|
 |
bb7cd1 |
From 3abbd7569f96a980676e0323d95301c50acdf062 Mon Sep 17 00:00:00 2001
|
|
|
bb7cd1 |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
bb7cd1 |
Date: Wed, 22 Mar 2017 13:06:08 +0100
|
|
|
bb7cd1 |
Subject: [PATCH 70/72] LDAP: save non-POSIX users in application domains
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
Related to:
|
|
|
bb7cd1 |
https://pagure.io/SSSD/sssd/issue/3310
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
If a user being saved by the LDAP provider does not have a UID or GID
|
|
|
bb7cd1 |
and the domain type is application, we save the user entry as non-POSIX.
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
bb7cd1 |
---
|
|
|
bb7cd1 |
src/providers/ldap/sdap_async_users.c | 72 +++++++++++++++++++++++++++--------
|
|
|
bb7cd1 |
1 file changed, 57 insertions(+), 15 deletions(-)
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
|
|
|
bb7cd1 |
index 3d957ab584865f74499bc732395388a78965fe5f..265cd7e4f7929c295d5bdcfbd781221b74601f13 100644
|
|
|
bb7cd1 |
--- a/src/providers/ldap/sdap_async_users.c
|
|
|
bb7cd1 |
+++ b/src/providers/ldap/sdap_async_users.c
|
|
|
bb7cd1 |
@@ -112,6 +112,28 @@ done:
|
|
|
bb7cd1 |
return ret;
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
+static errno_t sdap_set_non_posix_flag(struct sysdb_attrs *attrs,
|
|
|
bb7cd1 |
+ const char *pkey)
|
|
|
bb7cd1 |
+{
|
|
|
bb7cd1 |
+ errno_t ret;
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
+ ret = sysdb_attrs_add_uint32(attrs, pkey, 0);
|
|
|
bb7cd1 |
+ if (ret != EOK) {
|
|
|
bb7cd1 |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
bb7cd1 |
+ "Failed to add a zero ID to a non-posix object!\n");
|
|
|
bb7cd1 |
+ return ret;
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
+ ret = sysdb_attrs_add_bool(attrs, SYSDB_POSIX, false);
|
|
|
bb7cd1 |
+ if (ret != EOK) {
|
|
|
bb7cd1 |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
bb7cd1 |
+ "Error: Failed to mark objects as non-posix!\n");
|
|
|
bb7cd1 |
+ return ret;
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
+ return EOK;
|
|
|
bb7cd1 |
+}
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
/* FIXME: support storing additional attributes */
|
|
|
bb7cd1 |
int sdap_save_user(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
struct sdap_options *opts,
|
|
|
bb7cd1 |
@@ -130,8 +152,8 @@ int sdap_save_user(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
const char *homedir;
|
|
|
bb7cd1 |
const char *shell;
|
|
|
bb7cd1 |
const char *orig_dn = NULL;
|
|
|
bb7cd1 |
- uid_t uid;
|
|
|
bb7cd1 |
- gid_t gid;
|
|
|
bb7cd1 |
+ uid_t uid = 0;
|
|
|
bb7cd1 |
+ gid_t gid = 0;
|
|
|
bb7cd1 |
struct sysdb_attrs *user_attrs;
|
|
|
bb7cd1 |
char *upn = NULL;
|
|
|
bb7cd1 |
size_t i;
|
|
|
bb7cd1 |
@@ -146,6 +168,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
size_t c;
|
|
|
bb7cd1 |
char *p1;
|
|
|
bb7cd1 |
char *p2;
|
|
|
bb7cd1 |
+ bool is_posix = true;
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
DEBUG(SSSDBG_TRACE_FUNC, "Save user\n");
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
@@ -295,19 +318,29 @@ int sdap_save_user(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
ret = sysdb_attrs_get_uint32_t(attrs,
|
|
|
bb7cd1 |
opts->user_map[SDAP_AT_USER_UID].sys_name,
