summaryrefslogtreecommitdiffstats
path: root/daemons/ipa-slapi-plugins
diff options
context:
space:
mode:
authorTomas Babej <tbabej@redhat.com>2013-03-05 09:17:20 +0100
committerMartin Kosek <mkosek@redhat.com>2013-03-11 13:55:43 +0100
commit8d432353cc1e66b235e928650764f879c24d19f7 (patch)
treed18385eed8d2779c21eeeef26541d9a6e142ecb7 /daemons/ipa-slapi-plugins
parent6ff20ca2d979f481ce91f013469e53d74a95dd48 (diff)
downloadfreeipa-8d432353cc1e66b235e928650764f879c24d19f7.tar.gz
freeipa-8d432353cc1e66b235e928650764f879c24d19f7.tar.xz
freeipa-8d432353cc1e66b235e928650764f879c24d19f7.zip
Perform secondary rid range overlap check for local ranges only
Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local domain ranges. https://fedorahosted.org/freeipa/ticket/3391
Diffstat (limited to 'daemons/ipa-slapi-plugins')
-rw-r--r--daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c41
1 files changed, 25 insertions, 16 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
index 3a607636d..391e2259b 100644
--- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
+++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
@@ -178,6 +178,11 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2)
bool rid_ranges_set = (r1->base_rid != 0 || r1->secondary_base_rid != 0) &&
(r2->base_rid != 0 || r2->secondary_base_rid != 0);
+ /**
+ * ipaNTTrustedDomainSID is not set for local ranges, use it to
+ * determine the type of the range **/
+ bool local_ranges = r1->domain_id == NULL && r2->domain_id == NULL;
+
bool ranges_from_same_domain =
(r1->domain_id == NULL && r2->domain_id == NULL) ||
(r1->domain_id != NULL && r2->domain_id != NULL &&
@@ -185,8 +190,7 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2)
/**
* in case rid range is not set or ranges belong to different domains
- * we can skip rid range tests as they are irrelevant
- */
+ * we can skip rid range tests as they are irrelevant **/
if (rid_ranges_set && ranges_from_same_domain){
/* check if rid range overlaps with existing rid range */
@@ -194,20 +198,25 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2)
r1->id_range_size, r2->id_range_size))
return 2;
- /* check if secondary rid range overlaps with existing secondary rid range */
- if (intervals_overlap(r1->secondary_base_rid, r2->secondary_base_rid,
- r1->id_range_size, r2->id_range_size))
- return 3;
-
- /* check if rid range overlaps with existing secondary rid range */
- if (intervals_overlap(r1->base_rid, r2->secondary_base_rid,
- r1->id_range_size, r2->id_range_size))
- return 4;
-
- /* check if secondary rid range overlaps with existing rid range */
- if (intervals_overlap(r1->secondary_base_rid, r2->base_rid,
- r1->id_range_size, r2->id_range_size))
- return 5;
+ /**
+ * The following 3 checks are relevant only if both ranges are local.
+ * Check if secondary rid range overlaps with existing secondary rid
+ * range. **/
+ if (local_ranges){
+ if (intervals_overlap(r1->secondary_base_rid,
+ r2->secondary_base_rid, r1->id_range_size, r2->id_range_size))
+ return 3;
+
+ /* check if rid range overlaps with existing secondary rid range */
+ if (intervals_overlap(r1->base_rid, r2->secondary_base_rid,
+ r1->id_range_size, r2->id_range_size))
+ return 4;
+
+ /* check if secondary rid range overlaps with existing rid range */
+ if (intervals_overlap(r1->secondary_base_rid, r2->base_rid,
+ r1->id_range_size, r2->id_range_size))
+ return 5;
+ }
}
return 0;