
From 8441030009c22daa835f89dbc36365415524b320 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 31 Mar 2017 17:12:56 +0200
Subject: [PATCH 114/118] CONFDB: Fix standalone application domains
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When a standalone application domain was configured, for example:
-------------------------------------------------
[sssd]
domains = appdomain
[application/appdomain]
id_provider=ldap
ldap_uri = ldap://dc.ipa.test
ldap_search_base = cn=accounts,dc=ipa,dc=test
ldap_schema = rfc2307bis
sudo_provider = none
ldap_sasl_mech = gssapi
krb5_realm = IPA.TEST
krb5_server = dc.ipa.test
ldap_user_uid_number = telephonenumber
ldap_user_gid_number = mobile
ldap_user_extra_attrs = location:l
-------------------------------------------------
We would, when unrolling the application section into a domain section,
first add a domain stub, equivalent to:
-----------------------------
[domain/appdomain]
domain_type = application
-----------------------------
Which in config.ldb also contains cn. Then, when we would add the parameters
from the [application] section, but try to add the cn again.
This didn't happen when inheriting from a POSIX domain, because there we
would set LDB_FLAG_REPLACE for any attributes that exist in the inherited
domain.
This patch skips the cn attribute both when replacing an inherited
domain's attributes and when writing a standalone application domain.
Resolves:
https://pagure.io/SSSD/sssd/issue/3355
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 734e73257fff1c1884b72b8cf988f6d75c3a7567)
---
 src/confdb/confdb.c | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
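diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 88e114457deac3ca50c291a131122624fb6f6fe4..5bb593de03cc2fb26218b883fd1d753e31bedc2d 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1909,7 +1909,7 @@ static int confdb_add_app_domain(TALLOC_CTX *mem_ctx,
 
     cdb_path = talloc_asprintf(mem_ctx, CONFDB_DOMAIN_PATH_TMPL, name);
     if (cdb_path == NULL) {
-    return ENOMEM;
+        return ENOMEM;
     }
 
     val[0] = CONFDB_DOMAIN_TYPE_APP;
@@ -1933,6 +1933,7 @@ static int confdb_merge_parent_domain(const char *name,
     struct ldb_message *replace_msg = NULL;
     struct ldb_message *app_msg = NULL;
     struct ldb_dn *domain_dn;
+    struct ldb_message_element *el = NULL;
     TALLOC_CTX *tmp_ctx = NULL;
 
     tmp_ctx = talloc_new(NULL);
@@ -1974,6 +1975,12 @@ static int confdb_merge_parent_domain(const char *name,
             replace_msg->elements[i].flags = LDB_FLAG_MOD_ADD;
         }
 
+        el = ldb_msg_find_element(replace_msg, "cn");
+        if (el != NULL) {
+            /* Don't add second cn */
+            ldb_msg_remove_element(replace_msg, el);
+        }
+
         ret = ldb_modify(cdb->ldb, replace_msg);
         if (ret != LDB_SUCCESS) {
             ret = sysdb_error_to_errno(ret);
@@ -1993,7 +2000,14 @@ static int confdb_merge_parent_domain(const char *name,
     app_msg->dn = domain_dn;
 
     for (unsigned i = 0; i < app_section->msgs[0]->num_elements; i++) {
-        struct ldb_message_element *el = NULL;
+        struct ldb_message_element *app_el = &app_section->msgs[0]->elements[i];
+
+        /* These elements will be skipped when replacing attributes in
+         * a domain to avoid EEXIST errors
+         */
+        if (strcasecmp(app_el->name, "cn") == 0) {
+            continue;
+        }
 
         if (replace_msg != NULL) {
             el = ldb_msg_find_element(replace_msg,
@@ -2013,12 +2027,16 @@ static int confdb_merge_parent_domain(const char *name,
         ret = ldb_msg_add(app_msg,
                           &app_section->msgs[0]->elements[i],
                           ldb_flag);
-        if (ret != EOK) {
+        if (ret != LDB_SUCCESS) {
             continue;
         }
     }
 
-    ret = ldb_modify(cdb->ldb, app_msg);
+    /* We use permissive modification here because adding cn or
+     * distinguishedName from the app_section to the application
+     * message would throw EEXIST
+     */
+    ret = sss_ldb_modify_permissive(cdb->ldb, app_msg);
     if (ret != LDB_SUCCESS) {
         ret = sysdb_error_to_errno(ret);
         DEBUG(SSSDBG_OP_FAILURE,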
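Review bot: The `if (ret != LDB_SUCCESS) { continue; }` after `ldb_msg_add()` in the last hunk still drops the attribute silently, so an option from the `[application/...]` section that cannot be added is simply absent from the merged domain, and with the modify now permissive there is no later error to reveal it. I would log before skipping, e.g. `DEBUG(SSSDBG_MINOR_FAILURE, "Cannot add [%s] to the application domain\n", app_el->name);` ahead of the `continue`. In the same loop `app_el` is introduced for the `cn` check while `ldb_msg_add()` still spells out `&app_section->msgs[0]->elements[i]`; passing `app_el` there keeps the two in step. The comment above `sss_ldb_modify_permissive()` still names `cn`, which the `strcasecmp` guard in the previous hunk already skips, so the permissive modify is effectively there for `distinguishedName` and the comment could say so. confdb_merge_parent_domain starts and ends outside these hunks.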
-- 
2.9.3