responder/ifp/ifp_groups.c b/src/responder/ifp/ifp_groups.c
bb7cd1
index 99908e96bd971bce4b4e9064a77d8413f837d743..c568c62009cd4b777919dea048fd381a91bd3460 100644
bb7cd1
--- a/src/responder/ifp/ifp_groups.c
bb7cd1
+++ b/src/responder/ifp/ifp_groups.c
bb7cd1
@@ -35,25 +35,33 @@ char * ifp_groups_build_path_from_msg(TALLOC_CTX *mem_ctx,
bb7cd1
                                       struct sss_domain_info *domain,
bb7cd1
                                       struct ldb_message *msg)
bb7cd1
 {
bb7cd1
-    const char *gid;
bb7cd1
+    const char *key = NULL;
bb7cd1
 
bb7cd1
-    gid = ldb_msg_find_attr_as_string(msg, SYSDB_GIDNUM, NULL);
bb7cd1
+    switch (domain->type) {
bb7cd1
+    case DOM_TYPE_APPLICATION:
bb7cd1
+        key = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
bb7cd1
+        break;
bb7cd1
+    case DOM_TYPE_POSIX:
bb7cd1
+        key = ldb_msg_find_attr_as_string(msg, SYSDB_GIDNUM, NULL);
bb7cd1
+        break;
bb7cd1
+    }
bb7cd1
 
bb7cd1
-    if (gid == NULL) {
bb7cd1
+
bb7cd1
+    if (key == NULL) {
bb7cd1
         return NULL;
bb7cd1
     }
bb7cd1
 
bb7cd1
-    return sbus_opath_compose(mem_ctx, IFP_PATH_GROUPS, domain->name, gid);
bb7cd1
+    return sbus_opath_compose(mem_ctx, IFP_PATH_GROUPS, domain->name, key);
bb7cd1
 }
bb7cd1
 
bb7cd1
-static errno_t ifp_groups_decompose_path(struct sss_domain_info *domains,
bb7cd1
+static errno_t ifp_groups_decompose_path(TALLOC_CTX *mem_ctx,
bb7cd1
+                                         struct sss_domain_info *domains,
bb7cd1
                                          const char *path,
bb7cd1
                                          struct sss_domain_info **_domain,
bb7cd1
-                                         gid_t *_gid)
bb7cd1
+                                         char **_key)
bb7cd1
 {
bb7cd1
     char **parts = NULL;
bb7cd1
     struct sss_domain_info *domain;
bb7cd1
-    gid_t gid;
bb7cd1
     errno_t ret;
bb7cd1
 
bb7cd1
     ret = sbus_opath_decompose_exact(NULL, path, IFP_PATH_GROUPS, 2, &parts;;
bb7cd1
@@ -67,14 +75,8 @@ static errno_t ifp_groups_decompose_path(struct sss_domain_info *domains,
bb7cd1
         goto done;
bb7cd1
     }
bb7cd1
 
bb7cd1
-    gid = strtouint32(parts[1], NULL, 10);
bb7cd1
-    ret = errno;
bb7cd1
-    if (ret != EOK) {
bb7cd1
-        goto done;
bb7cd1
-    }
bb7cd1
-
bb7cd1
     *_domain = domain;
bb7cd1
-    *_gid = gid;
bb7cd1
+    *_key = talloc_steal(mem_ctx, parts[1]);
bb7cd1
 
bb7cd1
 done:
bb7cd1
     talloc_free(parts);
bb7cd1
@@ -119,7 +121,7 @@ int ifp_groups_find_by_name(struct sbus_request *sbus_req,
bb7cd1
 
bb7cd1
     req = cache_req_group_by_name_send(sbus_req, ctx->rctx->ev, ctx->rctx,
bb7cd1
                                        ctx->rctx->ncache, 0,
bb7cd1
-                                       CACHE_REQ_POSIX_DOM, NULL,
bb7cd1
+                                       CACHE_REQ_ANY_DOM, NULL,
bb7cd1
                                        name);
bb7cd1
     if (req == NULL) {
bb7cd1
         return ENOMEM;
bb7cd1
@@ -273,7 +275,7 @@ static int ifp_groups_list_by_name_step(struct ifp_list_ctx *list_ctx)
bb7cd1
     req = cache_req_group_by_filter_send(list_ctx,
bb7cd1
                                         list_ctx->ctx->rctx->ev,
bb7cd1
                                         list_ctx->ctx->rctx,
bb7cd1
-                                        CACHE_REQ_POSIX_DOM,
bb7cd1
+                                        CACHE_REQ_ANY_DOM,
bb7cd1
                                         list_ctx->dom->name,
bb7cd1
                                         list_ctx->filter);
bb7cd1
     if (req == NULL) {
bb7cd1
@@ -358,7 +360,7 @@ int ifp_groups_list_by_domain_and_name(struct sbus_request *sbus_req,
bb7cd1
     }
bb7cd1
 
