From a3fc740fbfbfd5a2771a3872cf03287879c957c3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 22 Jan 2015 21:20:25 +0100
Subject: [PATCH 179/181] IPA: resolve IPA group-memberships for AD users
So far only for initgroups requests the IPA group memberships were
resolved for AD users and due to
6fac5e5f0c54a0f92872ce1450606cfcb577a920 those memberships are not
overridden by other requests. But it turned out that the originalMemberOf
attributes related to the IPA group memberships can be overridden by
user lookups. Since the originalMemberOf attribute is important in the
HBAC evaluation this patch makes sure that the originalMemberOf
attribute is not removed but updated during user lookups.
Related to https://fedorahosted.org/sssd/ticket/2560
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 63748c69a2c6785d949c82f94749704e0408e5a7)
---
src/providers/ipa/ipa_subdomains_ext_groups.c | 3 +-
src/providers/ipa/ipa_subdomains_id.c | 44 +++++++++++++++++++++++++--
2 files changed, 44 insertions(+), 3 deletions(-)
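diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
index 6feca44de537f4c721bfe4ea5e3fde1b946e4aac..b9690bdb682a9348340d22d4b24f0f284671610d 100644
--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
@@ -452,7 +452,8 @@ struct tevent_req *ipa_get_ad_memberships_send(TALLOC_CTX *mem_ctx,
 state->domain = domain;
 state->dp_error = -1;
 
- if ((ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_INITGROUPS
+ if (((ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_INITGROUPS
+ && (ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_USER)
 || ar->filter_type != BE_FILTER_NAME) {
 DEBUG(SSSDBG_OP_FAILURE, "Unsupported request type.\n");
 ret = EINVAL;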
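Review bot: The widened condition evaluates `(ar->entry_type & BE_REQ_TYPE_MASK)` twice, while the companion hunk in ipa_subdomains_id.c hoists the masked value into a local `entry_type`; doing the same here keeps the two call sites consistent and the condition readable: `int entry_type = ar->entry_type & BE_REQ_TYPE_MASK;` followed by `if ((entry_type != BE_REQ_INITGROUPS && entry_type != BE_REQ_USER) || ar->filter_type != BE_FILTER_NAME) {`. The rejection path still logs only `"Unsupported request type.\n"`, which no longer distinguishes a wrong entry type from a wrong filter type now that two entry types are accepted; logging both fields, e.g. `"Unsupported request type [%d] or filter type [%d].\n"` with `ar->entry_type` and `ar->filter_type`, would make a misrouted request diagnosable from the log alone. The header comment of ipa_get_ad_memberships_send, if there is one, should also say that the function now serves plain user lookups as well as initgroups; the function starts and ends outside the hunk.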
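diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 79285548d9470b34d66b366367fb69ef57710f83..c8714a216daff7506f00248e25c281529d0479c4 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -1099,6 +1099,8 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
 struct ipa_get_ad_acct_state);
 errno_t ret;
 struct tevent_req *subreq;
+ const char *obj_name;
+ int entry_type;
 
 if (state->override_attrs != NULL) {
 /* We are in ipa-server-mode, so the view is the default view by
@@ -1112,13 +1114,51 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
 }
 }
 
- if ((state->ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_INITGROUPS) {
+ entry_type = (state->ar->entry_type & BE_REQ_TYPE_MASK);
+ if (entry_type != BE_REQ_INITGROUPS
+ && entry_type != BE_REQ_USER
+ && entry_type != BE_REQ_BY_SECID) {
 tevent_req_done(req);
 return EOK;
 }
 
+ /* Replace ID with name in search filter */
+ if ((entry_type == BE_REQ_USER && state->ar->filter_type == BE_FILTER_IDNUM)
+ || entry_type == BE_REQ_BY_SECID) {
+ if (state->obj_msg == NULL) {
+ ret = get_object_from_cache(state, state->obj_dom, state->ar,
+ &state->obj_msg);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Object not found, ending request\n");
+ tevent_req_done(req);
+ return EOK;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_object_from_cache failed.\n");
+ return ret;
+ }
+ }
+
+ obj_name = ldb_msg_find_attr_as_string(state->obj_msg, SYSDB_NAME,
+ NULL);
+ if (obj_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cached object has no name.\n");
+ return EINVAL;
+ }
+
+ state->ar->filter_value = talloc_strdup(state->ar, obj_name);
+ if (state->ar->filter_value == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ return ENOMEM;
+ }
+ state->ar->filter_type = BE_FILTER_NAME;
+ state->ar->entry_type = BE_REQ_USER;
+ }
+
+
 /* For initgroups request we have to check IPA group memberships of AD
- * users. */
+ * users. This has to be done for other user-request as well to make sure
+ * IPA related attributes are not overwritten. */
 subreq = ipa_get_ad_memberships_send(state, state->ev, state->ar,
 state->ipa_ctx->server_mode,
 state->obj_dom,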
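Review bot: The `Replace ID with name in search filter` branch rewrites the caller's request in place — `state->ar->filter_value`, `filter_type` and `entry_type` are all overwritten — so from this step on every consumer of `state->ar`, including `ipa_get_ad_memberships_send` and whatever runs in the callback chain after it, sees a by-name BE_REQ_USER request instead of the original by-SID or by-ID one. The unconditional `state->ar->entry_type = BE_REQ_USER;` also discards any bits outside BE_REQ_TYPE_MASK that the original entry_type carried, which the masking into the local `entry_type` suggests exist; `state->ar->entry_type = (state->ar->entry_type & ~BE_REQ_TYPE_MASK) | BE_REQ_USER;` would preserve them if anything downstream depends on them. If a later step or the reply path needs the original values, working on a state-owned copy of the request would be safer; at minimum a comment such as `/* state->ar is deliberately rewritten for the rest of this request */` next to the assignments would warn the next reader. Whether the previous `filter_value` was allocated on `state->ar` is not visible here; if it was not, the old string lives on until its own parent is freed. `ipa_get_ad_apply_override_step` starts before the first hunk and continues past the last.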
--
2.1.0