From 5fcce16c212037b5193556dc2f6bcb7e4d7f0f85 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sat, 30 Jun 2018 13:21:18 +0200
Subject: [PATCH] LDAP: Remove the legacy POSIX check itself
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This code is no longer needed now.
Related:
https://pagure.io/SSSD/sssd/issue/3755
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 5b2b6493dfb3c1f2cb945356e34c70d8c5d64185)
DOWNSTREAM:
Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers
---
src/providers/ad/ad_common.c | 2 -
src/providers/ldap/ldap_common.c | 17 ---
src/providers/ldap/ldap_common.h | 7 --
src/providers/ldap/sdap.h | 1 -
src/providers/ldap/sdap_async.c | 174 -------------------------------
src/providers/ldap/sdap_async.h | 13 ---
6 files changed, 214 deletions(-)
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index eaf0814f1aaf51a5085e992efa633240f32c498e..6d395cfb1d4148e803a656a8f7205fe13570085b 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1388,7 +1388,6 @@ ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
clist[cindex] = ad_ctx->gc_ctx;
clist[cindex]->ignore_mark_offline = true;
clist[cindex]->no_mpg_user_fallback = true;
- clist[cindex]->check_posix_attrs = true;
cindex++;
}
@@ -1435,7 +1434,6 @@ ad_user_conn_list(TALLOC_CTX *mem_ctx,
&& IS_SUBDOMAIN(dom)) {
clist[cindex] = ad_ctx->gc_ctx;
clist[cindex]->ignore_mark_offline = true;
- clist[cindex]->check_posix_attrs = true;
cindex++;
}
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index a0a9b8523310b2551ee992f8d0c2e369dafaa56d..9cd8ec09c7fdc6bd1c8d64da150178f483f2a5a3 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -884,20 +884,3 @@ sdap_id_ctx_new(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
return sdap_ctx;
}
-
-bool should_run_posix_check(struct sdap_id_ctx *ctx,
- struct sdap_id_conn_ctx *conn,
- bool use_id_mapping,
- bool posix_request)
-{
- if (use_id_mapping == false &&
- posix_request == true &&
- ctx->opts->schema_type == SDAP_SCHEMA_AD &&
- conn->check_posix_attrs == true &&
- ctx->srv_opts &&
- ctx->srv_opts->posix_checked == false) {
- return true;
- }
-
- return false;
-}
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 3de3568cb28c258c00f9b522c0b9120adca81d81..6c08d789b339424649c938b845e7118f5ea88f73 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -59,8 +59,6 @@ struct sdap_id_conn_ctx {
bool ignore_mark_offline;
/* do not fall back to user lookups for mpg domains on this connection */
bool no_mpg_user_fallback;
- /* check if this connection contains POSIX attributes */
- bool check_posix_attrs;
};
struct sdap_id_ctx {
@@ -309,11 +307,6 @@ char *get_enterprise_principal_string_filter(TALLOC_CTX *mem_ctx,
const char *princ,
struct dp_option *sdap_basic_opts);
-bool should_run_posix_check(struct sdap_id_ctx *ctx,
- struct sdap_id_conn_ctx *conn,
- bool id_mapping,
- bool posix_request);
-
char *sdap_get_access_filter(TALLOC_CTX *mem_ctx,
const char *base_filter);
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index e892c407103b18a296ae6baaf3dcfff11ca4bf31..0790544818633e26ee5a8fbdca556b8230b1df3f 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -511,7 +511,6 @@ struct sdap_server_opts {
char *max_group_value;
char *max_service_value;
char *max_sudo_value;
- bool posix_checked;
};
struct sdap_id_ctx;
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 1e77b1c3c612d28a7d1f7e686cbc0b094b07c89d..8fc832ae5720acac07b0e2a24255f6c5e3d6994b 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -2572,180 +2572,6 @@ int sdap_asq_search_recv(struct tevent_req *req,
return EOK;
}
-/* ==POSIX attribute presence test================================= */
-static void sdap_gc_posix_check_done(struct tevent_req *subreq);
-static errno_t sdap_gc_posix_check_parse(struct sdap_handle *sh,
- struct sdap_msg *msg,
- void *pvt);
-
-struct sdap_gc_posix_check_state {
- struct tevent_context *ev;
- struct sdap_options *opts;
- struct sdap_handle *sh;
- int timeout;
-
- const char **attrs;
- const char *filter;
-
- bool has_posix;
-};
-
-struct tevent_req *
-sdap_gc_posix_check_send(TALLOC_CTX *memctx, struct tevent_context *ev,
- struct sdap_options *opts, struct sdap_handle *sh,
- int timeout)
-{
- struct tevent_req *req = NULL;
- struct tevent_req *subreq = NULL;
- struct sdap_gc_posix_check_state *state;
- errno_t ret;
-
- req = tevent_req_create(memctx, &state, struct sdap_gc_posix_check_state);
- if (req == NULL) {
- return NULL;
- }
- state->ev = ev;
- state->sh = sh;
- state->opts = opts;
- state->timeout = timeout;
-
- state->attrs = talloc_array(state, const char *, 4);
- if (state->attrs == NULL) {