bb7cd1
     req = cache_req_group_by_filter_send(list_ctx, ctx->rctx->ev, ctx->rctx,
bb7cd1
-                                         CACHE_REQ_POSIX_DOM,
bb7cd1
+                                         CACHE_REQ_ANY_DOM,
bb7cd1
                                          domain, filter);
bb7cd1
     if (req == NULL) {
bb7cd1
         return ENOMEM;
bb7cd1
@@ -412,16 +414,65 @@ done:
bb7cd1
 }
bb7cd1
 
bb7cd1
 static errno_t
bb7cd1
+ifp_groups_get_from_cache(struct sbus_request *sbus_req,
bb7cd1
+                         struct sss_domain_info *domain,
bb7cd1
+                         const char *key,
bb7cd1
+                         struct ldb_message **_group)
bb7cd1
+{
bb7cd1
+    struct ldb_result *group_res;
bb7cd1
+    errno_t ret;
bb7cd1
+    gid_t gid;
bb7cd1
+
bb7cd1
+    switch (domain->type) {
bb7cd1
+    case DOM_TYPE_POSIX:
bb7cd1
+        gid = strtouint32(key, NULL, 10);
bb7cd1
+        ret = errno;
bb7cd1
+        if (ret != EOK) {
bb7cd1
+            DEBUG(SSSDBG_CRIT_FAILURE, "Invalid UID value\n");
bb7cd1
+            return ret;
bb7cd1
+        }
bb7cd1
+
bb7cd1
+        ret = sysdb_getgrgid_with_views(sbus_req, domain, gid, &group_res);
bb7cd1
+        if (ret == EOK && group_res->count == 0) {
bb7cd1
+            *_group = NULL;
bb7cd1
+            return ENOENT;
bb7cd1
+        } else if (ret != EOK) {
bb7cd1
+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup group %u@%s [%d]: %s\n",
bb7cd1
+                  gid, domain->name, ret, sss_strerror(ret));
bb7cd1
+            return ret;
bb7cd1
+        }
bb7cd1
+        break;
bb7cd1
+    case DOM_TYPE_APPLICATION:
bb7cd1
+        ret = sysdb_getgrnam_with_views(sbus_req, domain, key, &group_res);
bb7cd1
+        if (ret == EOK && group_res->count == 0) {
bb7cd1
+            *_group = NULL;
bb7cd1
+            return ENOENT;
bb7cd1
+        } else if (ret != EOK) {
bb7cd1
+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup group %s@%s [%d]: %s\n",
bb7cd1
+                  key, domain->name, ret, sss_strerror(ret));
bb7cd1
+            return ret;
bb7cd1
+        }
bb7cd1
+        break;
bb7cd1
+    }
bb7cd1
+
bb7cd1
+    if (group_res->count > 1) {
bb7cd1
+        DEBUG(SSSDBG_CRIT_FAILURE, "More groups matched by the single key\n");
bb7cd1
+        return EIO;
bb7cd1
+    }
bb7cd1
+
bb7cd1
+    *_group = group_res->msgs[0];
bb7cd1
+    return EOK;
bb7cd1
+}
bb7cd1
+
bb7cd1
+static errno_t
bb7cd1
 ifp_groups_group_get(struct sbus_request *sbus_req,
bb7cd1
                      void *data,
bb7cd1
-                     gid_t *_gid,
bb7cd1
                      struct sss_domain_info **_domain,
bb7cd1
                      struct ldb_message **_group)
bb7cd1
 {
bb7cd1
     struct ifp_ctx *ctx;
bb7cd1
     struct sss_domain_info *domain;
bb7cd1
-    struct ldb_result *res;
bb7cd1
-    uid_t gid;
bb7cd1
+    char *key;
bb7cd1
     errno_t ret;
bb7cd1
 
bb7cd1
     ctx = talloc_get_type(data, struct ifp_ctx);
bb7cd1
@@ -430,8 +481,9 @@ ifp_groups_group_get(struct sbus_request *sbus_req,
bb7cd1
         return ERR_INTERNAL;
bb7cd1
     }
bb7cd1
 
bb7cd1
-    ret = ifp_groups_decompose_path(ctx->rctx->domains, sbus_req->path,
bb7cd1
-                                    &domain, &gid;;
bb7cd1
+    ret = ifp_groups_decompose_path(sbus_req,
bb7cd1
+                                    ctx->rctx->domains, sbus_req->path,
bb7cd1
+                                    &domain, &key);
bb7cd1
     if (ret != EOK) {
bb7cd1
         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to decompose object path"
bb7cd1
               "[%s] [%d]: %s\n", sbus_req->path, ret, sss_strerror(ret));
bb7cd1
@@ -439,28 +491,15 @@ ifp_groups_group_get(struct sbus_request *sbus_req,
bb7cd1
     }
bb7cd1
 
