From 2349423ad813e8a4fe090c283603b4cf18919662 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 22 Jan 2018 00:02:43 +0100
Subject: [PATCH 97/97] DESKPROFILE: Add checks for user and host category
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
freeipa-deskprofile-plugin can have both user and host category set as
"all" and when it happens, no users and groups or hosts or hostgroups
are going to be set.
Let's treat this expected (but so far missed) situation on SSSD side.
Resolves:
https://pagure.io/SSSD/sssd/issue/3449
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b72e444bc1cd2fe8d9617f09b446c678d4684fff)
---
src/providers/ipa/ipa_deskprofile_rules_util.c | 100 ++++++++++++++++++++-----
1 file changed, 82 insertions(+), 18 deletions(-)
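--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -684,6 +684,8 @@ ipa_deskprofile_rules_save_rule_to_disk(
 TALLOC_CTX *tmp_ctx;
 const char *rule_name;
 const char *data;
+ const char *hostcat;
+ const char *usercat;
 char *shortname;
 char *domainname;
 char *base_dn;
@@ -722,6 +724,28 @@ ipa_deskprofile_rules_save_rule_to_disk(
 goto done;
 }
 
+ ret = sysdb_attrs_get_string(rule, IPA_HOST_CATEGORY, &hostcat);
+ if (ret == ENOENT) {
+ hostcat = NULL;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Failed to get the Desktop Profile Rule host category for rule "
+ "\"%s\" [%d]: %s\n",
+ rule_name, ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = sysdb_attrs_get_string(rule, IPA_USER_CATEGORY, &usercat);
+ if (ret == ENOENT) {
+ usercat = NULL;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Failed to get the Desktop Profile Rule user category for rule "
+ "\"%s\" [%d]: %s\n",
+ rule_name, ret, sss_strerror(ret));
+ goto done;
+ }
+
 rule_prio = talloc_asprintf(tmp_ctx, "%06d", prio);
 if (rule_prio == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate rule priority\n");
@@ -753,26 +777,66 @@ ipa_deskprofile_rules_save_rule_to_disk(
 goto done;
 }
 
- ret = ipa_deskprofile_rule_check_memberuser(tmp_ctx, domain, rule,
- rule_name, rule_prio,
- base_dn, username,
- &user_prio, &group_prio);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "ipa_deskprofile_rule_check_memberuser() failed [%d]: %s\n",
- ret, sss_strerror(ret));
- goto done;
+ if (usercat != NULL && strcasecmp(usercat, "all") == 0) {
+ user_prio = talloc_strdup(tmp_ctx, rule_prio);
+ if (user_prio == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to allocate the user priority "
+ "when user category is \"all\"\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ group_prio = talloc_strdup(tmp_ctx, rule_prio);
+ if (group_prio == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to allocate the group priority "
+ "when user category is \"all\"\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ } else {
+ ret = ipa_deskprofile_rule_check_memberuser(tmp_ctx, domain, rule,
+ rule_name, rule_prio,
+ base_dn, username,
+ &user_prio, &group_prio);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ipa_deskprofile_rule_check_memberuser() failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
 }
 
- ret = ipa_deskprofile_rule_check_memberhost(tmp_ctx, domain, rule,
- rule_name, rule_prio,
- base_dn, hostname,
- &host_prio, &hostgroup_prio);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "ipa_deskprofile_rule_check_memberhost() failed [%d]: %s\n",
- ret, sss_strerror(ret));
- goto done;
+ if (hostcat != NULL && strcasecmp(hostcat, "all") == 0) {
+ host_prio = talloc_strdup(tmp_ctx, rule_prio);
+ if (host_prio == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to allocate the host priority "
+ "when host category is \"all\"\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ hostgroup_prio = talloc_strdup(tmp_ctx, rule_prio);
+ if (hostgroup_prio == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to allocate the hostgroup priority "
+ "when host category is \"all\"\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ } else {
+ ret = ipa_deskprofile_rule_check_memberhost(tmp_ctx, domain, rule,
+ rule_name, rule_prio,
+ base_dn, hostname,
+ &host_prio, &hostgroup_prio);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ipa_deskprofile_rule_check_memberhost() failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
 }
 
 ret = ipa_deskprofile_get_normalized_rule_name(mem_ctx, rule_name,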
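Review bot: In the third hunk the `usercat`/`hostcat` "all" branches bypass `ipa_deskprofile_rule_check_memberuser()` and `ipa_deskprofile_rule_check_memberhost()` and copy `rule_prio` into both priorities, so a single attribute value decides that the rule applies to every user or host, and nothing in the code says so; a comment at each branch would help, e.g. `/* category "all": no member attributes are stored, the rule matches everyone */`. Any other non-NULL category value falls through to the member check, which looks like the safe default and is worth stating in the same comment. In the second hunk both new `sysdb_attrs_get_string()` failure paths log at `SSSDBG_TRACE_FUNC` before `goto done`; since they abort saving the rule, `SSSDBG_CRIT_FAILURE` (already used by the allocation failures nearby) would keep the error visible without trace logging, unless the parts of the function outside these hunks use trace level on purpose. The function body starts and ends outside the hunks.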
--
2.14.3