|
 |
ced1f5 |
From 3500a7766f5443c9ec50f9c8de27e2dea8c0c234 Mon Sep 17 00:00:00 2001
|
|
|
ced1f5 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
ced1f5 |
Date: Mon, 20 Nov 2017 16:41:29 +0100
|
|
|
ced1f5 |
Subject: [PATCH 66/67] IPA: use cache searches in get_groups_dns()
|
|
|
ced1f5 |
MIME-Version: 1.0
|
|
|
ced1f5 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ced1f5 |
Content-Transfer-Encoding: 8bit
|
|
|
ced1f5 |
|
|
|
ced1f5 |
If the group name is overridden in the default view we have to search
|
|
|
ced1f5 |
for the name and cannot construct it because the extdom plugin will
|
|
|
ced1f5 |
return the overridden name but the DN of the related group object in the
|
|
|
ced1f5 |
cache will contain the original name.
|
|
|
ced1f5 |
|
|
|
ced1f5 |
Related to https://pagure.io/SSSD/sssd/issue/3579
|
|
|
ced1f5 |
|
|
|
ced1f5 |
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
|
|
|
ced1f5 |
(cherry picked from commit f29040342a6d69e170f4543662621f2e27221f91)
|
|
|
ced1f5 |
---
|
|
|
ced1f5 |
src/providers/ipa/ipa_s2n_exop.c | 27 +++++++++++++++++++--------
|
|
|
ced1f5 |
1 file changed, 19 insertions(+), 8 deletions(-)
|
|
|
ced1f5 |
|
|
|
ced1f5 |
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
|
|
|
ced1f5 |
index c6132f509dcc8e7af84e03e8bfe20701107d1392..49c393e9a1eb19ab683949cf633a6838274bc0fe 100644
|
|
|
ced1f5 |
--- a/src/providers/ipa/ipa_s2n_exop.c
|
|
|
ced1f5 |
+++ b/src/providers/ipa/ipa_s2n_exop.c
|
|
|
ced1f5 |
@@ -2038,6 +2038,7 @@ static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
|
|
|
ced1f5 |
int c;
|
|
|
ced1f5 |
struct sss_domain_info *root_domain;
|
|
|
ced1f5 |
char **dn_list;
|
|
|
ced1f5 |
+ struct ldb_message *msg;
|
|
|
ced1f5 |
|
|
|
ced1f5 |
if (name_list == NULL) {
|
|
|
ced1f5 |
*_dn_list = NULL;
|
|
|
ced1f5 |
@@ -2082,15 +2083,25 @@ static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
|
|
|
ced1f5 |
goto done;
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
|
|
|
ced1f5 |
- /* This might fail if some unexpected cases are used. But current
|
|
|
ced1f5 |
- * sysdb code which handles group membership constructs DNs this way
|
|
|
ced1f5 |
- * as well, IPA names are lowercased and AD names by default will be
|
|
|
ced1f5 |
- * lowercased as well. If there are really use-cases which cause an
|
|
|
ced1f5 |
- * issue here, sysdb_group_strdn() has to be replaced by a proper
|
|
|
ced1f5 |
- * search. */
|
|
|
ced1f5 |
- dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
|
|
|
ced1f5 |
+ /* If the group name is overridden in the default view we have to
|
|
|
ced1f5 |
+ * search for the name and cannot construct it because the extdom
|
|
|
ced1f5 |
+ * plugin will return the overridden name but the DN of the related
|
|
|
ced1f5 |
+ * group object in the cache will contain the original name. */
|
|
|
ced1f5 |
+
|
|
|
ced1f5 |
+ ret = sysdb_search_group_by_name(tmp_ctx, dom, name_list[c], NULL,
|
|
|
ced1f5 |
+ &msg;;
|
|
|
ced1f5 |
+ if (ret == EOK) {
|
|
|
ced1f5 |
+ dn_list[c] = ldb_dn_alloc_linearized(dn_list, msg->dn);
|
|
|
ced1f5 |
+ } else {
|
|
|
ced1f5 |
+ /* best effort, try to construct the DN */
|
|
|
ced1f5 |
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
|
ced1f5 |
+ "sysdb_search_group_by_name failed with [%d], "
|
|
|
ced1f5 |
+ "generating DN for [%s] in domain [%s].\n",
|
|
|
ced1f5 |
+ ret, name_list[c], dom->name);
|
|
|
ced1f5 |
+ dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
|
|
|
ced1f5 |
+ }
|
|
|
ced1f5 |
if (dn_list[c] == NULL) {
|
|
|
ced1f5 |
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_group_strdn failed.\n");
|
|
|
ced1f5 |
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_alloc_linearized failed.\n");
|
|
|
ced1f5 |
ret = ENOMEM;
|
|
|
ced1f5 |
goto done;
|
|
|
ced1f5 |
}
|
|
|
ced1f5 |
--
|
|
|
ced1f5 |
2.14.3
|
|
|
ced1f5 |
|