bb7cd1
     if (_group != NULL) {
bb7cd1
-        ret = sysdb_getgrgid_with_views(sbus_req, domain, gid, &res;;
bb7cd1
-        if (ret == EOK && res->count == 0) {
bb7cd1
-            *_group = NULL;
bb7cd1
-            ret = ENOENT;
bb7cd1
-        }
bb7cd1
-
bb7cd1
-        if (ret != EOK) {
bb7cd1
-            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup group %u@%s [%d]: %s\n",
bb7cd1
-                  gid, domain->name, ret, sss_strerror(ret));
bb7cd1
-        } else {
bb7cd1
-            *_group = res->msgs[0];
bb7cd1
-        }
bb7cd1
+        ret = ifp_groups_get_from_cache(sbus_req, domain, key, _group);
bb7cd1
     }
bb7cd1
 
bb7cd1
     if (ret == EOK || ret == ENOENT) {
bb7cd1
-        if (_gid != NULL) {
bb7cd1
-            *_gid = gid;
bb7cd1
-        }
bb7cd1
-
bb7cd1
         if (_domain != NULL) {
bb7cd1
             *_domain = domain;
bb7cd1
         }
bb7cd1
+    } else if (ret != EOK) {
bb7cd1
+        DEBUG(SSSDBG_OP_FAILURE, "Unable to retrieve group from cache\n");
bb7cd1
     }
bb7cd1
 
bb7cd1
     return ret;
bb7cd1
@@ -513,7 +552,7 @@ static struct tevent_req *resolv_ghosts_send(TALLOC_CTX *mem_ctx,
bb7cd1
     state->ctx = ctx;
bb7cd1
     state->data = data;
bb7cd1
 
bb7cd1
-    ret = ifp_groups_group_get(sbus_req, data, NULL, &domain, &group);
bb7cd1
+    ret = ifp_groups_group_get(sbus_req, data, &domain, &group);
bb7cd1
     if (ret != EOK) {
bb7cd1
         goto immediately;
bb7cd1
     }
bb7cd1
@@ -527,7 +566,7 @@ static struct tevent_req *resolv_ghosts_send(TALLOC_CTX *mem_ctx,
bb7cd1
 
bb7cd1
     subreq = cache_req_group_by_name_send(state, ev, ctx->rctx,
bb7cd1
                                           ctx->rctx->ncache, 0,
bb7cd1
-                                          CACHE_REQ_POSIX_DOM,
bb7cd1
+                                          CACHE_REQ_ANY_DOM,
bb7cd1
                                           domain->name,
bb7cd1
                                           name);
bb7cd1
     if (subreq == NULL) {
bb7cd1
@@ -561,7 +600,7 @@ static void resolv_ghosts_group_done(struct tevent_req *subreq)
bb7cd1
     req = tevent_req_callback_data(subreq, struct tevent_req);
bb7cd1
     state = tevent_req_data(req, struct resolv_ghosts_state);
bb7cd1
 
bb7cd1
-    ret = ifp_groups_group_get(state->sbus_req, state->data, NULL,
bb7cd1
+    ret = ifp_groups_group_get(state->sbus_req, state->data,
bb7cd1
                                &state->domain, &group);
bb7cd1
     if (ret != EOK) {
bb7cd1
         goto done;
bb7cd1
@@ -608,7 +647,7 @@ errno_t resolv_ghosts_step(struct tevent_req *req)
bb7cd1
 
bb7cd1
     subreq = cache_req_user_by_name_send(state, state->ev, state->ctx->rctx,
bb7cd1
                                          state->ctx->rctx->ncache, 0,
bb7cd1
-                                         CACHE_REQ_POSIX_DOM,
bb7cd1
+                                         CACHE_REQ_ANY_DOM,
bb7cd1
                                          state->domain->name,
bb7cd1
                                          state->ghosts[state->index]);
bb7cd1
     if (subreq == NULL) {
bb7cd1
@@ -719,7 +758,7 @@ void ifp_groups_group_get_name(struct sbus_request *sbus_req,
bb7cd1
         return;
bb7cd1
     }
bb7cd1
 
bb7cd1
-    ret = ifp_groups_group_get(sbus_req, data, NULL, &domain, &msg;;
bb7cd1
+    ret = ifp_groups_group_get(sbus_req, data, &domain, &msg;;
bb7cd1
     if (ret != EOK) {
bb7cd1
         *_out = NULL;
bb7cd1
         return;
bb7cd1
@@ -744,7 +783,7 @@ void ifp_groups_group_get_gid_number(struct sbus_request *sbus_req,
bb7cd1
     struct sss_domain_info *domain;
bb7cd1
     errno_t ret;
bb7cd1
 
bb7cd1
-    ret = ifp_groups_group_get(sbus_req, data, NULL, &domain, &msg;;
bb7cd1
+    ret = ifp_groups_group_get(sbus_req, data, &domain, &msg;;
bb7cd1
     if (ret != EOK) {
bb7cd1
         *_out = 0;
bb7cd1
         return;
bb7cd1
@@ -763,7 +802,7 @@ void ifp_groups_group_get_unique_id(struct sbus_request *sbus_req,
bb7cd1
     struct sss_domain_info *domain;
bb7cd1
     errno_t ret;
bb7cd1
 
