From b2cd4a74e231611f7862a8bb39a655c5194a035a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 30 May 2019 12:52:33 +0200
Subject: [PATCH 41/44] sysdb: read and interpret domain's enabled attribute
Disable domain if its sysdb object has enabled=false.
Resolves:
https://pagure.io/SSSD/sssd/issue/4009
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit d278704d85fea74c229b67e6a63b650b0d776c88)
---
src/db/sysdb_private.h | 3 ++-
src/db/sysdb_subdomains.c | 29 ++++++++++++++++++---
src/tests/cmocka/test_fqnames.c | 2 +-
src/tests/cmocka/test_negcache.c | 2 +-
src/tests/cmocka/test_nss_srv.c | 2 +-
src/tests/cmocka/test_responder_cache_req.c | 2 +-
src/tests/sysdb-tests.c | 8 +++---
7 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h
|
|
|
5fca41 |
index 58544d826..f3d34dd6f 100644
|
|
|
5fca41 |
--- a/src/db/sysdb_private.h
|
|
|
5fca41 |
+++ b/src/db/sysdb_private.h
|
|
|
5fca41 |
@@ -206,7 +206,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
|
|
|
5fca41 |
const char *forest,
|
|
|
5fca41 |
const char **upn_suffixes,
|
|
|
5fca41 |
uint32_t trust_direction,
|
|
|
5fca41 |
- struct confdb_ctx *confdb);
|
|
|
5fca41 |
+ struct confdb_ctx *confdb,
|
|
|
5fca41 |
+ bool enabled);
|
|
|
5fca41 |
|
|
|
5fca41 |
/* Helper functions to deal with the timestamp cache should not be used
|
|
|
5fca41 |
* outside the sysdb itself. The timestamp cache should be completely
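Review bot: The new `bool enabled` argument at the end of the `new_subdomain` prototype is undocumented, and it is the thirteenth positional parameter in a list that already mixes booleans, NULL-able pointers and an integer. The call sites updated later in this patch end in runs such as `NULL, NULL, 0, NULL, true`, where a transposed argument is likely to still compile. A one-line comment above the prototype, for example `/* enabled == false creates the subdomain in DOM_DISABLED state instead of DOM_ACTIVE */`, would make the contract visible to callers. The prototype starts above the hunk, so only its tail is visible here.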
|
|
|
5fca41 |
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
|
|
|
5fca41 |
index d467dfce5..cf09b424e 100644
|
|
|
5fca41 |
--- a/src/db/sysdb_subdomains.c
|
|
|
5fca41 |
+++ b/src/db/sysdb_subdomains.c
|
|
|
5fca41 |
@@ -39,7 +39,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
|
|
|
5fca41 |
const char *forest,
|
|
|
5fca41 |
const char **upn_suffixes,
|
|
|
5fca41 |
uint32_t trust_direction,
|
|
|
5fca41 |
- struct confdb_ctx *confdb)
|
|
|
5fca41 |
+ struct confdb_ctx *confdb,
|
|
|
5fca41 |
+ bool enabled)
|
|
|
5fca41 |
{
|
|
|
5fca41 |
struct sss_domain_info *dom;
|
|
|
5fca41 |
bool inherit_option;
|
|
|
5fca41 |
@@ -127,7 +128,7 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
|
|
|
5fca41 |
dom->enumerate = enumerate;
|
|
|
5fca41 |
dom->fqnames = true;
|
|
|
5fca41 |
dom->mpg_mode = mpg_mode;
|
|
|
5fca41 |
- dom->state = DOM_ACTIVE;
|
|
|
5fca41 |
+ dom->state = enabled ? DOM_ACTIVE : DOM_DISABLED;
|
|
|
5fca41 |
|
|
|
5fca41 |
/* use fully qualified names as output in order to avoid causing
|
|
|
5fca41 |
* conflicts with users who have the same name and either the
|
|
|
5fca41 |
@@ -313,6 +314,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
|
|
|
5fca41 |
SYSDB_SUBDOMAIN_FOREST,
|
|
|
5fca41 |
SYSDB_SUBDOMAIN_TRUST_DIRECTION,
|
|
|
5fca41 |
SYSDB_UPN_SUFFIXES,
|
|
|
5fca41 |
+ SYSDB_ENABLED,
|
|
|
5fca41 |
NULL};
|
|
|
5fca41 |
struct sss_domain_info *dom;
|
|
|
5fca41 |
struct ldb_dn *basedn;
|
|
|
5fca41 |
@@ -322,6 +324,7 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
|
|
|
5fca41 |
const char *id;
|
|
|
5fca41 |
const char *forest;
|
|
|
5fca41 |
const char *str_mpg_mode;
|
|
|
5fca41 |
+ bool enabled;
|
|
|
5fca41 |
enum sss_domain_mpg_mode mpg_mode;
|
|
|
5fca41 |
bool enumerate;
|
|
|
5fca41 |
uint32_t trust_direction;
|
|
|
5fca41 |
@@ -406,10 +409,14 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
|
|
|
5fca41 |
SYSDB_SUBDOMAIN_TRUST_DIRECTION,
|
|
|
5fca41 |
0);
|
|
|
5fca41 |
|
|
|
5fca41 |
+ enabled = ldb_msg_find_attr_as_bool(res->msgs[i], SYSDB_ENABLED, true);
|
|
|
5fca41 |
+
|
|
|
5fca41 |
for (dom = domain->subdomains; dom;
|
|
|
5fca41 |
dom = get_next_domain(dom, SSS_GND_INCLUDE_DISABLED)) {
|
|
|
5fca41 |
if (strcasecmp(dom->name, name) == 0) {
|
|
|
5fca41 |
- sss_domain_set_state(dom, DOM_ACTIVE);
|
|
|
5fca41 |
+ if (enabled) {
|
|
|
5fca41 |
+ sss_domain_set_state(dom, DOM_ACTIVE);
|
|
|
5fca41 |
+ }
|
|
|
5fca41 |
|
|
|
5fca41 |
/* in theory these may change, but it should never happen */
|
|
|
5fca41 |
if (strcasecmp(dom->realm, realm) != 0) {
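Review bot: For a subdomain that already exists in memory, the `enabled == false` case is handled only by omission: `if (enabled) { sss_domain_set_state(dom, DOM_ACTIVE); }` has no `else`, so the domain keeps whatever state it had when the loop reached it. That is correct only if sysdb_update_subdomains puts every subdomain into DOM_DISABLED before it walks the search results, which this hunk does not show. If that reset exists, a comment such as `/* disabled in sysdb: keep the DOM_DISABLED state set before the search */` would document the dependency; if it does not, add `else { sss_domain_set_state(dom, DOM_DISABLED); }` so a domain switched off in the cache cannot stay active. The function body begins and ends outside the hunk.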
|
|
|
5fca41 |
@@ -522,7 +529,8 @@ errno_t sysdb_update_subdomains(struct sss_domain_info *domain,
|
|
|
5fca41 |
if (dom == NULL) {
|
|
|
5fca41 |
dom = new_subdomain(domain, domain, name, realm,
|
|
|
5fca41 |
flat, id, mpg_mode, enumerate, forest,
|
|
|
5fca41 |
- upn_suffixes, trust_direction, confdb);
|
|
|
5fca41 |
+ upn_suffixes, trust_direction, confdb,
|
|
|
5fca41 |
+ enabled);
|
|
|
5fca41 |
if (dom == NULL) {
|
|
|
5fca41 |
ret = ENOMEM;
|
|
|
5fca41 |
goto done;
|
|
|
5fca41 |
@@ -548,12 +556,15 @@ errno_t sysdb_master_domain_update(struct sss_domain_info *domain)
|
|
|
5fca41 |
struct ldb_message_element *tmp_el;
|
|
|
5fca41 |
struct ldb_dn *basedn;
|
|
|
5fca41 |
struct ldb_result *res;
|
|
|
5fca41 |
+ enum sss_domain_state state;
|
|
|
5fca41 |
+ bool enabled;
|
|
|
5fca41 |
const char *attrs[] = {"cn",
|
|
|
5fca41 |
SYSDB_SUBDOMAIN_REALM,
|
|
|
5fca41 |
SYSDB_SUBDOMAIN_FLAT,
|
|
|
5fca41 |
SYSDB_SUBDOMAIN_ID,
|
|
|
5fca41 |
SYSDB_SUBDOMAIN_FOREST,
|
|
|
5fca41 |
SYSDB_UPN_SUFFIXES,
|
|
|
5fca41 |
+ SYSDB_ENABLED,
|
|
|
5fca41 |
NULL};
|
|
|
5fca41 |
char *view_name = NULL;
|
|
|
5fca41 |
|
|
|
5fca41 |
@@ -650,6 +661,16 @@ errno_t sysdb_master_domain_update(struct sss_domain_info *domain)
|
|
|
5fca41 |
talloc_zfree(domain->upn_suffixes);
|
|
|
5fca41 |
}
|
|
|
5fca41 |
|
|
|
5fca41 |
+ state = sss_domain_get_state(domain);
|
|
|
5fca41 |
+ enabled = ldb_msg_find_attr_as_bool(res->msgs[0], SYSDB_ENABLED, true);
|
|
|
5fca41 |
+ if (!enabled) {
|
|
|
5fca41 |
+ sss_domain_set_state(domain, DOM_DISABLED);
|
|
|
5fca41 |
+ } else if (state == DOM_DISABLED) {
|
|
|
5fca41 |
+ /* We do not want to enable INACTIVE or INCONSISTENT domain. This
|
|
|
5fca41 |
+ * is managed by data provider. */
|
|
|
5fca41 |
+ sss_domain_set_state(domain, DOM_ACTIVE);
|
|
|
5fca41 |
+ }
|
|
|
5fca41 |
+
|
|
|
5fca41 |
ret = sysdb_get_view_name(tmp_ctx, domain->sysdb, &view_name);
|
|
|
5fca41 |
if (ret != EOK && ret != ENOENT) {
|
|
|
5fca41 |
DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_view_name failed.\n");
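Review bot: `ldb_msg_find_attr_as_bool(res->msgs[0], SYSDB_ENABLED, true)` fails open: the default `true` is returned when the attribute is absent and, as far as I know for this ldb helper, also when the stored value is neither TRUE nor FALSE, so a mistyped value leaves the domain enabled without any trace. The same call with the same default is used for subdomains in the sysdb_update_subdomains hunk above. Defaulting to enabled is presumably needed for cache entries written before the attribute existed, but that reasoning should be stated in a comment, e.g. `/* missing attribute means enabled, for entries stored without SYSDB_ENABLED */`. Because this state presumably decides whether the domain is used for lookups, consider logging the transition as well, e.g. `DEBUG(SSSDBG_TRACE_FUNC, "Domain %s is disabled in sysdb.\n", domain->name);` inside the `if (!enabled)` branch.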
|
|
|
5fca41 |
diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c
|
|
|
5fca41 |
index 09f7db0d1..770c0d7bf 100644
|
|
|
5fca41 |
--- a/src/tests/cmocka/test_fqnames.c
|
|
|
5fca41 |
+++ b/src/tests/cmocka/test_fqnames.c
|
|
|
5fca41 |
@@ -310,7 +310,7 @@ static int parse_name_test_setup(void **state)
|
|
|
5fca41 |
*/
|
|
|
5fca41 |
test_ctx->subdom = new_subdomain(dom, dom, SUBDOMNAME, NULL, SUBFLATNAME,
|
|
|
5fca41 |
NULL, MPG_DISABLED, false,
|
|
|
5fca41 |
- NULL, NULL, 0, NULL);
|
|
|
5fca41 |
+ NULL, NULL, 0, NULL, true);
|
|
|
5fca41 |
assert_non_null(test_ctx->subdom);
|
|
|
5fca41 |
|
|
|
5fca41 |
check_leaks_push(test_ctx);
|
|
|
5fca41 |
diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c
|
|
|
5fca41 |
index 0a7e563e0..0876cfdaf 100644
|
|
|
5fca41 |
--- a/src/tests/cmocka/test_negcache.c
|
|
|
5fca41 |
+++ b/src/tests/cmocka/test_negcache.c
|
|
|
5fca41 |
@@ -645,7 +645,7 @@ static void test_sss_ncache_prepopulate(void **state)
|
|
|
5fca41 |
subdomain = new_subdomain(tc, tc->dom,
|
|
|
5fca41 |
testdom[0], testdom[1], testdom[2], testdom[3],
|
|
|
5fca41 |
false, false, NULL, NULL, 0,
|
|
|
5fca41 |
- tc->confdb);
|
|
|
5fca41 |
+ tc->confdb, true);
|
|
|
5fca41 |
assert_non_null(subdomain);
|
|
|
5fca41 |
|
|
|
5fca41 |
ret = sysdb_subdomain_store(tc->sysdb,
|
|
|
5fca41 |
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
|
|
|
5fca41 |
index 0ae177571..95c080caf 100644
|
|
|
5fca41 |
--- a/src/tests/cmocka/test_nss_srv.c
|
|
|
5fca41 |
+++ b/src/tests/cmocka/test_nss_srv.c
|
|
|
5fca41 |
@@ -3475,7 +3475,7 @@ static int nss_subdom_test_setup_common(void **state, bool nonfqnames)
|
|
|
5fca41 |
subdomain = new_subdomain(nss_test_ctx, nss_test_ctx->tctx->dom,
|
|
|
5fca41 |
testdom[0], testdom[1], testdom[2], testdom[3],
|
|
|
5fca41 |
false, false, NULL, NULL, 0,
|
|
|
5fca41 |
- nss_test_ctx->tctx->confdb);
|
|
|
5fca41 |
+ nss_test_ctx->tctx->confdb, true);
|
|
|
5fca41 |
assert_non_null(subdomain);
|
|
|
5fca41 |
|
|
|
5fca41 |
ret = sysdb_subdomain_store(nss_test_ctx->tctx->sysdb,
|
|
|
5fca41 |
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
|
|
|
5fca41 |
index 47d9aab54..9f3b49cd9 100644
|
|
|
5fca41 |
--- a/src/tests/cmocka/test_responder_cache_req.c
|
|
|
5fca41 |
+++ b/src/tests/cmocka/test_responder_cache_req.c
|
|
|
5fca41 |
@@ -687,7 +687,7 @@ static int test_subdomain_setup(void **state)
|
|
|
5fca41 |
test_ctx->subdomain = new_subdomain(test_ctx, test_ctx->tctx->dom,
|
|
|
5fca41 |
testdom[0], testdom[1], testdom[2], testdom[3],
|
|
|
5fca41 |
MPG_DISABLED, false, NULL, NULL, 0,
|
|
|
5fca41 |
- test_ctx->tctx->confdb);
|
|
|
5fca41 |
+ test_ctx->tctx->confdb, true);
|
|
|
5fca41 |
assert_non_null(test_ctx->subdomain);
|
|
|
5fca41 |
|
|
|
5fca41 |
ret = sysdb_subdomain_store(test_ctx->tctx->sysdb,
|
|
|
5fca41 |
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
|
|
|
5fca41 |
index ed98fe6ce..832d60466 100644
|
|
|
5fca41 |
--- a/src/tests/sysdb-tests.c
|
|
|
5fca41 |
+++ b/src/tests/sysdb-tests.c
|
|
|
5fca41 |
@@ -1541,7 +1541,7 @@ START_TEST (test_sysdb_get_user_attr_subdomain)
|
|
|
5fca41 |
/* Create subdomain */
|
|
|
5fca41 |
subdomain = new_subdomain(test_ctx, test_ctx->domain,
|
|
|
5fca41 |
"test.sub", "TEST.SUB", "test", "S-3",
|
|
|
5fca41 |
- MPG_DISABLED, false, NULL, NULL, 0, NULL);
|
|
|
5fca41 |
+ MPG_DISABLED, false, NULL, NULL, 0, NULL, true);
|
|
|
5fca41 |
fail_if(subdomain == NULL, "Failed to create new subdomain.");
|
|
|
5fca41 |
|
|
|
5fca41 |
ret = sss_names_init_from_args(test_ctx,
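Review bot: Every `new_subdomain` call site touched by this patch, here and in the other test hunks, passes `true`, so nothing visible in the patch exercises the new disabled path. A test that creates a subdomain with `enabled` set to `false` and asserts `sss_domain_get_state(subdomain) == DOM_DISABLED`, plus one that reads a sysdb object with enabled=false back through sysdb_update_subdomains, would pin the behaviour this commit introduces. The test body continues outside the hunk.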
|
|
|
5fca41 |
@@ -6143,7 +6143,7 @@ START_TEST(test_sysdb_subdomain_store_user)
|
|
|
5fca41 |
|
|
|
5fca41 |
subdomain = new_subdomain(test_ctx, test_ctx->domain,
|
|
|
5fca41 |
testdom[0], testdom[1], testdom[2], testdom[3],
|
|
|
5fca41 |
- MPG_DISABLED, false, NULL, NULL, 0, NULL);
|
|
|
5fca41 |
+ MPG_DISABLED, false, NULL, NULL, 0, NULL, true);
|
|
|
5fca41 |
fail_unless(subdomain != NULL, "Failed to create new subdomain.");
|
|
|
5fca41 |
ret = sysdb_subdomain_store(test_ctx->sysdb,
|
|
|
5fca41 |
testdom[0], testdom[1], testdom[2], testdom[3],
|
|
|
5fca41 |
@@ -6222,7 +6222,7 @@ START_TEST(test_sysdb_subdomain_user_ops)
|
|
|
5fca41 |
|
|
|
5fca41 |
subdomain = new_subdomain(test_ctx, test_ctx->domain,
|
|
|
5fca41 |
testdom[0], testdom[1], testdom[2], testdom[3],
|
|
|
5fca41 |
- MPG_DISABLED, false, NULL, NULL, 0, NULL);
|
|
|
5fca41 |
+ MPG_DISABLED, false, NULL, NULL, 0, NULL, true);
|
|
|
5fca41 |
fail_unless(subdomain != NULL, "Failed to create new subdomain.");
|
|
|
5fca41 |
ret = sysdb_subdomain_store(test_ctx->sysdb,
|
|
|
5fca41 |
testdom[0], testdom[1], testdom[2], testdom[3],
|
|
|
5fca41 |
@@ -6295,7 +6295,7 @@ START_TEST(test_sysdb_subdomain_group_ops)
|
|
|
5fca41 |
|
|
|
5fca41 |
subdomain = new_subdomain(test_ctx, test_ctx->domain,
|
|
|
5fca41 |
testdom[0], testdom[1], testdom[2], testdom[3],
|
|
|
5fca41 |
- MPG_DISABLED, false, NULL, NULL, 0, NULL);
|
|
|
5fca41 |
+ MPG_DISABLED, false, NULL, NULL, 0, NULL, true);
|
|
|
5fca41 |
fail_unless(subdomain != NULL, "Failed to create new subdomain.");
|
|
|
5fca41 |
ret = sysdb_subdomain_store(test_ctx->sysdb,
|
|
|
5fca41 |
testdom[0], testdom[1], testdom[2], testdom[3],
--
2.20.1