From bf4580b2f893cfb29d804a9fe6bb2d6247bb5cf2 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 8 Jul 2018 22:17:41 +0200
Subject: [PATCH] SDAP: Detect schemaNamingContext from the rootDSE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Whether an attribute is replicated to the Global Catalog or not can be
detected by checking the value of the isMemberOfPartialAttributeSet
attribute:
https://docs.microsoft.com/en-us/windows/desktop/ADSchema/a-ismemberofpartialattributeset
This attribute is present in all objects with the objectClass
attributeSchema in AD:
https://docs.microsoft.com/en-us/windows/desktop/AD/characteristics-of-attributes
And finally, the attributeSchema objects in AD are present in a schema
naming context. The schema naming context is replicated to all DCs in the
forest even though their own naming context might be different:
https://docs.microsoft.com/en-us/windows/desktop/ad/naming-contexts-and-partitions
Where the schema naming context is located is given by the
schemaNamingContext attribute of the rootDSE.
This patch is trivial on its own and just reads schemaNamingContext from
the rootDSE and stores it in the sdap_options structure for later use.
Related:
https://pagure.io/SSSD/sssd/issue/3755
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit c8d1c1b734a1763b3e1233f060cc5c8d6db078e9)
---
src/providers/ldap/sdap.c | 10 ++++++++++
src/providers/ldap/sdap.h | 3 +++
2 files changed, 13 insertions(+)
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 0241a99e49e94345753399d5d62639c99b95ee77..5c9d0a45dfb96e8901467aa6a3391b8df84f6d42 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -1284,6 +1284,7 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
const char *last_usn_name;
const char *last_usn_value;
const char *entry_usn_name;
+ const char *schema_nc = NULL;
char *endptr = NULL;
int ret;
int i;
@@ -1400,6 +1401,15 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
"(%s). Continuing without AD performance enhancements\n",
strerror(ret));
}
+
+ ret = sysdb_attrs_get_string(rootdse,
+ SDAP_ROOTDSE_ATTR_AD_SCHEMA_NC,
+ &schema_nc);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Will look for schema at [%s]\n", schema_nc);
+ opts->schema_basedn = talloc_strdup(opts, schema_nc);
+ }
}
if (!last_usn_name) {
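Review bot: `opts->schema_basedn = talloc_strdup(opts, schema_nc);` is not checked for failure, so an allocation error leaves schema_basedn NULL and is indistinguishable to later callers from the rootDSE simply not advertising schemaNamingContext, right after the debug line has announced that the schema will be looked up there. A minimal check would be `if (opts->schema_basedn == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed\n"); return ENOMEM; }`, or a jump to the function's cleanup path if it has one, since sdap_get_server_opts_from_rootdse continues outside the hunk and may hold resources this early return would leak. Unlike the domainControllerFunctionality branch just above, a non-EOK result from sysdb_attrs_get_string is also silently dropped here; a one-line debug message for the ret != EOK case would make a missing or malformed attribute visible in the logs. If this function can run more than once for the same opts (for example after a reconnect), the previous schema_basedn string stays allocated on opts until opts itself is freed; freeing the old value before assigning the new one would avoid that growth.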
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 0790544818633e26ee5a8fbdca556b8230b1df3f..31c25c32f059b4290a7511600cee638ee7a269e8 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -130,6 +130,7 @@ struct sdap_ppolicy_data {
#define SDAP_ROOTDSE_ATTR_NAMING_CONTEXTS "namingContexts"
#define SDAP_ROOTDSE_ATTR_DEFAULT_NAMING_CONTEXT "defaultNamingContext"
#define SDAP_ROOTDSE_ATTR_AD_VERSION "domainControllerFunctionality"
+#define SDAP_ROOTDSE_ATTR_AD_SCHEMA_NC "schemaNamingContext"
#define SDAP_IPA_USN "entryUSN"
#define SDAP_IPA_LAST_USN "lastUSN"
@@ -496,8 +497,10 @@ struct sdap_options {
/* The search bases for the domain or its subdomain */
struct sdap_domain *sdom;
+ /* The options below are normally only used with AD */
bool support_matching_rule;
enum dc_functional_level dc_functional_level;
+ const char *schema_basedn;
/* Certificate mapping support */
struct sdap_certmap_ctx *sdap_certmap_ctx;
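Review bot: The new `const char *schema_basedn;` member carries no comment stating its ownership or when it may be NULL, while neighbouring members such as sdom and sdap_certmap_ctx are annotated. Since the sdap.c hunk fills it from the rootDSE only when the lookup succeeds, a reader of the header cannot tell that it is optional; suggest `/* schemaNamingContext read from the rootDSE, talloc'd on opts; NULL if the server did not advertise it */` directly above the member. struct sdap_options begins before this hunk.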
--
2.17.1