bb7cd1
-    ret = ifp_groups_group_get(sbus_req, data, NULL, &domain, &msg;;
bb7cd1
+    ret = ifp_groups_group_get(sbus_req, data, &domain, &msg;;
bb7cd1
     if (ret != EOK) {
bb7cd1
         *_out = 0;
bb7cd1
         return;
bb7cd1
@@ -803,7 +842,7 @@ ifp_groups_group_get_members(TALLOC_CTX *mem_ctx,
bb7cd1
         return ENOMEM;
bb7cd1
     }
bb7cd1
 
bb7cd1
-    ret = ifp_groups_group_get(sbus_req, data, NULL, &domain, &group);
bb7cd1
+    ret = ifp_groups_group_get(sbus_req, data, &domain, &group);
bb7cd1
     if (ret != EOK) {
bb7cd1
         goto done;
bb7cd1
     }
bb7cd1
@@ -954,7 +993,7 @@ int ifp_cache_object_store_group(struct sbus_request *sbus_req,
bb7cd1
     struct ldb_message *group;
bb7cd1
     errno_t ret;
bb7cd1
 
bb7cd1
-    ret = ifp_groups_group_get(sbus_req, data, NULL, &domain, &group);
bb7cd1
+    ret = ifp_groups_group_get(sbus_req, data, &domain, &group);
bb7cd1
     if (ret != EOK) {
bb7cd1
         error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch "
bb7cd1
                                "group [%d]: %s\n", ret, sss_strerror(ret));
bb7cd1
@@ -973,7 +1012,7 @@ int ifp_cache_object_remove_group(struct sbus_request *sbus_req,
bb7cd1
     struct ldb_message *group;
bb7cd1
     errno_t ret;
bb7cd1
 
bb7cd1
-    ret = ifp_groups_group_get(sbus_req, data, NULL, &domain, &group);
bb7cd1
+    ret = ifp_groups_group_get(sbus_req, data, &domain, &group);
bb7cd1
     if (ret != EOK) {
bb7cd1
         error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch "
bb7cd1
                                "group [%d]: %s\n", ret, sss_strerror(ret));
bb7cd1
diff --git a/src/responder/ifp/ifp_users.c b/src/responder/ifp/ifp_users.c
bb7cd1
index 436bb268fa9c78d72fb744e0d338aa561a7d8764..ce9557f94351b730ee46f3cbce31613cb5901942 100644
bb7cd1
--- a/src/responder/ifp/ifp_users.c
bb7cd1
+++ b/src/responder/ifp/ifp_users.c
bb7cd1
@@ -37,25 +37,33 @@ char * ifp_users_build_path_from_msg(TALLOC_CTX *mem_ctx,
bb7cd1
                                      struct sss_domain_info *domain,
bb7cd1
                                      struct ldb_message *msg)
bb7cd1
 {
bb7cd1
-    const char *uid;
bb7cd1
+    const char *key = NULL;
bb7cd1
 
bb7cd1
-    uid = ldb_msg_find_attr_as_string(msg, SYSDB_UIDNUM, NULL);
bb7cd1
+    switch (domain->type) {
bb7cd1
+    case DOM_TYPE_APPLICATION:
bb7cd1
+        key = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
bb7cd1
+        break;
bb7cd1
+    case DOM_TYPE_POSIX:
bb7cd1
+        key = ldb_msg_find_attr_as_string(msg, SYSDB_UIDNUM, NULL);
bb7cd1
+        break;
bb7cd1
+    }
bb7cd1
 
bb7cd1
-    if (uid == NULL) {
bb7cd1
+
bb7cd1
+    if (key == NULL) {
bb7cd1
         return NULL;
bb7cd1
     }
bb7cd1
 
bb7cd1
-    return sbus_opath_compose(mem_ctx, IFP_PATH_USERS, domain->name, uid);
bb7cd1
+    return sbus_opath_compose(mem_ctx, IFP_PATH_USERS, domain->name, key);
bb7cd1
 }
bb7cd1
 
bb7cd1
-static errno_t ifp_users_decompose_path(struct sss_domain_info *domains,
bb7cd1
+static errno_t ifp_users_decompose_path(TALLOC_CTX *mem_ctx,
bb7cd1
+                                        struct sss_domain_info *domains,
bb7cd1
                                         const char *path,
bb7cd1
                                         struct sss_domain_info **_domain,
bb7cd1
-                                        uid_t *_uid)
bb7cd1
+                                        char **_key)
bb7cd1
 {
bb7cd1
     char **parts = NULL;
bb7cd1
     struct sss_domain_info *domain;
bb7cd1
-    uid_t uid;
bb7cd1
     errno_t ret;
bb7cd1
 
bb7cd1
     ret = sbus_opath_decompose_exact(NULL, path, IFP_PATH_USERS, 2, &parts;;
bb7cd1
@@ -69,14 +77,8 @@ static errno_t ifp_users_decompose_path(struct sss_domain_info *domains,
bb7cd1
         goto done;
bb7cd1
     }
bb7cd1
 
