|
|
9f2ebf |
From 53c6201539d24f8b929120565ca661977ecbb1a4 Mon Sep 17 00:00:00 2001
|
|
|
9f2ebf |
From: Sumit Bose <sbose@redhat.com>
|
|
|
9f2ebf |
Date: Mon, 20 Nov 2017 16:12:58 +0100
|
|
|
9f2ebf |
Subject: [PATCH 65/67] ipa: check for SYSDB_OVERRIDE_DN in process_members and
|
|
|
9f2ebf |
get_group_dn_list
|
|
|
9f2ebf |
MIME-Version: 1.0
|
|
|
9f2ebf |
Content-Type: text/plain; charset=UTF-8
|
|
|
9f2ebf |
Content-Transfer-Encoding: 8bit
|
|
|
9f2ebf |
|
|
|
9f2ebf |
process_members() and get_group_dn_list() are used on an IPA client to
|
|
|
9f2ebf |
determine a list of users or groups which are missing in the cache and
|
|
|
9f2ebf |
are needed to properly add a group or user object to the cache
|
|
|
9f2ebf |
respectively.
|
|
|
9f2ebf |
|
|
|
9f2ebf |
If a non-default view is assigned to the client the SYSDB_OVERRIDE_DN
|
|
|
9f2ebf |
must be set for all user and group objects to indicate that it was
|
|
|
9f2ebf |
already checked if there is an id-override defined for the object or
|
|
|
9f2ebf |
not. There a circumstances were SYSDB_OVERRIDE_DN is not set, e.g. after
|
|
|
9f2ebf |
a view name change. To make sure the cache is in a consistent state with
|
|
|
9f2ebf |
this patch user and group entries without SYSDB_OVERRIDE_DN are
|
|
|
9f2ebf |
considered as missing is a non-default view is assigned to the client.
|
|
|
9f2ebf |
|
|
|
9f2ebf |
Related to https://pagure.io/SSSD/sssd/issue/3579
|
|
|
9f2ebf |
|
|
|
9f2ebf |
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
|
|
|
9f2ebf |
(cherry picked from commit 919b5d76057d31877e0c25ca495711ff76c713d6)
|
|
|
9f2ebf |
---
|
|
|
9f2ebf |
src/providers/ipa/ipa_s2n_exop.c | 145 ++++++++++++++++++++++-----------------
|
|
|
9f2ebf |
1 file changed, 83 insertions(+), 62 deletions(-)
|
|
|
9f2ebf |
|
|
|
9f2ebf |
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
|
|
|
9f2ebf |
index 39ed17cbf0e8c523212084197e9f2963fed88dc8..c6132f509dcc8e7af84e03e8bfe20701107d1392 100644
|
|
|
9f2ebf |
--- a/src/providers/ipa/ipa_s2n_exop.c
|
|
|
9f2ebf |
+++ b/src/providers/ipa/ipa_s2n_exop.c
|
|
|
9f2ebf |
@@ -1523,6 +1523,7 @@ fail:
|
|
|
9f2ebf |
}
|
|
|
9f2ebf |
|
|
|
9f2ebf |
static errno_t process_members(struct sss_domain_info *domain,
|
|
|
9f2ebf |
+ bool is_default_view,
|
|
|
9f2ebf |
struct sysdb_attrs *group_attrs,
|
|
|
9f2ebf |
char **members,
|
|
|
9f2ebf |
TALLOC_CTX *mem_ctx, char ***_missing_members)
|
|
|
9f2ebf |
@@ -1536,6 +1537,7 @@ static errno_t process_members(struct sss_domain_info *domain,
|
|
|
9f2ebf |
struct sss_domain_info *parent_domain;
|
|
|
9f2ebf |
char **missing_members = NULL;
|
|
|
9f2ebf |
size_t miss_count = 0;
|
|
|
9f2ebf |
+ const char *attrs[] = {SYSDB_NAME, SYSDB_OVERRIDE_DN, NULL};
|
|
|
9f2ebf |
|
|
|
9f2ebf |
if (members == NULL) {
|
|
|
9f2ebf |
DEBUG(SSSDBG_TRACE_INTERNAL, "No members\n");
|
|
|
9f2ebf |
@@ -1572,53 +1574,59 @@ static errno_t process_members(struct sss_domain_info *domain,
