<feed xmlns='http://www.w3.org/2005/Atom'>
<title>slapi-nis.git/src, branch lazy_client</title>
<subtitle>SLAPI-NIS</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/'/>
<entry>
<title>slapi-nis: fix processing of ID views</title>
<updated>2015-11-13T10:11:20+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2015-11-03T12:42:05+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=1c3ff5952d30ad85ef1739a97045186565fdfc1b'/>
<id>1c3ff5952d30ad85ef1739a97045186565fdfc1b</id>
<content type='text'>
- ID View processing should only happen if an ID view is defined
- When finding an attribute with slapi_entry_attr_find(), use the correct return
  code (slapi_entry_attr_exists() returns 1, _find() returns 0)
- cn=&lt;view&gt;,cn=views,cn=compat,$SUFFIX lookup is fixed

Fixes: bug #1277576
https://bugzilla.redhat.com/show_bug.cgi?id=1277576
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
- ID View processing should only happen if an ID view is defined
- When finding an attribute with slapi_entry_attr_find(), use the correct return
  code (slapi_entry_attr_exists() returns 1, _find() returns 0)
- cn=&lt;view&gt;,cn=views,cn=compat,$SUFFIX lookup is fixed

Fixes: bug #1277576
https://bugzilla.redhat.com/show_bug.cgi?id=1277576
</pre>
</div>
</content>
</entry>
<entry>
<title>slapi-nis: delay sending responses from compat tree after map search</title>
<updated>2015-11-13T10:11:20+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2015-10-29T16:34:48+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=ba60cff6c3355fc56f5608ba2ed6ea3ebc5f2340'/>
<id>ba60cff6c3355fc56f5608ba2ed6ea3ebc5f2340</id>
<content type='text'>
When the slapi-nis plugin responds to a search query, it holds a read lock for
the internal structure called 'map cache'. The map cache lock can also be taken
for write when a modification would be required, like responding to DELETE, ADD, or
MODIFY operations.

As a result of the lock semantics, the write lock owner is blocked until all read lock
owners release their locks. This is generally not a problem, but when readers send
out LDAP query results, they call into a SLAPI function that might take a long time
to send out the data due to external reasons (network latencies, clients being
blocked, etc.) and all this time the map cache is locked for write operations.

When the Kerberos KDC issues a TGT, it needs to modify a few Kerberos-related attributes
in the principal's LDAP entry. These updates generate MOD operations visible
to the slapi-nis plugin, which trigger a re-scan of the map cache to potentially replace
the affected entries. To perform the potential replacement, slapi-nis has to take a write
lock and is blocked by outstanding readers.

Therefore, it is possible to encounter a situation where an LDAP client uses
SASL GSSAPI authentication and the existing Kerberos ticket expires in the course
of an outstanding search request. According to the LDAPv3 protocol specification, an
LDAP client must perform re-negotiation before reading any outstanding PDUs. It
would ask the Kerberos KDC for a new (or renewed) TGT, which would cause MOD updates
to the primary tree, which is tracked for changes by slapi-nis. These changes
would be blocked by a slapi-nis reader, as the client cannot finish reading
outstanding PDUs yet.

To solve this problem, we avoid sending LDAP entries while holding the map cache
lock. Instead, we generate a linked list of copies of the entries which will be
sent out. To allow sharing of entries between multiple parallel queries, we
hash the entry and reference the cached entry in the linked list with an increased
reference count. Once an entry is actually sent, its reference count is decreased, and
on reaching zero it is removed from the hash.

The entry in the hash table might become outdated. This is detected by comparing
both the modifyTimestamp and entryUSN values of the entry to be sent and the entry in the
hash table. If the new version of the entry is different, the hash table's entry reference
is replaced with a new copy. The old entry is not removed because it is still
referenced by some outstanding query processing. Thus, the hash table always
references the most recent version of an entry, but there might be multiple copies
in the possession of the linked lists from the separate parallel queries.

Entry sharing via the hash table can be disabled by setting
        slapi-entry-cache: 0
in the definition cn=Schema Compatibility,cn=plugins,cn=config

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1273587
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When the slapi-nis plugin responds to a search query, it holds a read lock for
the internal structure called 'map cache'. The map cache lock can also be taken
for write when a modification would be required, like responding to DELETE, ADD, or
MODIFY operations.

As a result of the lock semantics, the write lock owner is blocked until all read lock
owners release their locks. This is generally not a problem, but when readers send
out LDAP query results, they call into a SLAPI function that might take a long time
to send out the data due to external reasons (network latencies, clients being
blocked, etc.) and all this time the map cache is locked for write operations.

When the Kerberos KDC issues a TGT, it needs to modify a few Kerberos-related attributes
in the principal's LDAP entry. These updates generate MOD operations visible
to the slapi-nis plugin, which trigger a re-scan of the map cache to potentially replace
the affected entries. To perform the potential replacement, slapi-nis has to take a write
lock and is blocked by outstanding readers.