bb7cd1
-    uid = strtouint32(parts[1], NULL, 10);
bb7cd1
-    ret = errno;
bb7cd1
-    if (ret != EOK) {
bb7cd1
-        goto done;
bb7cd1
-    }
bb7cd1
-
bb7cd1
     *_domain = domain;
bb7cd1
-    *_uid = uid;
bb7cd1
+    *_key = talloc_steal(mem_ctx, parts[1]);
bb7cd1
 
bb7cd1
 done:
bb7cd1
     talloc_free(parts);
bb7cd1
@@ -100,7 +102,7 @@ int ifp_users_find_by_name(struct sbus_request *sbus_req,
bb7cd1
 
bb7cd1
     req = cache_req_user_by_name_send(sbus_req, ctx->rctx->ev, ctx->rctx,
bb7cd1
                                       ctx->rctx->ncache, 0,
bb7cd1
-                                      CACHE_REQ_POSIX_DOM,
bb7cd1
+                                      CACHE_REQ_ANY_DOM,
bb7cd1
                                       NULL, name);
bb7cd1
     if (req == NULL) {
bb7cd1
         return ENOMEM;
bb7cd1
@@ -256,7 +258,7 @@ int ifp_users_find_by_cert(struct sbus_request *sbus_req, void *data,
bb7cd1
 
bb7cd1
     req = cache_req_user_by_cert_send(sbus_req, ctx->rctx->ev, ctx->rctx,
bb7cd1
                                       ctx->rctx->ncache, 0,
bb7cd1
-                                      CACHE_REQ_POSIX_DOM, NULL,
bb7cd1
+                                      CACHE_REQ_ANY_DOM, NULL,
bb7cd1
                                       derb64);
bb7cd1
     if (req == NULL) {
bb7cd1
         return ENOMEM;
bb7cd1
@@ -371,7 +373,7 @@ static int ifp_users_list_by_cert_step(struct ifp_list_ctx *list_ctx)
bb7cd1
                                       list_ctx->ctx->rctx,
bb7cd1
                                       list_ctx->ctx->rctx->ncache,
bb7cd1
                                       0,
bb7cd1
-                                      CACHE_REQ_POSIX_DOM,
bb7cd1
+                                      CACHE_REQ_ANY_DOM,
bb7cd1
                                       list_ctx->dom->name,
bb7cd1
                                       list_ctx->filter);
bb7cd1
     if (req == NULL) {
bb7cd1
@@ -538,7 +540,7 @@ int ifp_users_find_by_name_and_cert(struct sbus_request *sbus_req, void *data,
bb7cd1
     if (name_and_cert_ctx->name != NULL) {
bb7cd1
         req = cache_req_user_by_name_send(sbus_req, ctx->rctx->ev, ctx->rctx,
bb7cd1
                                           ctx->rctx->ncache, 0,
bb7cd1
-                                          CACHE_REQ_POSIX_DOM,
bb7cd1
+                                          CACHE_REQ_ANY_DOM,
bb7cd1
                                           NULL,
bb7cd1
                                           name_and_cert_ctx->name);
bb7cd1
         if (req == NULL) {
bb7cd1
@@ -621,7 +623,7 @@ static int ifp_users_find_by_name_and_cert_step(
bb7cd1
                                       list_ctx->ctx->rctx,
bb7cd1
                                       list_ctx->ctx->rctx->ncache,
bb7cd1
                                       0,
bb7cd1
-                                      CACHE_REQ_POSIX_DOM,
bb7cd1
+                                      CACHE_REQ_ANY_DOM,
bb7cd1
                                       list_ctx->dom->name,
bb7cd1
                                       list_ctx->filter);
bb7cd1
     if (req == NULL) {
bb7cd1
@@ -782,7 +784,7 @@ static int ifp_users_list_by_name_step(struct ifp_list_ctx *list_ctx)
bb7cd1
     req = cache_req_user_by_filter_send(list_ctx,
bb7cd1
                                         list_ctx->ctx->rctx->ev,
bb7cd1
                                         list_ctx->ctx->rctx,
bb7cd1
-                                        CACHE_REQ_POSIX_DOM,
bb7cd1
+                                        CACHE_REQ_ANY_DOM,
bb7cd1
                                         list_ctx->dom->name,
bb7cd1
                                         list_ctx->filter);
bb7cd1
     if (req == NULL) {
bb7cd1
@@ -867,7 +869,7 @@ int ifp_users_list_by_domain_and_name(struct sbus_request *sbus_req,
bb7cd1
     }
bb7cd1
 
bb7cd1
     req = cache_req_user_by_filter_send(list_ctx, ctx->rctx->ev, ctx->rctx,
bb7cd1
-                                        CACHE_REQ_POSIX_DOM,
bb7cd1
+                                        CACHE_REQ_ANY_DOM,
bb7cd1
                                         domain, filter);
bb7cd1
     if (req == NULL) {
bb7cd1
         return ENOMEM;
bb7cd1
@@ -930,19 +932,69 @@ done:
bb7cd1
 }
bb7cd1
 
