From fbd38903a3c4985e560e6c670ead84597982242e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 19 Jun 2019 11:40:56 +0200
Subject: [PATCH] ipa: use LDAP not extdom to lookup IPA users and groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently when an IPA client is resolving trusted users and groups with
the help of the extdom plugin it uses the extdom plugin as well to
lookup IPA objects. This might cause issues if e.g. there is a user in
IPA with the same name as a group in AD or the other way round.
To solve this and to lower the load on the extdom plugin on the IPA
server side this patch will look up IPA objects directly from LDAP on the
IPA server.
Related to https://pagure.io/SSSD/sssd/issue/4073
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 27b141f38dd04d4b69e609a4cc64676a0716226e)
---
src/providers/ipa/ipa_id.c | 11 +-----
src/providers/ipa/ipa_id.h | 5 +++
src/providers/ipa/ipa_s2n_exop.c | 67 ++++++++++++++++++++++++++++++++
3 files changed, 74 insertions(+), 9 deletions(-)
diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
index f34692aa2..94d5f9d90 100644
--- a/src/providers/ipa/ipa_id.c
+++ b/src/providers/ipa/ipa_id.c
@@ -30,13 +30,6 @@
#include "providers/ldap/sdap_async.h"
#include "providers/ipa/ipa_id.h"
-static struct tevent_req *
-ipa_id_get_account_info_send(TALLOC_CTX *memctx, struct tevent_context *ev,
- struct ipa_id_ctx *ipa_ctx,
- struct dp_id_data *ar);
-
-static int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error);
-
static bool is_object_overridable(struct dp_id_data *ar)
{
bool ret = false;
@@ -516,7 +509,7 @@ static void ipa_id_get_account_info_orig_done(struct tevent_req *subreq);
static void ipa_id_get_account_info_done(struct tevent_req *subreq);
static void ipa_id_get_user_list_done(struct tevent_req *subreq);
-static struct tevent_req *
+struct tevent_req *
ipa_id_get_account_info_send(TALLOC_CTX *memctx, struct tevent_context *ev,
struct ipa_id_ctx *ipa_ctx,
struct dp_id_data *ar)
@@ -1120,7 +1113,7 @@ fail:
return;
}
-static int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error)
+int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error)
{
struct ipa_id_get_account_info_state *state = tevent_req_data(req,
struct ipa_id_get_account_info_state);
diff --git a/src/providers/ipa/ipa_id.h b/src/providers/ipa/ipa_id.h
index fe9acfeef..c18e709b8 100644
--- a/src/providers/ipa/ipa_id.h
+++ b/src/providers/ipa/ipa_id.h
@@ -151,4 +151,9 @@ ipa_resolve_user_list_send(TALLOC_CTX *memctx, struct tevent_context *ev,
struct ldb_message_element *users);
int ipa_resolve_user_list_recv(struct tevent_req *req, int *dp_error);
+struct tevent_req *
+ipa_id_get_account_info_send(TALLOC_CTX *memctx, struct tevent_context *ev,
+ struct ipa_id_ctx *ipa_ctx,
+ struct dp_id_data *ar);
+int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error);
#endif
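Review bot: The two prototypes added above `#endif` turn ipa_id_get_account_info_send()/_recv() into part of the module interface, but neither says what the request does with `ar` nor what `dp_error` holds after recv. The one caller this patch adds (ipa_s2n_exop.c) talloc-allocates `ar` on its own state, sets `ar->entry_type`, and never frees it, so the ownership of `ar` is exactly the point a reader of the header will ask about. I would put a short comment above the send prototype saying that it looks up the IPA object described by `ar` via LDAP, that the caller keeps ownership of `ar` (inferred from the caller, to be confirmed against the send function in ipa_id.c, which is outside this patch), and that `dp_error` receives the data-provider error class when recv returns non-EOK.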
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index a07f73200..598b1568e 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1121,6 +1121,7 @@ struct ipa_s2n_get_list_state {
static errno_t ipa_s2n_get_list_step(struct tevent_req *req);
static void ipa_s2n_get_list_get_override_done(struct tevent_req *subreq);
static void ipa_s2n_get_list_next(struct tevent_req *subreq);
+static void ipa_s2n_get_list_ipa_next(struct tevent_req *subreq);
static errno_t ipa_s2n_get_list_save_step(struct tevent_req *req);
static struct tevent_req *ipa_s2n_get_list_send(TALLOC_CTX *mem_ctx,
@@ -1195,6 +1196,7 @@ static errno_t ipa_s2n_get_list_step(struct tevent_req *req)
uint32_t id;
char *endptr;
bool need_v1 = false;
+ struct dp_id_data *ar;
parent_domain = get_domains_head(state->dom);
switch (state->req_input.type) {
@@ -1222,6 +1224,35 @@ static errno_t ipa_s2n_get_list_step(struct tevent_req *req)
state->req_input.inp.name = short_name;
+ if (strcmp(state->obj_domain->name,
+ state->ipa_ctx->sdap_id_ctx->be->domain->name) == 0) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Looking up IPA object [%s] from LDAP.\n",
+ state->list[state->list_idx]);
+ ret = get_dp_id_data_for_user_name(state,
+ state->list[state->list_idx],
+ state->obj_domain->name,
+ &ar);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to create lookup date for IPA object [%s].\n",
+ state->list[state->list_idx]);
+ return ret;
+ }
+ ar->entry_type = state->entry_type;
+
+ subreq = ipa_id_get_account_info_send(state, state->ev,
+ state->ipa_ctx, ar);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ipa_id_get_account_info_send failed.\n");
+ return ENOMEM;
+ }
+ tevent_req_set_callback(subreq, ipa_s2n_get_list_ipa_next, req);
+
+ return EOK;
+ }
+
break;
case REQ_INP_ID:
errno = 0;
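Review bot: The failure message in the new `ret != EOK` branch reads `"Failed to create lookup date for IPA object [%s].\n"`; "date" should be "data", i.e. `"Failed to create lookup data for IPA object [%s].\n"`. A second, smaller point: `ar` is allocated with `state` as its talloc parent and the completion callback has no handle on it, so every list entry that takes the LDAP branch presumably leaves one dp_id_data alive until the whole list request is released; if nothing in ipa_id_get_account_info keeps a reference past recv, `talloc_steal(subreq, ar);` right after the `subreq == NULL` check would tie it to the sub-request instead, but that needs confirming against the send function, which is not in this hunk. The domain comparison that selects the branch is the part that matters for the collision case described in the commit message, and it is only taken for name lookups here; the REQ_INP_ID case that follows is unchanged. ipa_s2n_get_list_step() and its enclosing switch begin outside the hunk.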
@@ -1363,6 +1394,42 @@ fail:
return;
}
+static void ipa_s2n_get_list_ipa_next(struct tevent_req *subreq)
+{
+ int ret;
+ int dp_error;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ipa_s2n_get_list_state *state = tevent_req_data(req,
+ struct ipa_s2n_get_list_state);
+
+ ret = ipa_id_get_account_info_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_id_get_account_info failed: %d %d\n", ret,
+ dp_error);
+ goto done;
+ }
+
+ state->list_idx++;
+ if (state->list[state->list_idx] == NULL) {
+ tevent_req_done(req);
+ return;
+ }
+
+ ret = ipa_s2n_get_list_step(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_get_list_step failed.\n");
+ goto done;
+ }
+
+ return;
+
+done:
+ tevent_req_error(req,ret);
+ return;
+}
+
static void ipa_s2n_get_list_get_override_done(struct tevent_req *subreq)
{
int ret;
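Review bot: `tevent_req_error(req,ret);` at the `done:` label of the new ipa_s2n_get_list_ipa_next() is the one call in this hunk without a space after the comma; the surrounding calls are spaced, so `tevent_req_error(req, ret);`. The function also has no header comment, and I would add one stating that it is the completion callback for the LDAP lookup issued from ipa_s2n_get_list_step(), that it advances `list_idx` and finishes the request once the NULL terminator of `state->list` is reached, and otherwise issues the next step. Judging by the name it mirrors the existing ipa_s2n_get_list_next() apart from the recv call; if so, saying that in the comment would help keep the two in sync, but that function is outside this hunk so I cannot confirm it.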
--
2.20.1