From 5fcce16c212037b5193556dc2f6bcb7e4d7f0f85 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Sat, 30 Jun 2018 13:21:18 +0200

Subject: [PATCH] LDAP: Remove the legacy POSIX check itself

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

This code is no longer needed now.

Related:

https://pagure.io/SSSD/sssd/issue/3755

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

(cherry picked from commit 5b2b6493dfb3c1f2cb945356e34c70d8c5d64185)

DOWNSTREAM:

Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers

---

 src/providers/ad/ad_common.c     |   2 -

 src/providers/ldap/ldap_common.c |  17 ---

 src/providers/ldap/ldap_common.h |   7 --

 src/providers/ldap/sdap.h        |   1 -

 src/providers/ldap/sdap_async.c  | 174 -------------------------------

 src/providers/ldap/sdap_async.h  |  13 ---

 6 files changed, 214 deletions(-)

diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c

index eaf0814f1aaf51a5085e992efa633240f32c498e..6d395cfb1d4148e803a656a8f7205fe13570085b 100644

--- a/src/providers/ad/ad_common.c

+++ b/src/providers/ad/ad_common.c

@@ -1388,7 +1388,6 @@ ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,

         clist[cindex] = ad_ctx->gc_ctx;

         clist[cindex]->ignore_mark_offline = true;

         clist[cindex]->no_mpg_user_fallback = true;

-        clist[cindex]->check_posix_attrs = true;

         cindex++;

     }

@@ -1435,7 +1434,6 @@ ad_user_conn_list(TALLOC_CTX *mem_ctx,

             && IS_SUBDOMAIN(dom)) {

         clist[cindex] = ad_ctx->gc_ctx;

         clist[cindex]->ignore_mark_offline = true;

-        clist[cindex]->check_posix_attrs = true;

         cindex++;

     }

diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c

index a0a9b8523310b2551ee992f8d0c2e369dafaa56d..9cd8ec09c7fdc6bd1c8d64da150178f483f2a5a3 100644

--- a/src/providers/ldap/ldap_common.c

+++ b/src/providers/ldap/ldap_common.c

@@ -884,20 +884,3 @@ sdap_id_ctx_new(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,

     return sdap_ctx;

 }

-

-bool should_run_posix_check(struct sdap_id_ctx *ctx,

-                            struct sdap_id_conn_ctx *conn,

-                            bool use_id_mapping,

-                            bool posix_request)

-{

-    if (use_id_mapping == false &&

-            posix_request == true &&

-            ctx->opts->schema_type == SDAP_SCHEMA_AD &&

-            conn->check_posix_attrs == true &&

-            ctx->srv_opts &&

-            ctx->srv_opts->posix_checked == false) {

-        return true;

-    }

-

-    return false;

-}

diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h

index 3de3568cb28c258c00f9b522c0b9120adca81d81..6c08d789b339424649c938b845e7118f5ea88f73 100644

--- a/src/providers/ldap/ldap_common.h

+++ b/src/providers/ldap/ldap_common.h

@@ -59,8 +59,6 @@ struct sdap_id_conn_ctx {

     bool ignore_mark_offline;

     /* do not fall back to user lookups for mpg domains on this connection */

     bool no_mpg_user_fallback;

-    /* check if this connection contains POSIX attributes */

-    bool check_posix_attrs;

 };

 struct sdap_id_ctx {

@@ -309,11 +307,6 @@ char *get_enterprise_principal_string_filter(TALLOC_CTX *mem_ctx,

                                              const char *princ,

                                              struct dp_option *sdap_basic_opts);

-bool should_run_posix_check(struct sdap_id_ctx *ctx,

-                            struct sdap_id_conn_ctx *conn,

-                            bool id_mapping,

-                            bool posix_request);

-

 char *sdap_get_access_filter(TALLOC_CTX *mem_ctx,

                              const char *base_filter);

diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h

index e892c407103b18a296ae6baaf3dcfff11ca4bf31..0790544818633e26ee5a8fbdca556b8230b1df3f 100644

--- a/src/providers/ldap/sdap.h

+++ b/src/providers/ldap/sdap.h

@@ -511,7 +511,6 @@ struct sdap_server_opts {

     char *max_group_value;

     char *max_service_value;

     char *max_sudo_value;