bb7cd1
 static errno_t
bb7cd1
+ifp_users_get_from_cache(struct sbus_request *sbus_req,
bb7cd1
+                         struct sss_domain_info *domain,
bb7cd1
+                         const char *key,
bb7cd1
+                         struct ldb_message **_user)
bb7cd1
+{
bb7cd1
+    struct ldb_result *user_res;
bb7cd1
+    errno_t ret;
bb7cd1
+    uid_t uid;
bb7cd1
+
bb7cd1
+    switch (domain->type) {
bb7cd1
+    case DOM_TYPE_POSIX:
bb7cd1
+        uid = strtouint32(key, NULL, 10);
bb7cd1
+        ret = errno;
bb7cd1
+        if (ret != EOK) {
bb7cd1
+            DEBUG(SSSDBG_CRIT_FAILURE, "Invalid UID value\n");
bb7cd1
+            return ret;
bb7cd1
+        }
bb7cd1
+
bb7cd1
+        ret = sysdb_getpwuid_with_views(sbus_req, domain, uid, &user_res);
bb7cd1
+        if (ret == EOK && user_res->count == 0) {
bb7cd1
+            *_user = NULL;
bb7cd1
+            return ENOENT;
bb7cd1
+        } else if (ret != EOK) {
bb7cd1
+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup user %u@%s [%d]: %s\n",
bb7cd1
+                  uid, domain->name, ret, sss_strerror(ret));
bb7cd1
+            return ret;
bb7cd1
+        }
bb7cd1
+        break;
bb7cd1
+    case DOM_TYPE_APPLICATION:
bb7cd1
+        ret = sysdb_getpwnam_with_views(sbus_req, domain, key, &user_res);
bb7cd1
+        if (ret == EOK && user_res->count == 0) {
bb7cd1
+            *_user = NULL;
bb7cd1
+            return ENOENT;
bb7cd1
+        } else if (ret != EOK) {
bb7cd1
+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup user %s@%s [%d]: %s\n",
bb7cd1
+                  key, domain->name, ret, sss_strerror(ret));
bb7cd1
+            return ret;
bb7cd1
+        }
bb7cd1
+        break;
bb7cd1
+    }
bb7cd1
+
bb7cd1
+    if (user_res->count > 1) {
bb7cd1
+        DEBUG(SSSDBG_CRIT_FAILURE, "More users matched by the single key\n");
bb7cd1
+        return EIO;
bb7cd1
+    }
bb7cd1
+
bb7cd1
+    *_user = user_res->msgs[0];
bb7cd1
+    return EOK;
bb7cd1
+}
bb7cd1
+
bb7cd1
+static errno_t
bb7cd1
 ifp_users_user_get(struct sbus_request *sbus_req,
bb7cd1
                    struct ifp_ctx *ifp_ctx,
bb7cd1
-                   uid_t *_uid,
bb7cd1
                    struct sss_domain_info **_domain,
bb7cd1
                    struct ldb_message **_user)
bb7cd1
 {
bb7cd1
     struct sss_domain_info *domain;
bb7cd1
-    struct ldb_result *res;
bb7cd1
-    uid_t uid;
bb7cd1
+    char *key;
bb7cd1
     errno_t ret;
bb7cd1
 
bb7cd1
-    ret = ifp_users_decompose_path(ifp_ctx->rctx->domains, sbus_req->path,
bb7cd1
-                                   &domain, &uid);
bb7cd1
+    ret = ifp_users_decompose_path(sbus_req,
bb7cd1
+                                   ifp_ctx->rctx->domains, sbus_req->path,
bb7cd1
+                                   &domain, &key);
bb7cd1
     if (ret != EOK) {
bb7cd1
         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to decompose object path"
bb7cd1
               "[%s] [%d]: %s\n", sbus_req->path, ret, sss_strerror(ret));
bb7cd1
@@ -950,28 +1002,15 @@ ifp_users_user_get(struct sbus_request *sbus_req,
bb7cd1
     }
bb7cd1
 
bb7cd1
     if (_user != NULL) {
bb7cd1
-        ret = sysdb_getpwuid_with_views(sbus_req, domain, uid, &res;;
bb7cd1
-        if (ret == EOK && res->count == 0) {
bb7cd1
-            *_user = NULL;
bb7cd1
-            ret = ENOENT;
bb7cd1
-        }
bb7cd1
-
bb7cd1
-        if (ret != EOK) {
bb7cd1
-            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup user %u@%s [%d]: %s\n",
bb7cd1
-                  uid, domain->name, ret, sss_strerror(ret));
bb7cd1
-        } else {
bb7cd1
-            *_user = res->msgs[0];
bb7cd1
-        }
bb7cd1
+        ret = ifp_users_get_from_cache(sbus_req, domain, key, _user);
bb7cd1
     }
bb7cd1
 
