path: root/src/back-sch-nss.c
Commit log (subject, author, date, files changed, lines removed/added):
* nss: force lower case for memberUid attribute as per RFC2307 (Alexander Bokovoy, 2016-01-15, 1 file, -4/+18)

  When the memberUid attribute is generated, it has to be normalized, or otherwise searches for members against groups in the compat tree will fail. slapi-nis already normalizes elements of a search filter that mention memberUid attribute values, but the original memberUid value should be normalized as well.
* slapi-nis: don't search in SSSD when memberUid has no '@' separator (Alexander Bokovoy, 2015-07-28, 1 file, -2/+5)

  In the case there are no groups in the cn=groups map that have a certain memberUid as a member, we look at the possibility that this user might be coming from a trusted AD forest. However, all users from trusted AD forests have the '@' separator in the name between the user name and the domain. In case there is no '@' separator, consider such a search as not valid for lookups in SSSD.

  Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1243823
* nss: make sure to remember the length of reallocated buffer (Alexander Bokovoy, 2015-03-26, 1 file, -0/+4)
* schema-compat: use libnss_sss.so.2 explicitly to resolve trusted domain users via NSS (Alexander Bokovoy, 2015-03-26, 1 file, -35/+211)

  When the Schema Compatibility plugin is configured to enumerate users and groups from Active Directory domains trusted by FreeIPA, use the nss_sss module directly instead of following the nsswitch.conf configuration. The issue with the nsswitch.conf configuration is that for each request all modules in the NSS chain are processed, while only one of them is responsible for users from trusted Active Directory domains, namely nss_sss.
* slapi-nis: normalize memberUid search filter when searching AD users (Alexander Bokovoy, 2014-10-10, 1 file, -3/+32)

  The memberUid attribute uses IA5 String comparison, which is case-sensitive. At the same time, the uid attribute uses case-insensitive comparison. When memberUid is constructed for groups from AD, SSSD normalizes names to lower case. slapi-nis records these entries as they are produced by SSSD. However, the search filter is not modified, thus the case-sensitive comparison of the memberUid attribute may fail to match the original term.

  Work around the issue by lower-casing the memberUid term in the search filter if it includes the '@' sign, meaning we are searching on a fully-qualified user name provided by SSSD.

  https://bugzilla.redhat.com/show_bug.cgi?id=1130131
* Add support for FreeIPA ID views (Alexander Bokovoy, 2014-10-10, 1 file, -21/+90)

  FreeIPA ID views allow overriding POSIX attributes for certain users and groups. Support is added to allow using a specific ID view when serving the compatibility tree. Each user or group entry which has an override in the view is amended with the overridden values from the view before being served out to the LDAP client.

  The view to use is specified as a part of the base DN: cn=<view>,cn=views,cn=compat,$SUFFIX where cn=compat,$SUFFIX is the original compatibility tree base DN. Each entry, when served through the view, gets a new DN rewritten to specify the view. Additionally, if an override in the view changes the uid (for users) or cn (for groups) attribute, the entry's RDN is changed accordingly. For groups, the memberUid attribute is modified as well in case there is an override in the view that changes the uid value of that member.

  FreeIPA ID views support overrides for users of trusted Active Directory domains. In case a trusted AD domain's user or group is returned via the compatibility tree, view overrides are applied in two stages:

  1. SSSD applies the default view for AD users
  2. slapi-nis applies the explicitly specified (host-specific) view on top of the entry returned by SSSD

  Thus, slapi-nis does not need to apply the default view for AD users, and if there are no host-specific views in use, there is no need to specify a view in the base DN, making the overhead of a default view for AD users lower.
* Remove an unused local variable (Nalin Dahyabhai, 2013-12-12, 1 file, -1/+1)
* Remove a pair of unused variables (Nalin Dahyabhai, 2013-08-28, 1 file, -2/+0)
* Directly return lists when making single queries (Nalin Dahyabhai, 2013-08-27, 1 file, -35/+42)
* Break out passwd-to-slapi_entry conversion (Nalin Dahyabhai, 2013-08-27, 1 file, -55/+70)

  Break out a backend_make_user_entry_from_nsswitch_passwd function for converting a passwd structure to an entry, and rename the helper for groups to match it.
* Properly escape DNs of nsswitch-based entries (Nalin Dahyabhai, 2013-08-12, 1 file, -15/+59)
* Remove some unused variables (Nalin Dahyabhai, 2013-08-12, 1 file, -1/+0)
* Make notes of our staged nsswitch lookups (Nalin Dahyabhai, 2013-08-12, 1 file, -0/+23)
* Switch to tracking entry sources explicitly (Nalin Dahyabhai, 2013-08-12, 1 file, -5/+0)

  Don't depend on a text attribute in a synthetic entry to tell us where it came from; just record it in the entry's backend_data and consult it directly later.
* Ensure that the grouplist entry array is inited (Nalin Dahyabhai, 2013-08-12, 1 file, -1/+1)

  When allocating the array for returning a list of group entries, use calloc() to ensure that the array is zero-filled, in case resizing it fails for some reason.
* Renames and fix a memory leak (Nalin Dahyabhai, 2013-08-12, 1 file, -20/+20)

  Rename backend_staged_data to backend_staged_search. Fix some formatting. Change how we walk the list of entries retrieved using a staged search so that if the map's been removed since the search was staged, we still free the temporary entry structures.
* Compare object class names in bervals correctly (Nalin Dahyabhai, 2013-08-12, 1 file, -3/+21)

  Avoid possibly getting thrown by searches where a specified object class is a prefix of one that we're looking for.
* Avoid slapi_escape_filter_value(), which is fresh (Nalin Dahyabhai, 2013-08-07, 1 file, -4/+4)

  Avoid using slapi_escape_filter_value(), which is newer than the versions of directory server which we find in EL6, which leads to an unresolvable symbol error if/when we try to call it at run-time, taking down the server.
* Add some missing "#ifdef HAVE_SSS_NSS_IDMAP"s (Nalin Dahyabhai, 2013-08-07, 1 file, -4/+12)
* Add inlined version of what format_strdupbv() (Nalin Dahyabhai, 2013-08-07, 1 file, -1/+6)

  Originally we added a dedicated function to do this, but this was the only place it was called from.
* schema-compat: add support for querying users and groups through NSSWITCH (Alexander Bokovoy, 2013-08-07, 1 file, -0/+574)

  src/back-sch-nss.c implements an interface to query users and groups on the FreeIPA master server via getpwnam_r(), getgrnam_r(), and libsss_idmap.