| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
- ID View processing should only happen if ID view is defined
- When finding attribute with slapi_entry_attr_find() use correct return
code (slapi_entry_attr_exists() returns 1, _find() returns 0)
- cn=<view>,cn=views,cn=compat,$SUFFIX lookup is fixed
Resolves: rhbz#1277576, rhbz#1265465
https://bugzilla.redhat.com/show_bug.cgi?id=1277576
https://bugzilla.redhat.com/show_bug.cgi?id=1265465
|
| |
|
|
|
|
| |
To keep slapi-nis code portable to older versions of 389-ds-base,
avoid using slapi_entry_attr_exists() as it was only introduced in
389-ds-base 1.3.3.0.
|
| |
|
|
|
|
|
|
| |
If RDN of the bind DN is overridden within the ID view, rewrite the
target to use original value of the uid attribute.
If original uid attribute is not available, fail the search and thus
the whole bind request by claiming that bind DN does not exist.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
schema-compat plugin may provide multiple disjoint subtrees which
can be used to request overridden entries by prefixing the subtree
suffix with a
cn=<name of view>,cn=views,<subtree suffix>
As subtrees may be disjoint, we cannot rely on the common suffix. Thus,
any attempt to replace target DN and update filter terms must only be
done once we are sure the search will be done in the subtree.
This optimization prevents mistakenly changing the search filter when
FreeIPA and SSSD search for the ID overrides themselves, as the same
structure of the target DN is used for cn=views,cn=accounts,$SUFFIX
subtree in FreeIPA. This subtree is never handled by slapi-nis and
should be ignored.
https://bugzilla.redhat.com/show_bug.cgi?id=1157989
|
|
|
FreeIPA ID views allow to override POSIX attributes for certain
users and groups.
A support is added to allow using specific ID view when serving
compatibility tree. Each user or group entry which has an override
in the view is amended with the overridden values from the view
before served out to the LDAP client.
A view to use is specified as a part of base DN:
cn=<view>,cn=views,cn=compat,$SUFFIX
where cn=compat,$SUFFIX is the original compatibility tree base DN.
Each entry, when served through the view, gets new DN rewritten to
specify the view. Additionally, if override in the view changes
uid (for users) or cn (for groups) attribute, the entry's RDN is changed
accordingly.
For groups memberUid attribute is modified as well in case there is an override
in the view that changes uid value of that member.
FreeIPA ID views support overrides for users of trusted Active Directory domains.
In case of a trusted AD domain's user or group is returned via compatibility tree,
view overrides are applied in two stages:
1. SSSD applies default view for AD users
2. slapi-nis applies explicitly specified (host-specific) view
on top of the entry returned by SSSD
Thus, slapi-nis does not need to apply default view for AD users and if there are
no host-specific views in use, there is no need to specify a view in the base DN,
making overhead of a default view for AD users lower.
|