|
|
|
9f2ebf |
goto done;
|
|
|
9f2ebf |
}
|
|
|
9f2ebf |
|
|
|
9f2ebf |
- ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], NULL,
|
|
|
9f2ebf |
+ ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], attrs,
|
|
|
9f2ebf |
&msg;;
|
|
|
9f2ebf |
- if (ret == EOK) {
|
|
|
9f2ebf |
- if (group_attrs != NULL) {
|
|
|
9f2ebf |
- dn_str = ldb_dn_get_linearized(msg->dn);
|
|
|
9f2ebf |
- if (dn_str == NULL) {
|
|
|
9f2ebf |
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_get_linearized failed.\n");
|
|
|
9f2ebf |
- ret = EINVAL;
|
|
|
9f2ebf |
- goto done;
|
|
|
9f2ebf |
- }
|
|
|
9f2ebf |
-
|
|
|
9f2ebf |
- DEBUG(SSSDBG_TRACE_ALL, "Adding member [%s][%s]\n",
|
|
|
9f2ebf |
- members[c], dn_str);
|
|
|
9f2ebf |
+ if (ret == EOK || ret == ENOENT) {
|
|
|
9f2ebf |
+ if (ret == ENOENT
|
|
|
9f2ebf |
+ || (!is_default_view
|
|
|
9f2ebf |
+ && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN,
|
|
|
9f2ebf |
+ NULL) == NULL)) {
|
|
|
9f2ebf |
+ /* only add ghost if the member is really missing */
|
|
|
9f2ebf |
+ if (group_attrs != NULL && ret == ENOENT) {
|
|
|
9f2ebf |
+ DEBUG(SSSDBG_TRACE_ALL, "Adding ghost member [%s]\n",
|
|
|
9f2ebf |
+ members[c]);
|
|
|
9f2ebf |
|
|
|
9f2ebf |
- ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_MEMBER,
|
|
|
9f2ebf |
- dn_str);
|
|
|
9f2ebf |
- if (ret != EOK) {
|
|
|
9f2ebf |
- DEBUG(SSSDBG_OP_FAILURE,
|
|
|
9f2ebf |
- "sysdb_attrs_add_string_safe failed.\n");
|
|
|
9f2ebf |
- goto done;
|
|
|
9f2ebf |
+ /* There were cases where the server returned the same user
|
|
|
9f2ebf |
+ * multiple times */
|
|
|
9f2ebf |
+ ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_GHOST,
|
|
|
9f2ebf |
+ members[c]);
|
|
|
9f2ebf |
+ if (ret != EOK) {
|
|
|
9f2ebf |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
9f2ebf |
+ "sysdb_attrs_add_string failed.\n");
|
|
|
9f2ebf |
+ goto done;
|
|
|
9f2ebf |
+ }
|
|
|
9f2ebf |
}
|
|
|
9f2ebf |
- }
|
|
|
9f2ebf |
- } else if (ret == ENOENT) {
|
|
|
9f2ebf |
- if (group_attrs != NULL) {
|
|
|
9f2ebf |
- DEBUG(SSSDBG_TRACE_ALL, "Adding ghost member [%s]\n",
|
|
|
9f2ebf |
- members[c]);
|
|
|
9f2ebf |
|
|
|
9f2ebf |
- /* There were cases where the server returned the same user
|
|
|
9f2ebf |
- * multiple times */
|
|
|
9f2ebf |
- ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_GHOST,
|
|
|
9f2ebf |
- members[c]);
|
|
|
9f2ebf |
- if (ret != EOK) {
|
|
|
9f2ebf |
- DEBUG(SSSDBG_OP_FAILURE,
|
|
|
9f2ebf |
- "sysdb_attrs_add_string failed.\n");
|
|
|
9f2ebf |
- goto done;
|
|
|
9f2ebf |
+ if (missing_members != NULL) {
|
|
|
9f2ebf |
+ missing_members[miss_count] = talloc_strdup(missing_members,
|
|
|
9f2ebf |
+ members[c]);
|
|
|
9f2ebf |
+ if (missing_members[miss_count] == NULL) {
|
|
|
9f2ebf |
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
|
|
9f2ebf |
+ ret = ENOMEM;
|
|
|
9f2ebf |
+ goto done;
|
|
|
9f2ebf |
+ }
|
|
|
9f2ebf |
+ miss_count++;
|
|
|
9f2ebf |
}
|
|
|