|
|
|
bb7cd1 |
&uid);
|
|
|
bb7cd1 |
- if (ret != EOK) {
|
|
|
bb7cd1 |
+ if (ret == ENOENT && dom->type == DOM_TYPE_APPLICATION) {
|
|
|
bb7cd1 |
+ DEBUG(SSSDBG_TRACE_INTERNAL,
|
|
|
bb7cd1 |
+ "Marking object as non-posix and setting ID=0!\n");
|
|
|
bb7cd1 |
+ ret = sdap_set_non_posix_flag(user_attrs,
|
|
|
bb7cd1 |
+ opts->user_map[SDAP_AT_USER_UID].sys_name);
|
|
|
bb7cd1 |
+ if (ret != EOK) {
|
|
|
bb7cd1 |
+ goto done;
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+ is_posix = false;
|
|
|
bb7cd1 |
+ } else if (ret != EOK) {
|
|
|
bb7cd1 |
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
bb7cd1 |
- "no uid provided for [%s] in domain [%s].\n",
|
|
|
bb7cd1 |
+ "Cannot retrieve UID for [%s] in domain [%s].\n",
|
|
|
bb7cd1 |
user_name, dom->name);
|
|
|
bb7cd1 |
- ret = EINVAL;
|
|
|
bb7cd1 |
+ ret = ERR_NO_POSIX;
|
|
|
bb7cd1 |
goto done;
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
- /* check that the uid is valid for this domain */
|
|
|
bb7cd1 |
- if (OUT_OF_ID_RANGE(uid, dom->id_min, dom->id_max)) {
|
|
|
bb7cd1 |
- DEBUG(SSSDBG_OP_FAILURE,
|
|
|
bb7cd1 |
- "User [%s] filtered out! (uid out of range)\n",
|
|
|
bb7cd1 |
- user_name);
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
+ /* check that the uid is valid for this domain if the user is a POSIX one */
|
|
|
bb7cd1 |
+ if (is_posix == true && OUT_OF_ID_RANGE(uid, dom->id_min, dom->id_max)) {
|
|
|
bb7cd1 |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
bb7cd1 |
+ "User [%s] filtered out! (uid out of range)\n",
|
|
|
bb7cd1 |
+ user_name);
|
|
|
bb7cd1 |
ret = EINVAL;
|
|
|
bb7cd1 |
goto done;
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
@@ -349,17 +382,26 @@ int sdap_save_user(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
ret = sysdb_attrs_get_uint32_t(attrs,
|
|
|
bb7cd1 |
opts->user_map[SDAP_AT_USER_GID].sys_name,
|
|
|
bb7cd1 |
&gid;;
|
|
|
bb7cd1 |
- if (ret != EOK) {
|
|
|
bb7cd1 |
+ if (ret == ENOENT && dom->type == DOM_TYPE_APPLICATION) {
|
|
|
bb7cd1 |
+ DEBUG(SSSDBG_TRACE_INTERNAL,
|
|
|
bb7cd1 |
+ "Marking object as non-posix and setting ID=0!\n");
|
|
|
bb7cd1 |
+ ret = sdap_set_non_posix_flag(attrs,
|
|
|
bb7cd1 |
+ opts->user_map[SDAP_AT_USER_GID].sys_name);
|
|
|
bb7cd1 |
+ if (ret != EOK) {
|
|
|
bb7cd1 |
+ goto done;
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+ is_posix = false;
|
|
|
bb7cd1 |
+ } else if (ret != EOK) {
|
|
|
bb7cd1 |
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
bb7cd1 |
- "no gid provided for [%s] in domain [%s].\n",
|
|
|
bb7cd1 |
- user_name, dom->name);
|
|
|
bb7cd1 |
- ret = EINVAL;
|
|
|
bb7cd1 |
+ "Cannot retrieve GID for [%s] in domain [%s].\n",
|
|
|
bb7cd1 |
+ user_name, dom->name);
|
|
|
bb7cd1 |
+ ret = ERR_NO_POSIX;
|
|
|
bb7cd1 |
goto done;
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
/* check that the gid is valid for this domain */
|
|
|
bb7cd1 |
- if (IS_SUBDOMAIN(dom) == false &&
|
|
|
bb7cd1 |
+ if (is_posix == true && IS_SUBDOMAIN(dom) == false &&
|
|
|
bb7cd1 |
OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
|
|
|
bb7cd1 |
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
bb7cd1 |
"User [%s] filtered out! (primary gid out of range)\n",
|
|
|
bb7cd1 |
--
|
|
|
bb7cd1 |
2.9.3
|
|
|
bb7cd1 |
|