bb7cd1
     if (ret == EOK || ret == ENOENT) {
bb7cd1
-        if (_uid != NULL) {
bb7cd1
-            *_uid = uid;
bb7cd1
-        }
bb7cd1
-
bb7cd1
         if (_domain != NULL) {
bb7cd1
             *_domain = domain;
bb7cd1
         }
bb7cd1
+    } else if (ret != EOK) {
bb7cd1
+        DEBUG(SSSDBG_OP_FAILURE, "Unable to retrieve user from cache\n");
bb7cd1
     }
bb7cd1
 
bb7cd1
     return ret;
bb7cd1
@@ -1000,7 +1039,7 @@ static void ifp_users_get_as_string(struct sbus_request *sbus_req,
bb7cd1
         return;
bb7cd1
     }
bb7cd1
 
bb7cd1
-    ret = ifp_users_user_get(sbus_req, ifp_ctx, NULL, &domain, &msg;;
bb7cd1
+    ret = ifp_users_user_get(sbus_req, ifp_ctx, &domain, &msg;;
bb7cd1
     if (ret != EOK) {
bb7cd1
         return;
bb7cd1
     }
bb7cd1
@@ -1034,7 +1073,7 @@ static void ifp_users_get_name(struct sbus_request *sbus_req,
bb7cd1
         return;
bb7cd1
     }
bb7cd1
 
bb7cd1
-    ret = ifp_users_user_get(sbus_req, ifp_ctx, NULL, &domain, &msg;;
bb7cd1
+    ret = ifp_users_user_get(sbus_req, ifp_ctx, &domain, &msg;;
bb7cd1
     if (ret != EOK) {
bb7cd1
         return;
bb7cd1
     }
bb7cd1
@@ -1072,7 +1111,7 @@ static void ifp_users_get_as_uint32(struct sbus_request *sbus_req,
bb7cd1
         return;
bb7cd1
     }
bb7cd1
 
bb7cd1
-    ret = ifp_users_user_get(sbus_req, ifp_ctx, NULL, &domain, &msg;;
bb7cd1
+    ret = ifp_users_user_get(sbus_req, ifp_ctx, &domain, &msg;;
bb7cd1
     if (ret != EOK) {
bb7cd1
         return;
bb7cd1
     }
bb7cd1
@@ -1100,7 +1139,7 @@ int ifp_users_user_update_groups_list(struct sbus_request *sbus_req,
bb7cd1
         return ERR_INTERNAL;
bb7cd1
     }
bb7cd1
 
bb7cd1
-    ret = ifp_users_user_get(sbus_req, data, NULL, &domain, &user);
bb7cd1
+    ret = ifp_users_user_get(sbus_req, data, &domain, &user);
bb7cd1
     if (ret != EOK) {
bb7cd1
         return ret;
bb7cd1
     }
bb7cd1
@@ -1113,7 +1152,7 @@ int ifp_users_user_update_groups_list(struct sbus_request *sbus_req,
bb7cd1
 
bb7cd1
     req = cache_req_initgr_by_name_send(sbus_req, ctx->rctx->ev, ctx->rctx,
bb7cd1
                                         ctx->rctx->ncache, 0,
bb7cd1
-                                        CACHE_REQ_POSIX_DOM, domain->name,
bb7cd1
+                                        CACHE_REQ_ANY_DOM, domain->name,
bb7cd1
                                         username);
bb7cd1
     if (req == NULL) {
bb7cd1
         return ENOMEM;
bb7cd1
@@ -1235,7 +1274,7 @@ void ifp_users_user_get_groups(struct sbus_request *sbus_req,
bb7cd1
         return;
bb7cd1
     }
bb7cd1
 
bb7cd1
-    ret = ifp_users_user_get(sbus_req, ifp_ctx, NULL, &domain, &user);
bb7cd1
+    ret = ifp_users_user_get(sbus_req, ifp_ctx, &domain, &user);
bb7cd1
     if (ret != EOK) {
bb7cd1
         return;
bb7cd1
     }
bb7cd1
@@ -1268,7 +1307,7 @@ void ifp_users_user_get_groups(struct sbus_request *sbus_req,
bb7cd1
     for (i = 0; i < res->count; i++) {
bb7cd1
         gid = sss_view_ldb_msg_find_attr_as_uint64(domain, res->msgs[i],
bb7cd1
                                                    SYSDB_GIDNUM, 0);
bb7cd1
-        if (gid == 0) {
bb7cd1
+        if (gid == 0 && domain->type == DOM_TYPE_POSIX) {
bb7cd1
             continue;
bb7cd1
         }
bb7cd1
 
bb7cd1
@@ -1293,11 +1332,12 @@ void ifp_users_user_get_extra_attributes(struct sbus_request *sbus_req,
bb7cd1
 {
bb7cd1
     struct ifp_ctx *ifp_ctx;
bb7cd1
     struct sss_domain_info *domain;
bb7cd1
+    struct ldb_message *base_user;
bb7cd1
+    const char *name;
bb7cd1
     struct ldb_message **user;
bb7cd1
     struct ldb_message_element *el;
bb7cd1
     struct ldb_dn *basedn;
bb7cd1
     size_t count;
bb7cd1
-    uid_t uid;
bb7cd1
     const char *filter;
bb7cd1
     const char **extra;
bb7cd1
     hash_table_t *table;
bb7cd1
@@ -1322,7 +1362,7 @@ void ifp_users_user_get_extra_attributes(struct sbus_request *sbus_req,
bb7cd1
         return;
bb7cd1
     }
bb7cd1
 
