From d15c205bed16f5d138ce5c9335ed9f4aa7d4c25c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 17 Jul 2019 11:57:23 +0200
Subject: [PATCH 4/4] sudo: use proper datetime for default modifyTimestamp
value
The current default was simply "1"; however, the OpenLDAP server was unable
to compare modifyTimestamp attribute to simple number. A proper datetime
is required by OpenLDAP.
It worked correctly on 389-ds.
Steps to reproduce:
1. install openldap server
2. run sssd
3. there are no sudo rules on the server and there are no cached objects
4. you'll see in the logs that sudo smart refresh uses `(&(&(objectclass=sudoRole)(modifyTimestamp>=1))...` filter (`1` instead of proper datetime value)
The minimum accepted value by OpenLDAP is 00000101000000Z, as both month and day can not be zero.
Resolves:
https://pagure.io/SSSD/sssd/issue/4046
---
src/providers/ldap/sdap_sudo_shared.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
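diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c
index d2f24ed6e..93a977626 100644
--- a/src/providers/ldap/sdap_sudo_shared.c
+++ b/src/providers/ldap/sdap_sudo_shared.c
@@ -123,11 +123,24 @@ sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx,
 static char *
 sdap_sudo_new_usn(TALLOC_CTX *mem_ctx,
 unsigned long usn,
- const char *leftover)
+ const char *leftover,
+ bool supports_usn)
 {
 const char *str = leftover == NULL ? "" : leftover;
 char *newusn;
 
+ /* This is a fresh start and server uses modifyTimestamp. We need to
+ * provide proper datetime value. */
+ if (!supports_usn && usn == 0) {
+ newusn = talloc_strdup(mem_ctx, "00000101000000Z");
+ if (newusn == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to change USN value (OOM)!\n");
+ return NULL;
+ }
+
+ return newusn;
+ }
+
 /* We increment USN number so that we can later use simplify filter
 * (just usn >= last+1 instead of usn >= last && usn != last).
 */
@@ -178,7 +191,8 @@ sdap_sudo_set_usn(struct sdap_server_opts *srv_opts,
 srv_opts->last_usn = usn_number;
 }
 
- newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, endptr);
+ newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, endptr,
+ srv_opts->supports_usn);
 if (newusn == NULL) {
 return;
 }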
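Review bot: The fresh-start branch added to sdap_sudo_new_usn hard-codes "00000101000000Z" as a bare literal whose meaning lives only in the comment above it; a named constant such as `#define SDAP_SUDO_MODIFY_TIMESTAMP_MIN "00000101000000Z"` (name constructed) defined next to the function and used in the talloc_strdup call would make the modifyTimestamp floor grep-able and document why it is the smallest value OpenLDAP accepts. The branch also keys on `usn == 0` as "nothing cached yet", and since that value comes from the caller's parse of the stored attribute (outside this hunk) it deserves a one-line comment such as `/* 0 is reserved as the no-data sentinel; a real modifyTimestamp presumably never parses to 0 */` so the sentinel is not silently broken later. The `str` initialisation on the line above the guard is unused on this early-return path and could be moved below it. The body of sdap_sudo_new_usn continues past the first hunk, so the increment path that consumes `str` is not visible here.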
--
2.20.1