9f2ebf |
- }
|
|
|
9f2ebf |
+ } else {
|
|
|
9f2ebf |
+ if (group_attrs != NULL) {
|
|
|
9f2ebf |
+ dn_str = ldb_dn_get_linearized(msg->dn);
|
|
|
9f2ebf |
+ if (dn_str == NULL) {
|
|
|
9f2ebf |
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_get_linearized failed.\n");
|
|
|
9f2ebf |
+ ret = EINVAL;
|
|
|
9f2ebf |
+ goto done;
|
|
|
9f2ebf |
+ }
|
|
|
9f2ebf |
+
|
|
|
9f2ebf |
+ DEBUG(SSSDBG_TRACE_ALL, "Adding member [%s][%s]\n",
|
|
|
9f2ebf |
+ members[c], dn_str);
|
|
|
9f2ebf |
|
|
|
9f2ebf |
- if (missing_members != NULL) {
|
|
|
9f2ebf |
- missing_members[miss_count] = talloc_strdup(missing_members,
|
|
|
9f2ebf |
- members[c]);
|
|
|
9f2ebf |
- if (missing_members[miss_count] == NULL) {
|
|
|
9f2ebf |
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
|
|
9f2ebf |
- ret = ENOMEM;
|
|
|
9f2ebf |
- goto done;
|
|
|
9f2ebf |
+ ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_MEMBER,
|
|
|
9f2ebf |
+ dn_str);
|
|
|
9f2ebf |
+ if (ret != EOK) {
|
|
|
9f2ebf |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
9f2ebf |
+ "sysdb_attrs_add_string_safe failed.\n");
|
|
|
9f2ebf |
+ goto done;
|
|
|
9f2ebf |
+ }
|
|
|
9f2ebf |
}
|
|
|
9f2ebf |
- miss_count++;
|
|
|
9f2ebf |
}
|
|
|
9f2ebf |
} else {
|
|
|
9f2ebf |
DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n");
|
|
|
9f2ebf |
@@ -1649,6 +1657,7 @@ done:
|
|
|
9f2ebf |
}
|
|
|
9f2ebf |
|
|
|
9f2ebf |
static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx,
|
|
|
9f2ebf |
+ bool is_default_view,
|
|
|
9f2ebf |
struct sss_domain_info *dom,
|
|
|
9f2ebf |
size_t ngroups, char **groups,
|
|
|
9f2ebf |
struct ldb_dn ***_dn_list,
|
|
|
9f2ebf |
@@ -1664,6 +1673,7 @@ static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx,
|
|
|
9f2ebf |
size_t n_missing = 0;
|
|
|
9f2ebf |
struct sss_domain_info *obj_domain;
|
|
|
9f2ebf |
struct sss_domain_info *parent_domain;
|
|
|
9f2ebf |
+ const char *attrs[] = {SYSDB_NAME, SYSDB_OVERRIDE_DN, NULL};
|
|
|
9f2ebf |
|
|
|
9f2ebf |
tmp_ctx = talloc_new(NULL);
|
|
|
9f2ebf |
if (tmp_ctx == NULL) {
|
|
|
9f2ebf |
@@ -1689,25 +1699,31 @@ static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx,
|
|
|
9f2ebf |
goto done;
|
|
|
9f2ebf |
}
|
|
|
9f2ebf |
|
|
|
9f2ebf |
- ret = sysdb_search_group_by_name(tmp_ctx, obj_domain, groups[c], NULL,
|
|
|
9f2ebf |
+ ret = sysdb_search_group_by_name(tmp_ctx, obj_domain, groups[c], attrs,
|
|
|
9f2ebf |
&msg;;
|
|
|
9f2ebf |
- if (ret == EOK) {
|
|
|
9f2ebf |
- dn_list[n_dns] = ldb_dn_copy(dn_list, msg->dn);
|
|
|
9f2ebf |
- if (dn_list[n_dns] == NULL) {
|
|
|
9f2ebf |
- DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n");
|
|
|
9f2ebf |
- ret = ENOMEM;
|
|
|
9f2ebf |
- goto done;
|
|
|
9f2ebf |
+ if (ret == EOK || ret == ENOENT) {
|
|
|
9f2ebf |
+ if (ret == ENOENT
|
|
|
9f2ebf |
+ || (!is_default_view
|
|
|
9f2ebf |
+ && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN,
|
|
|
9f2ebf |
+ NULL) == NULL)) {
|
|
|
9f2ebf |
