| Commit message | Author | Age | Files | Lines |
| |
In case libsss_nss_idmap provides a timeout-enabled NSS API, use it.
This solves a problem of too long queries to an NSS backend with the
traditional POSIX NSS API. In case SSSD takes too long to respond
to a query, the corresponding 389-ds thread running the schema-compat plugin
would be stuck waiting for that response. It can lead to an exhaustion of
389-ds threads.
A refactored interface to NSS backends is introduced with this commit.
A backend API looks like the API an NSS plugin has to implement in glibc
but also allows handling timeout-based requests internally.
If the backend implements timeout-enabled calls, then the
backend_nss_set_timeout() function can be used to modify a per-context
state. There is no need for a caller to know whether the backend supports
timeout-enabled calls because either way these calls are synchronous
and the backend choice is made at compile-time.
The schema-compat plugin uses 10 seconds as its default timeout. One can
change it via the 'slapi-nss-timeout' attribute in the plugin config entry.
| |
When SSSD resolves AD users on behalf of slapi-nis, it can accept
any user identifier, including a user principal name (UPN) which
may be different from the canonical user name which SSSD returns.
As a result, the entry created by slapi-nis will use the canonical user
name but the filter for the search will refer to the original (aliased)
name. The search will not match the newly created entry.
Fix this issue by returning two values for the 'uid' attribute: the
canonical one and the aliased one. This way the search will match.
Verified that SSSD with id_provider=ldap happily consumes such entries.
By LDAP schema, the 'uid' attribute can have multiple values.
Fixes https://fedorahosted.org/slapi-nis/ticket/12
| |
When the memberUid attribute is generated, it has to be normalized,
otherwise searches for members against groups in the compat tree will fail.
slapi-nis already normalizes elements of a search filter that mention
memberUid attribute values, but the original memberUid value should be
normalized as well.
| |
In case there are no groups in the cn=groups map that have a certain
memberUid as a member, we look at the possibility that this user might
be coming from a trusted AD forest. However, all users from trusted
AD forests have an '@' separator in the name between the user name
and the domain.
In case there is no '@' separator, consider such a search not valid
for lookups in SSSD.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1243823
| |
users via NSS
When the Schema Compatibility plugin is configured to enumerate users and groups
from Active Directory domains trusted by FreeIPA, use the nss_sss module directly
instead of following the nsswitch.conf configuration.
The issue with the nsswitch.conf configuration is the fact that for each request
all modules in the NSS chain are processed while only one of them is responsible
for users from trusted Active Directory domains, namely nss_sss.
| |
The memberUid attribute uses IA5String comparison, which is case-sensitive.
At the same time, the uid attribute uses case-insensitive comparison.
When memberUid is constructed for groups from AD, SSSD normalizes names
to lower case. slapi-nis records these entries as they are produced by SSSD.
However, the search filter is not modified, thus the case-sensitive comparison
of the memberUid attribute may fail to match the original term.
Work around the issue by lower-casing the memberUid term in the search filter
if it includes an '@' sign, meaning we are searching on a fully-qualified user
name provided by SSSD.
https://bugzilla.redhat.com/show_bug.cgi?id=1130131
| |
FreeIPA ID views allow overriding POSIX attributes for certain
users and groups.
Support is added to allow using a specific ID view when serving the
compatibility tree. Each user or group entry which has an override
in the view is amended with the overridden values from the view
before being served out to the LDAP client.
The view to use is specified as part of the base DN:
cn=<view>,cn=views,cn=compat,$SUFFIX
where cn=compat,$SUFFIX is the original compatibility tree base DN.
Each entry, when served through the view, gets its DN rewritten to
specify the view. Additionally, if an override in the view changes the
uid (for users) or cn (for groups) attribute, the entry's RDN is changed
accordingly.
For groups, the memberUid attribute is modified as well in case there is an override
in the view that changes the uid value of that member.
FreeIPA ID views support overrides for users of trusted Active Directory domains.
In case a trusted AD domain's user or group is returned via the compatibility tree,
view overrides are applied in two stages:
1. SSSD applies the default view for AD users
2. slapi-nis applies the explicitly specified (host-specific) view
on top of the entry returned by SSSD
Thus, slapi-nis does not need to apply the default view for AD users, and if there are
no host-specific views in use, there is no need to specify a view in the base DN,
making the overhead of the default view for AD users lower.
| |
Break out a backend_make_user_entry_from_nsswitch_passwd function for
converting a passwd structure to an entry, and rename the helper for
groups to match it.
| |
Don't depend on a text attribute in a synthetic entry to tell us where
it came from; just record it in the entry's backend_data and consult it
directly later.
| |
When allocating the array for returning a list of group entries, use
calloc() to ensure that the array is zero-filled, in case resizing it
fails for some reason.
| |
Rename backend_staged_data to backend_staged_search.
Fix some formatting.
Change how we walk the list of entries retrieved using a staged search
so that if the map's been removed since the search was staged, we still
free the temporary entry structures.
| |
Avoid possibly getting thrown by searches where a specified object class
is a prefix of one that we're looking for.
| |
Avoid using slapi_escape_filter_value(), which is newer than the
versions of directory server which we find in EL6; calling it at run-time
there leads to an unresolvable symbol error, taking down the server.
| |
Originally we added a dedicated function to do this, but this was the
only place it was called from.
|
src/back-sch-nss.c implements the interface to query users and groups on a
FreeIPA master server via getpwnam_r(), getgrnam_r(), and libsss_idmap.