Therefore, it is possible to encounter a situation where an LDAP client uses
SASL GSSAPI authentication and the existing Kerberos ticket expires in the course
of an outstanding search request. According to the LDAPv3 protocol specification, an
LDAP client must perform re-negotiation before reading any outstanding PDUs. It
would ask the Kerberos KDC for a new (or renewed) TGT, which would cause MOD updates
to the primary tree, which is tracked for changes by slapi-nis. These changes
would be blocked by a slapi-nis reader, as the client cannot finish reading
outstanding PDUs yet.

To solve this problem, we avoid sending LDAP entries while holding the map cache
lock. Instead, we generate a linked list of copies of the entries which will be
sent out. To allow sharing of entries between multiple parallel queries, we
hash the entry and reference the cached entry in the linked list with an increased
reference count. Once an entry is actually sent, its reference count is decreased, and
on reaching zero it is removed from the hash.

The entry in the hash table might become outdated. This is detected by comparing
both the modifyTimestamp and entryUSN values of the entry to be sent and the entry in the
hash table. If the new version of the entry is different, the hash table's entry reference
is replaced with a new copy. The old entry is not removed because it is still
referenced by some outstanding query processing. Thus, the hash table always
references the most recent version of an entry, but there might be multiple copies
in the possession of the linked lists from the separate parallel queries.

Entry sharing via the hash table can be disabled by setting
        slapi-entry-cache: 0
in the definition cn=Schema Compatibility,cn=plugins,cn=config

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1273587
</pre>
</div>
</content>
</entry>
<entry>
<title>slapi-nis: don't search in SSSD when memberUid has no '@' separator</title>
<updated>2015-07-28T12:37:24+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2015-07-16T14:07:31+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=9666cede23d150326b65c7fb6c7f760fe515b7e4'/>
<id>9666cede23d150326b65c7fb6c7f760fe515b7e4</id>
<content type='text'>
In the case there are no groups in the cn=groups map that have a certain
memberUid as a member, we look at the possibility that this user might
be coming from a trusted AD forest. However, all users from trusted
AD forests do have an '@' separator in the name between the user name
and the domain.

In case there is no '@' separator, consider such a search as not valid
for lookups in SSSD.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1243823
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In the case there are no groups in the cn=groups map that have a certain
memberUid as a member, we look at the possibility that this user might
be coming from a trusted AD forest. However, all users from trusted
AD forests do have an '@' separator in the name between the user name
and the domain.

In case there is no '@' separator, consider such a search as not valid
for lookups in SSSD.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1243823
</pre>
</div>
</content>
</entry>
<entry>
<title>Make sure default buffer for nsswitch operations is big enough</title>
<updated>2015-03-26T08:46:53+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2015-02-25T08:08:39+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=dd1d44730f2724986f820151d6ec2a49f6e52ddf'/>
<id>dd1d44730f2724986f820151d6ec2a49f6e52ddf</id>
<content type='text'>
By default, initial buffer sizes for getgrent/getgrnam/... functions
are way too small for large groups in Active Directory, so make sure
we have something reasonable for groups with hundreds or thousands of members.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
By default, initial buffer sizes for getgrent/getgrnam/... functions
are way too small for large groups in Active Directory, so make sure
we have something reasonable for groups with hundreds or thousands of members.
</pre>
</div>
</content>
</entry>
<entry>
<title>nss: make sure to remember the length of reallocated buffer</title>
<updated>2015-03-26T08:46:39+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2015-02-24T11:18:34+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=44c97a46a1920f6db18b8c90b396a94a653d755c'/>
<id>44c97a46a1920f6db18b8c90b396a94a653d755c</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>schema-compat: use libnss_sss.so.2 explicitly to resolve trusted domain users via NSS</title>
<updated>2015-03-26T08:46:29+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2014-11-12T11:23:17+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=3368b2c04c870ffa5bfb831980d28bfa50534e0b'/>
<id>3368b2c04c870ffa5bfb831980d28bfa50534e0b</id>
<content type='text'>
When the Schema Compatibility plugin is configured to enumerate users and groups
from Active Directory domains trusted by FreeIPA, use the nss_sss module directly
instead of following the nsswitch.conf configuration.

The issue with the nsswitch.conf configuration is the fact that for each request
all modules in the NSS chain are processed, while only one of them is responsible
for users from trusted Active Directory domains, namely nss_sss.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When the Schema Compatibility plugin is configured to enumerate users and groups
from Active Directory domains trusted by FreeIPA, use the nss_sss module directly
instead of following the nsswitch.conf configuration.