+ missing_groups[n_missing] = talloc_strdup(missing_groups,
|
|
|
9f2ebf |
+ groups[c]);
|
|
|
9f2ebf |
+ if (missing_groups[n_missing] == NULL) {
|
|
|
9f2ebf |
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
|
|
9f2ebf |
+ ret = ENOMEM;
|
|
|
9f2ebf |
+ goto done;
|
|
|
9f2ebf |
+ }
|
|
|
9f2ebf |
+ n_missing++;
|
|
|
9f2ebf |
+
|
|
|
9f2ebf |
+ } else {
|
|
|
9f2ebf |
+ dn_list[n_dns] = ldb_dn_copy(dn_list, msg->dn);
|
|
|
9f2ebf |
+ if (dn_list[n_dns] == NULL) {
|
|
|
9f2ebf |
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n");
|
|
|
9f2ebf |
+ ret = ENOMEM;
|
|
|
9f2ebf |
+ goto done;
|
|
|
9f2ebf |
+ }
|
|
|
9f2ebf |
+ n_dns++;
|
|
|
9f2ebf |
}
|
|
|
9f2ebf |
- n_dns++;
|
|
|
9f2ebf |
- } else if (ret == ENOENT) {
|
|
|
9f2ebf |
- missing_groups[n_missing] = talloc_strdup(missing_groups,
|
|
|
9f2ebf |
- groups[c]);
|
|
|
9f2ebf |
- if (missing_groups[n_missing] == NULL) {
|
|
|
9f2ebf |
- DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
|
|
|
9f2ebf |
- ret = ENOMEM;
|
|
|
9f2ebf |
- goto done;
|
|
|
9f2ebf |
- }
|
|
|
9f2ebf |
- n_missing++;
|
|
|
9f2ebf |
} else {
|
|
|
9f2ebf |
DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_group_by_name failed.\n");
|
|
|
9f2ebf |
goto done;
|
|
|
9f2ebf |
@@ -1803,7 +1819,9 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
|
|
|
9f2ebf |
}
|
|
|
9f2ebf |
|
|
|
9f2ebf |
|
|
|
9f2ebf |
- ret = get_group_dn_list(state, state->dom,
|
|
|
9f2ebf |
+ ret = get_group_dn_list(state,
|
|
|
9f2ebf |
+ is_default_view(state->ipa_ctx->view_name),
|
|
|
9f2ebf |
+ state->dom,
|
|
|
9f2ebf |
attrs->ngroups, attrs->groups,
|
|
|
9f2ebf |
&group_dn_list, &missing_list);
|
|
|
9f2ebf |
if (ret != EOK) {
|
|
|
9f2ebf |
@@ -1832,8 +1850,10 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
|
|
|
9f2ebf |
}
|
|
|
9f2ebf |
break;
|
|
|
9f2ebf |
} else if (attrs->response_type == RESP_GROUP_MEMBERS) {
|
|
|
9f2ebf |
- ret = process_members(state->dom, NULL, attrs->a.group.gr_mem,
|
|
|
9f2ebf |
- state, &missing_list);
|
|
|
9f2ebf |
+ ret = process_members(state->dom,
|
|
|
9f2ebf |
+ is_default_view(state->ipa_ctx->view_name),
|
|
|
9f2ebf |
+ NULL, attrs->a.group.gr_mem, state,
|
|
|
9f2ebf |
+ &missing_list);
|
|
|
9f2ebf |
if (ret != EOK) {
|
|
|
9f2ebf |
DEBUG(SSSDBG_OP_FAILURE, "process_members failed.\n");
|
|
|
9f2ebf |
goto done;
|
|
|
9f2ebf |
@@ -2572,8 +2592,9 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
|
|
9f2ebf |
}
|
|
|
9f2ebf |
}
|
|
|
9f2ebf |
|
|
|
9f2ebf |
- ret = process_members(dom, attrs->sysdb_attrs,
|
|
|
9f2ebf |
- attrs->a.group.gr_mem, NULL, NULL);
|
|
|
9f2ebf |
+ ret = process_members(dom, is_default_view(view_name),
|
|
|
9f2ebf |
+ attrs->sysdb_attrs, attrs->a.group.gr_mem,
|
|
|
9f2ebf |
+ NULL, NULL);
|
|
|
9f2ebf |
if (ret != EOK) {
|
|
|
9f2ebf |
DEBUG(SSSDBG_OP_FAILURE, "process_members failed.\n");
|
|
|
9f2ebf |
goto done;
|
|
|
9f2ebf |
--
|
|
|
9f2ebf |
2.14.3
|
|
|
9f2ebf |
|