bb7cd1
-    ret = ifp_users_user_get(sbus_req, data, &uid, &domain, NULL);
bb7cd1
+    ret = ifp_users_user_get(sbus_req, data, &domain, &base_user);
bb7cd1
     if (ret != EOK) {
bb7cd1
         return;
bb7cd1
     }
bb7cd1
@@ -1333,9 +1373,15 @@ void ifp_users_user_get_extra_attributes(struct sbus_request *sbus_req,
bb7cd1
         return;
bb7cd1
     }
bb7cd1
 
bb7cd1
-    filter = talloc_asprintf(sbus_req, "(&(%s=%s)(%s=%u))",
bb7cd1
+    name = ldb_msg_find_attr_as_string(base_user, SYSDB_NAME, NULL);
bb7cd1
+    if (name == NULL) {
bb7cd1
+        DEBUG(SSSDBG_CRIT_FAILURE, "A user with no name\n");
bb7cd1
+        return;
bb7cd1
+    }
bb7cd1
+
bb7cd1
+    filter = talloc_asprintf(sbus_req, "(&(%s=%s)(%s=%s))",
bb7cd1
                              SYSDB_OBJECTCLASS, SYSDB_USER_CLASS,
bb7cd1
-                             SYSDB_UIDNUM, uid);
bb7cd1
+                             SYSDB_NAME, name);
bb7cd1
     if (filter == NULL) {
bb7cd1
         DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n");
bb7cd1
         return;
bb7cd1
@@ -1351,7 +1397,7 @@ void ifp_users_user_get_extra_attributes(struct sbus_request *sbus_req,
bb7cd1
     }
bb7cd1
 
bb7cd1
     if (count == 0) {
bb7cd1
-        DEBUG(SSSDBG_TRACE_FUNC, "User %u not found!\n", uid);
bb7cd1
+        DEBUG(SSSDBG_TRACE_FUNC, "User %s not found!\n", name);
bb7cd1
         return;
bb7cd1
     } else if (count > 1) {
bb7cd1
         DEBUG(SSSDBG_CRIT_FAILURE, "More than one entry found!\n");
bb7cd1
@@ -1421,7 +1467,7 @@ int ifp_cache_object_store_user(struct sbus_request *sbus_req,
bb7cd1
     struct ldb_message *user;
bb7cd1
     errno_t ret;
bb7cd1
 
bb7cd1
-    ret = ifp_users_user_get(sbus_req, data, NULL, &domain, &user);
bb7cd1
+    ret = ifp_users_user_get(sbus_req, data, &domain, &user);
bb7cd1
     if (ret != EOK) {
bb7cd1
         error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch "
bb7cd1
                                "user [%d]: %s\n", ret, sss_strerror(ret));
bb7cd1
@@ -1440,7 +1486,7 @@ int ifp_cache_object_remove_user(struct sbus_request *sbus_req,
bb7cd1
     struct ldb_message *user;
bb7cd1
     errno_t ret;
bb7cd1
 
bb7cd1
-    ret = ifp_users_user_get(sbus_req, data, NULL, &domain, &user);
bb7cd1
+    ret = ifp_users_user_get(sbus_req, data, &domain, &user);
bb7cd1
     if (ret != EOK) {
bb7cd1
         error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch "
bb7cd1
                                "user [%d]: %s\n", ret, sss_strerror(ret));
bb7cd1
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
bb7cd1
index 118b5083b14bf5692c6fdd7ba90668fe514aa89d..d10f35e41dbb1623a0b9de37a4c43363cbefc1a3 100644
bb7cd1
--- a/src/responder/ifp/ifpsrv_cmd.c
bb7cd1
+++ b/src/responder/ifp/ifpsrv_cmd.c
bb7cd1
@@ -508,8 +508,12 @@ ifp_user_get_attr_lookup(struct tevent_req *subreq)
bb7cd1
         return;
bb7cd1
     }
bb7cd1
 
bb7cd1
+    /* IFP serves both POSIX and application domains. Requests that need
bb7cd1
+     * to differentiate between the two must be qualified
bb7cd1
+     */
bb7cd1
     subreq = cache_req_send(state, state->rctx->ev, state->rctx,
bb7cd1
-                            state->ncache, 0, CACHE_REQ_POSIX_DOM,
bb7cd1
+                            state->ncache, 0,
bb7cd1
+                            CACHE_REQ_ANY_DOM,
bb7cd1
                             state->domname, data);
bb7cd1
     if (subreq == NULL) {
bb7cd1
         tevent_req_error(req, ENOMEM);
bb7cd1
-- 
bb7cd1
2.9.3
bb7cd1