The issue with the nsswitch.conf configuration is the fact that for each request
all modules in the NSS chain are processed, while only one of them is responsible
for users from trusted Active Directory domains, namely nss_sss.
</pre>
</div>
</content>
</entry>
<entry>
<title>Use slapi_entry_find_attr instead of slapi_entry_attr_exists</title>
<updated>2015-03-26T08:45:21+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2014-10-14T14:25:46+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=13ebc3edfe1d6d8888f3d70f189638cf5ddd71ed'/>
<id>13ebc3edfe1d6d8888f3d70f189638cf5ddd71ed</id>
<content type='text'>
To keep slapi-nis code portable to older versions of 389-ds-base,
avoid using slapi_entry_attr_exists() as it was only introduced in
389-ds-base 1.3.3.0.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
To keep slapi-nis code portable to older versions of 389-ds-base,
avoid using slapi_entry_attr_exists() as it was only introduced in
389-ds-base 1.3.3.0.
</pre>
</div>
</content>
</entry>
<entry>
<title>schema-compat: support ID overrides in bind callback</title>
<updated>2014-10-30T12:16:06+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2014-10-28T09:16:50+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=c9c9d1413a6950344bc842024fda84212cc7322f'/>
<id>c9c9d1413a6950344bc842024fda84212cc7322f</id>
<content type='text'>
If the RDN of the bind DN is overridden within the ID view, rewrite the
target to use the original value of the uid attribute.

If the original uid attribute is not available, fail the search and thus
the whole bind request by claiming that the bind DN does not exist.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If the RDN of the bind DN is overridden within the ID view, rewrite the
target to use the original value of the uid attribute.

If the original uid attribute is not available, fail the search and thus
the whole bind request by claiming that the bind DN does not exist.
</pre>
</div>
</content>
</entry>
<entry>
<title>ID views: ignore searches for views outside the subtrees of schema-compat sets</title>
<updated>2014-10-30T12:15:52+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2014-10-28T08:09:47+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=778c95866f28d894822e37223b69816981d29529'/>
<id>778c95866f28d894822e37223b69816981d29529</id>
<content type='text'>
The schema-compat plugin may provide multiple disjoint subtrees which
can be used to request overridden entries by prefixing the subtree
suffix with a

  cn=&lt;name of view&gt;,cn=views,&lt;subtree suffix&gt;

As subtrees may be disjoint, we cannot rely on a common suffix. Thus,
any attempt to replace the target DN and update filter terms must only be
done once we are sure the search will be done in the subtree.

This optimization prevents mistakenly changing the search filter when
FreeIPA and SSSD search for the ID overrides themselves, as the same
structure of the target DN is used for the cn=views,cn=accounts,$SUFFIX
subtree in FreeIPA. This subtree is never handled by slapi-nis and
should be ignored.

https://bugzilla.redhat.com/show_bug.cgi?id=1157989
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The schema-compat plugin may provide multiple disjoint subtrees which
can be used to request overridden entries by prefixing the subtree
suffix with a

  cn=&lt;name of view&gt;,cn=views,&lt;subtree suffix&gt;

As subtrees may be disjoint, we cannot rely on a common suffix. Thus,
any attempt to replace the target DN and update filter terms must only be
done once we are sure the search will be done in the subtree.

This optimization prevents mistakenly changing the search filter when
FreeIPA and SSSD search for the ID overrides themselves, as the same
structure of the target DN is used for the cn=views,cn=accounts,$SUFFIX
subtree in FreeIPA. This subtree is never handled by slapi-nis and
should be ignored.

https://bugzilla.redhat.com/show_bug.cgi?id=1157989
</pre>
</div>
</content>
</entry>
<entry>
<title>slapi-nis: normalize memberUid search filter when searching AD users</title>
<updated>2014-10-10T08:58:35+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2014-10-09T10:52:38+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/slapi-nis.git/commit/?id=c407d5a83e505ee0f1b606c801ededf3a38f6145'/>
<id>c407d5a83e505ee0f1b606c801ededf3a38f6145</id>
<content type='text'>
The memberUid attribute uses IA5 String comparison, which is case-sensitive.
At the same time, the uid attribute uses case-insensitive comparison.

When memberUid is constructed for groups from AD, SSSD normalizes names
to lower case. slapi-nis records these entries as they are produced by SSSD.
However, the search filter is not modified, thus case-sensitive comparison
of the memberUid attribute may fail to match the original term.

Work around the issue by lower-casing the memberUid term in the search filter
if it includes an '@' sign, meaning we are searching on a fully-qualified user
name provided by SSSD.

https://bugzilla.redhat.com/show_bug.cgi?id=1130131
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The memberUid attribute uses IA5 String comparison, which is case-sensitive.
At the same time, the uid attribute uses case-insensitive comparison.

When memberUid is constructed for groups from AD, SSSD normalizes names
to lower case. slapi-nis records these entries as they are produced by SSSD.
However, the search filter is not modified, thus case-sensitive comparison
of the memberUid attribute may fail to match the original term.

Work around the issue by lower-casing the memberUid term in the search filter
if it includes an '@' sign, meaning we are searching on a fully-qualified user
name provided by SSSD.

https://bugzilla.redhat.com/show_bug.cgi?id=1130131
</pre>
</div>
</content>
</entry>
</feed>