-    bool posix_checked;

 };

 struct sdap_id_ctx;

diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c

index 1e77b1c3c612d28a7d1f7e686cbc0b094b07c89d..8fc832ae5720acac07b0e2a24255f6c5e3d6994b 100644

--- a/src/providers/ldap/sdap_async.c

+++ b/src/providers/ldap/sdap_async.c

@@ -2572,180 +2572,6 @@ int sdap_asq_search_recv(struct tevent_req *req,

     return EOK;

 }

-/* ==POSIX attribute presence test================================= */

-static void sdap_gc_posix_check_done(struct tevent_req *subreq);

-static errno_t sdap_gc_posix_check_parse(struct sdap_handle *sh,

-                                         struct sdap_msg *msg,

-                                         void *pvt);

-

-struct sdap_gc_posix_check_state {

-    struct tevent_context *ev;

-    struct sdap_options *opts;

-    struct sdap_handle *sh;

-    int timeout;

-

-    const char **attrs;

-    const char *filter;

-

-    bool has_posix;

-};

-

-struct tevent_req *

-sdap_gc_posix_check_send(TALLOC_CTX *memctx, struct tevent_context *ev,

-                         struct sdap_options *opts, struct sdap_handle *sh,

-                         int timeout)

-{

-    struct tevent_req *req = NULL;

-    struct tevent_req *subreq = NULL;

-    struct sdap_gc_posix_check_state *state;

-    errno_t ret;

-

-    req = tevent_req_create(memctx, &state, struct sdap_gc_posix_check_state);

-    if (req == NULL) {

-        return NULL;

-    }

-    state->ev = ev;

-    state->sh = sh;

-    state->opts = opts;

-    state->timeout = timeout;

-

-    state->attrs = talloc_array(state, const char *, 4);

-    if (state->attrs == NULL) {

-        ret = ENOMEM;

-        goto fail;

-    }

-    state->attrs[0] = "objectclass";

-    state->attrs[1] = opts->user_map[SDAP_AT_USER_UID].name;

-    state->attrs[2] = opts->group_map[SDAP_AT_GROUP_GID].name;

-    state->attrs[3] = NULL;

-

-    state->filter = talloc_asprintf(state,

-        "(|(&(%s=*)(objectclass=%s))(&(%s=*)(objectclass=%s)))",

-                                    opts->user_map[SDAP_AT_USER_UID].name,

-                                    opts->user_map[SDAP_OC_USER].name,

-                                    opts->group_map[SDAP_AT_GROUP_GID].name,

-                                    opts->group_map[SDAP_OC_GROUP].name);

-    if (state->filter == NULL) {

-        ret = ENOMEM;

-        goto fail;

-    }

-

-    subreq = sdap_get_generic_ext_send(state, state->ev, state->opts,

-                                 state->sh,

-                                 "",

-                                 LDAP_SCOPE_SUBTREE, state->filter,

-                                 state->attrs,

-                                 NULL, NULL, 1, state->timeout,

-                                 sdap_gc_posix_check_parse, state,

-                                 SDAP_SRCH_FLG_SIZELIMIT_SILENT);

-    if (subreq == NULL) {

-        ret = ENOMEM;

-        goto fail;

-    }

-    tevent_req_set_callback(subreq, sdap_gc_posix_check_done, req);

-

-    return req;

-

-fail:

-    tevent_req_error(req, ret);

-    tevent_req_post(req, ev);

-    return req;

-}

-

-static errno_t sdap_gc_posix_check_parse(struct sdap_handle *sh,

-                                         struct sdap_msg *msg,

-                                         void *pvt)

-{

-    struct berval **vals = NULL;

-    struct sdap_gc_posix_check_state *state =

-        talloc_get_type(pvt, struct sdap_gc_posix_check_state);

-    char *dn;

-    char *endptr;

-

-    dn = ldap_get_dn(sh->ldap, msg->msg);

-    if (dn == NULL) {

-        DEBUG(SSSDBG_TRACE_LIBS,

-              "Search did not find any entry with POSIX attributes\n");

-        goto done;

-    }

-    DEBUG(SSSDBG_TRACE_LIBS, "Found [%s] with POSIX attributes\n", dn);

-    ldap_memfree(dn);