- ret = ENOMEM;
- goto fail;
- }
- state->attrs[0] = "objectclass";
- state->attrs[1] = opts->user_map[SDAP_AT_USER_UID].name;
- state->attrs[2] = opts->group_map[SDAP_AT_GROUP_GID].name;
- state->attrs[3] = NULL;
-
- state->filter = talloc_asprintf(state,
- "(|(&(%s=*)(objectclass=%s))(&(%s=*)(objectclass=%s)))",
- opts->user_map[SDAP_AT_USER_UID].name,
- opts->user_map[SDAP_OC_USER].name,
- opts->group_map[SDAP_AT_GROUP_GID].name,
- opts->group_map[SDAP_OC_GROUP].name);
- if (state->filter == NULL) {
- ret = ENOMEM;
- goto fail;
- }
-
- subreq = sdap_get_generic_ext_send(state, state->ev, state->opts,
- state->sh,
- "",
- LDAP_SCOPE_SUBTREE, state->filter,
- state->attrs,
- NULL, NULL, 1, state->timeout,
- sdap_gc_posix_check_parse, state,
- SDAP_SRCH_FLG_SIZELIMIT_SILENT);
- if (subreq == NULL) {
- ret = ENOMEM;
- goto fail;
- }
- tevent_req_set_callback(subreq, sdap_gc_posix_check_done, req);
-
- return req;
-
-fail:
- tevent_req_error(req, ret);
- tevent_req_post(req, ev);
- return req;
-}
-
-static errno_t sdap_gc_posix_check_parse(struct sdap_handle *sh,
- struct sdap_msg *msg,
- void *pvt)
-{
- struct berval **vals = NULL;
- struct sdap_gc_posix_check_state *state =
- talloc_get_type(pvt, struct sdap_gc_posix_check_state);
- char *dn;
- char *endptr;
-
- dn = ldap_get_dn(sh->ldap, msg->msg);
- if (dn == NULL) {
- DEBUG(SSSDBG_TRACE_LIBS,
- "Search did not find any entry with POSIX attributes\n");
- goto done;
- }
- DEBUG(SSSDBG_TRACE_LIBS, "Found [%s] with POSIX attributes\n", dn);
- ldap_memfree(dn);
-
- vals = ldap_get_values_len(sh->ldap, msg->msg,
- state->opts->user_map[SDAP_AT_USER_UID].name);
- if (vals == NULL) {
- vals = ldap_get_values_len(sh->ldap, msg->msg,
- state->opts->group_map[SDAP_AT_GROUP_GID].name);
- if (vals == NULL) {
- DEBUG(SSSDBG_TRACE_LIBS, "Entry does not have POSIX attrs?\n");
- goto done;
- }
- }
-
- if (vals[0] == NULL) {
- DEBUG(SSSDBG_TRACE_LIBS, "No value for POSIX attr\n");
- goto done;
- }
-
- errno = 0;
- strtouint32(vals[0]->bv_val, &endptr, 10);
- if (errno || *endptr || (vals[0]->bv_val == endptr)) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "POSIX attribute is not a number: %s\n", vals[0]->bv_val);
- }
-
- state->has_posix = true;
-done:
- ldap_value_free_len(vals);
- return EOK;
-}
-
-static void sdap_gc_posix_check_done(struct tevent_req *subreq)
-{
- struct tevent_req *req = tevent_req_callback_data(subreq,
- struct tevent_req);
- struct sdap_gc_posix_check_state *state =
- tevent_req_data(req, struct sdap_gc_posix_check_state);
- errno_t ret;
-
- ret = sdap_get_generic_ext_recv(subreq, NULL, NULL, NULL);
- talloc_zfree(subreq);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "sdap_get_generic_ext_recv failed [%d]: %s\n",
- ret, strerror(ret));
- tevent_req_error(req, ret);
- return;
- }
-
- /* Positive hit is definitive, no need to search other bases */
- if (state->has_posix == true) {
- DEBUG(SSSDBG_FUNC_DATA, "Server has POSIX attributes. Global Catalog will "
- "be used for user and group lookups. Note that if "
- "only a subset of POSIX attributes is present "
- "in GC, the non-replicated attributes are "
- "currently not read from the LDAP port\n");
- tevent_req_done(req);
- return;
- }
-
- /* All bases done! */
- DEBUG(SSSDBG_TRACE_LIBS, "Cycled through all bases\n");
- tevent_req_done(req);
-}
-
-int sdap_gc_posix_check_recv(struct tevent_req *req,
- bool *_has_posix)
-{
- struct sdap_gc_posix_check_state *state = tevent_req_data(req,
- struct sdap_gc_posix_check_state);
-
- TEVENT_REQ_RETURN_ON_ERROR(req);
-
- *_has_posix = state->has_posix;
- return EOK;
-}
-
/* ==Generic Deref Search============================================ */
enum sdap_deref_type {
SDAP_DEREF_OPENLDAP,
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 6ca3ed8d82ea7e4cb049b1c65c639b2773b8c296..6d09aca7a3465df4503991f0dc82e2af3871ccd5 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -281,19 +281,6 @@ int sdap_deref_search_recv(struct tevent_req *req,
size_t *reply_count,
struct sdap_deref_attrs ***reply);
-/*
- * This request should only be ran against a Global Catalog connection
- * because it uses a NULL search base to search all domains in the forest,
- * which would return an error with an LDAP port:
- * https://technet.microsoft.com/en-us/library/cc755809(v=ws.10).aspx
- */
-struct tevent_req *
-sdap_gc_posix_check_send(TALLOC_CTX *memctx, struct tevent_context *ev,
- struct sdap_options *opts, struct sdap_handle *sh,
- int timeout);
-
-int sdap_gc_posix_check_recv(struct tevent_req *req,
- bool *_has_posix);
struct tevent_req *
sdap_sd_search_send(TALLOC_CTX *memctx,
--
2.17.1