-

-    vals = ldap_get_values_len(sh->ldap, msg->msg,

-                               state->opts->user_map[SDAP_AT_USER_UID].name);

-    if (vals == NULL) {

-        vals = ldap_get_values_len(sh->ldap, msg->msg,

-                               state->opts->group_map[SDAP_AT_GROUP_GID].name);

-        if (vals == NULL) {

-            DEBUG(SSSDBG_TRACE_LIBS, "Entry does not have POSIX attrs?\n");

-            goto done;

-        }

-    }

-

-    if (vals[0] == NULL) {

-        DEBUG(SSSDBG_TRACE_LIBS, "No value for POSIX attr\n");

-        goto done;

-    }

-

-    errno = 0;

-    strtouint32(vals[0]->bv_val, &endptr, 10);

-    if (errno || *endptr || (vals[0]->bv_val == endptr)) {

-        DEBUG(SSSDBG_MINOR_FAILURE,

-              "POSIX attribute is not a number: %s\n", vals[0]->bv_val);

-    }

-

-    state->has_posix = true;

-done:

-    ldap_value_free_len(vals);

-    return EOK;

-}

-

-static void sdap_gc_posix_check_done(struct tevent_req *subreq)

-{

-    struct tevent_req *req = tevent_req_callback_data(subreq,

-                                                      struct tevent_req);

-    struct sdap_gc_posix_check_state *state =

-        tevent_req_data(req, struct sdap_gc_posix_check_state);

-    errno_t ret;

-

-    ret = sdap_get_generic_ext_recv(subreq, NULL, NULL, NULL);

-    talloc_zfree(subreq);

-    if (ret != EOK) {

-        DEBUG(SSSDBG_OP_FAILURE,

-              "sdap_get_generic_ext_recv failed [%d]: %s\n",

-              ret, strerror(ret));

-        tevent_req_error(req, ret);

-        return;

-    }

-

-    /* Positive hit is definitive, no need to search other bases */

-    if (state->has_posix == true) {

-        DEBUG(SSSDBG_FUNC_DATA, "Server has POSIX attributes. Global Catalog will "

-                                "be used for user and group lookups. Note that if "

-                                "only a subset of POSIX attributes is present "

-                                "in GC, the non-replicated attributes are "

-                                "currently not read from the LDAP port\n");

-        tevent_req_done(req);

-        return;

-    }

-

-    /* All bases done! */

-    DEBUG(SSSDBG_TRACE_LIBS, "Cycled through all bases\n");

-    tevent_req_done(req);

-}

-

-int sdap_gc_posix_check_recv(struct tevent_req *req,

-                             bool *_has_posix)

-{

-    struct sdap_gc_posix_check_state *state = tevent_req_data(req,

-                                            struct sdap_gc_posix_check_state);

-

-    TEVENT_REQ_RETURN_ON_ERROR(req);

-

-    *_has_posix = state->has_posix;

-    return EOK;

-}

-

 /* ==Generic Deref Search============================================ */

 enum sdap_deref_type {

     SDAP_DEREF_OPENLDAP,

diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h

index 6ca3ed8d82ea7e4cb049b1c65c639b2773b8c296..6d09aca7a3465df4503991f0dc82e2af3871ccd5 100644

--- a/src/providers/ldap/sdap_async.h

+++ b/src/providers/ldap/sdap_async.h

@@ -281,19 +281,6 @@ int sdap_deref_search_recv(struct tevent_req *req,

                            size_t *reply_count,

                            struct sdap_deref_attrs ***reply);

-/*

- * This request should only be ran against a Global Catalog connection

- * because it uses a NULL search base to search all domains in the forest,

- * which would return an error with an LDAP port:

- *  https://technet.microsoft.com/en-us/library/cc755809(v=ws.10).aspx

- */

-struct tevent_req *

-sdap_gc_posix_check_send(TALLOC_CTX *memctx, struct tevent_context *ev,

-                         struct sdap_options *opts, struct sdap_handle *sh,

-                         int timeout);

-

-int sdap_gc_posix_check_recv(struct tevent_req *req,

-                             bool *_has_posix);

 struct tevent_req *

 sdap_sd_search_send(TALLOC_CTX *memctx,

-- 

2.17.1