Initializing the map cache may take time. Skip slapi-nis lookups until
the map cache is ready.
FreeIPA allows including external (non-LDAP) members in POSIX groups.
To define external members, an attribute ipaExternalMember is set to
the list of references to external members. Currently both FreeIPA and
SSSD support only references done with SIDs (Security Identifiers) from
the forests trusted by FreeIPA.

Resolving external members of FreeIPA groups requires resolving SIDs to
user and group names. However, since this resolution is already
implemented by SSSD for the group in question, slapi-nis can use the
fact that there is a non-empty ipaExternalMember attribute value to
trigger a lookup of the FreeIPA group via SSSD and then copy over the
memberUid attribute value set.

This logic requires that the ipaExternalMember attribute value is present in
the entry to be put into the map cache. Thus, an additional
configuration is needed for the groups container:

schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")

Note that resolving external members of IPA groups requires using a
version of slapi-nis that populates the map cache after LDAP server
startup, as SSSD needs to talk back to the LDAP server in the process of
resolving external group members and that is not possible at the time
when the slapi-nis plugin starts up, as the LDAP server is not yet listening
for incoming connections at that point.
- ID view processing should only happen if an ID view is defined
- When finding an attribute with slapi_entry_attr_find(), use the correct return
code (slapi_entry_attr_exists() returns 1, _find() returns 0)
- cn=<view>,cn=views,cn=compat,$SUFFIX lookup is fixed

Resolves: rhbz#1277576, rhbz#1265465
https://bugzilla.redhat.com/show_bug.cgi?id=1277576
https://bugzilla.redhat.com/show_bug.cgi?id=1265465
When the slapi-nis plugin responds to a search query, it holds a read lock for
the internal structure called 'map cache'. The map cache lock can also be taken
for write when a modification would be required, like responding to DELETE, ADD, or
MODIFY operations.

As a result of the lock semantics, the write lock owner is blocked until all read lock
owners release their locks. This is generally not a problem, but when readers send
out LDAP query results, they call into a SLAPI function that might take a long time
to send out the data due to external reasons (network latencies, clients being
blocked, etc.) and all this time the map cache is locked for write operations.

When the Kerberos KDC issues a TGT, it needs to modify a few Kerberos-related attributes
in the principal's LDAP entry. These updates generate MOD operations visible
to the slapi-nis plugin, which triggers a re-scan of the map cache to potentially replace
the affected entries. To perform the potential replacement, slapi-nis has to take a write
lock and is blocked by outstanding readers.

Therefore, it is possible to encounter a situation where an LDAP client uses
SASL GSSAPI authentication and the existing Kerberos ticket expired in the course
of an outstanding search request. According to the LDAPv3 protocol specification, an
LDAP client must perform re-negotiation before reading any outstanding PDUs. It
would ask the Kerberos KDC for a new (or renewed) TGT, which would cause MOD updates
for the primary tree, which is tracked for changes by slapi-nis. These changes
would be blocked by a slapi-nis reader, as the client cannot finish reading
outstanding PDUs yet.

To solve this problem, we avoid sending LDAP entries while holding the map cache
lock. Instead, we generate a linked list of copies of entries which will be
sent out. To allow sharing of entries between multiple parallel queries, we
hash the entry and reference the cached entry in the linked list with an increased
reference count. Once an entry is actually sent, its reference count is decreased and
on reaching zero it is removed from the hash.

The entry in the hash table might become outdated. This is detected by comparing
both the modifyTimestamp and entryUSN values of the entry to be sent and the entry in the
hash table. If the new version of the entry is different, the hash table's entry reference
is replaced with a new copy. The old entry is not removed because it is still
referenced by some outstanding query processing. Thus, the hash table always
references the most recent version of an entry, but there might be multiple copies
in possession of the linked lists from the separate parallel queries.

Entry sharing via the hash table can be disabled by setting

slapi-entry-cache: 0

in the definition, cn=Schema Compatibility,cn=plugins,cn=config

Resolves: rhbz#1273587
https://bugzilla.redhat.com/show_bug.cgi?id=1273587
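The sharing scheme from this message, as an added example that is not slapi-nis code: a minimal C model in which a reader takes a referenced copy of an entry while holding the map cache lock, the table is refreshed when modifyTimestamp or entryUSN differ, and an outdated copy survives until its last reader releases it. The entry layout, the single-bucket table and the counters are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical, simplified model of the entry-sharing scheme described in the
 * commit message above; not slapi-nis code. A shared copy is keyed by DN and
 * carries the (modifyTimestamp, entryUSN) pair used to spot an outdated copy.
 * The table holds no reference of its own: refcount counts outstanding readers. */
struct shared_entry {
    char dn[64], modify_ts[32];
    unsigned long usn;
    int refcount, in_table;
    struct shared_entry *next;
};
static struct shared_entry *table;  /* one list bucket stands in for the hash table */
static int allocated;               /* copies currently alive, for checking */
static void table_unlink(struct shared_entry *e) {
    struct shared_entry **p;
    for (p = &table; *p != NULL; p = &(*p)->next)
        if (*p == e) { *p = e->next; break; }
    e->in_table = 0;
}
/* Reader side, called while the map cache read lock is held: returns a
 * referenced copy that can be sent after the lock has been released. */
struct shared_entry *entry_acquire(const char *dn, const char *ts, unsigned long usn) {
    struct shared_entry *e;
    for (e = table; e != NULL; e = e->next)
        if (strcmp(e->dn, dn) == 0) break;
    if (e != NULL && strcmp(e->modify_ts, ts) == 0 && e->usn == usn) {
        e->refcount++;          /* same version: share the cached copy */
        return e;
    }
    if (e != NULL)              /* outdated: drop it from the table only; readers
                                   still sending it keep their reference */
        table_unlink(e);
    e = calloc(1, sizeof(*e));
    if (e == NULL) return NULL;
    strncpy(e->dn, dn, sizeof(e->dn) - 1);
    strncpy(e->modify_ts, ts, sizeof(e->modify_ts) - 1);
    e->usn = usn; e->refcount = 1; e->in_table = 1;
    e->next = table; table = e; allocated++;
    return e;
}
/* Called once the copy has actually been sent out. */
void entry_release(struct shared_entry *e) {
    if (--e->refcount > 0) return;
    if (e->in_table) table_unlink(e);   /* last reader gone: leave the hash too */
    free(e); allocated--;
}
int entries_alive(void) { return allocated; }
int table_size(void) { int n = 0; for (struct shared_entry *e = table; e; e = e->next) n++; return n; }
```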
By default, initial buffer sizes for the getgrent/getgrnam/... functions
are way too small for large groups in Active Directory, so make sure
we have something reasonable for groups with hundreds or thousands of members.
To keep slapi-nis code portable to older versions of 389-ds-base,
avoid using slapi_entry_attr_exists() as it was only introduced in
389-ds-base 1.3.3.0.
If the RDN of the bind DN is overridden within the ID view, rewrite the
target to use the original value of the uid attribute.
If the original uid attribute is not available, fail the search and thus
the whole bind request by claiming that the bind DN does not exist.
The schema-compat plugin may provide multiple disjoint subtrees which
can be used to request overridden entries by prefixing the subtree
suffix with a view:

cn=<name of view>,cn=views,<subtree suffix>

As subtrees may be disjoint, we cannot rely on the common suffix. Thus,
any attempt to replace the target DN and update filter terms must only be
done once we are sure the search will be done in the subtree.

This optimization prevents mistakenly changing the search filter when
FreeIPA and SSSD search for the ID overrides themselves, as the same
structure of the target DN is used for the cn=views,cn=accounts,$SUFFIX
subtree in FreeIPA. This subtree is never handled by slapi-nis and
should be ignored.

https://bugzilla.redhat.com/show_bug.cgi?id=1157989
FreeIPA ID views allow overriding POSIX attributes for certain
users and groups.

Support is added to allow using a specific ID view when serving the
compatibility tree. Each user or group entry which has an override
in the view is amended with the overridden values from the view
before being served out to the LDAP client.

The view to use is specified as a part of the base DN:

cn=<view>,cn=views,cn=compat,$SUFFIX

where cn=compat,$SUFFIX is the original compatibility tree base DN.

Each entry, when served through the view, gets its DN rewritten to
specify the view. Additionally, if an override in the view changes the
uid (for users) or cn (for groups) attribute, the entry's RDN is changed
accordingly.

For groups, the memberUid attribute is modified as well in case there is an override
in the view that changes the uid value of that member.

FreeIPA ID views support overrides for users of trusted Active Directory domains.
In case a trusted AD domain's user or group is returned via the compatibility tree,
view overrides are applied in two stages:

1. SSSD applies the default view for AD users
2. slapi-nis applies the explicitly specified (host-specific) view
on top of the entry returned by SSSD

Thus, slapi-nis does not need to apply the default view for AD users, and if there are
no host-specific views in use, there is no need to specify a view in the base DN,
making the overhead of a default view for AD users lower.
Avoid calling strdup() in a situation where we don't need to, so that we
can better handle cases where it fails (static analysis).
Treat "schema-compat-lookup-nsswitch: passwd" in the configuration the
same as "schema-compat-lookup-nsswitch: user", to not fail for people
who forget and try to use the nsswitch database name.
If we hit out-of-memory (strdup() failures) while reading the
configuration, don't crash (static analysis). In some cases,
this means we proceed with garbage data until the copy_config()
function sanity-checks its input and output.
map_data_set_entry() passes pointers to the lengths of the key and the value
to map_data_save_list(), which interprets them as arrays of integers.
Add {nis,schema-compat}-ignore-subtree (subtrees under which we ignore
contents and updates) and {nis,schema-compat}-restrict-subtree (subtrees
outside of which we ignore contents and updates, if set) settings, and
default the former to "cn=tasks,cn=config".

This should avoid cases where we're looking through the ldbm backend for
entries which have a dangling reference to a newly-added task (which,
because it's in the DSE, means we acquire an ldbm lock after acquiring
our internal lock) while also updating a compat entry after its source
entry is modified (for example, by the memberOf plugin, which results in
us attempting to acquire our lock while the ldbm lock is already held).
Add a schema-compat-relevant-subtree configuration option, listing the
only parts of the DIT that we should ever look at, either as source
entries or as other entries which contain data which might be pulled in
as part of computing the contents of compat entries.
This is more or less the whitelist to schema-compat-ignore-subtree's
blacklist.
Add a schema-compat-ignore-subtree configuration option, listing parts
of the DIT that we should never look at, neither as source entries nor
as random other entries which contain data which might be pulled in as
part of computing the contents of compat entries.
Always use normalized RDNs as map keys, so that we can be sure that a
lookup using part of the DN will find the entry, even if it needed to be
escaped and/or normalized to something else at some point.
Make the addition of extensibleObject to the list of objectclasses
conditional on there being an ipaNTSecurityIdentifier value in the source
entry.
Handle cases where we fail to acquire locks.
Don't depend on a text attribute in a synthetic entry to tell us where
it came from; just record it in the entry's backend_data and consult it
directly later.
If we're sending a result, don't log that we're sending a closest match,
even if it's "(null)", if we're not sending a closest match.
Rename backend_staged_data to backend_staged_search.
Fix some formatting.
Change how we walk the list of entries retrieved using a staged search
so that if the map's been removed since the search was staged, we still
free the temporary entry structures.
When we fail to obtain a read lock on the data, attempt to fail the
operation, so that it can be retried later.
Since trusted domain users do not exist in the LDAP tree, their
authentication is handed over to the PAM stack with the hope that PAM is set
up properly to authenticate them.

Additionally, this patch completely refactors authentication for the
original DNs that *are* located in the LDAP tree. The previous way to handle
it was through referrals being sent back. However, this method does not
work at all.

Instead, we set SLAPI_BIND_TARGET_DN to the entry's original DN and hand
over pre-bind processing to the other directory server plugins. If
slapi-nis is set up with a higher precedence than them, authentication will
be handled by the others.
The schema-compat plugin can be configured to serve users and groups through
the plugin configuration entry in the directory server:

schema-compat-lookup-nsswitch: <user|group>
schema-compat-nsswitch-min-id: <value>

Separate trees should be configured to look up users and groups. If the
minimal id value is missing, it will default to 1000.
consulted
When one instance of schema compat plugin is configured to consult
NSSWITCH, promote its configuration to the backend.
Default to not looking into NSSWITCH.
NSSWITCH supporting code needs access to the schema-compat structures
- add missing newlines at the end of a couple of messages
- make that one bit that we compare to zero unsigned instead of signed
* Check for BETXN support at build-time, provide options for disabling
or requiring that it be available for build to succeed.
* Track whether or not BETXN support is enabled in the plugin-local
state.
* Skip processing in post/internalpost callbacks if BETXN support is enabled.
* Skip work in betxnpost callbacks if BETXN support is disabled.
When NIS Plugin and Schema Compatibility Plugin config entries include
nsslapd-pluginbetxn: on
(the value could be yes, true or 1, too),
the plugins' update callbacks (add, delete, modify, and modrdn) are
called at the betxn pre/postop timing. By default, the value of
nsslapd-pluginbetxn is off.
(See also https://fedorahosted.org/389/ticket/351)
Transaction support the way we added it is an all-or-nothing proposition
for a server installation, which turned out to be problematic, so 389 is
going to pursue another strategy for that. The new way requires that we
not register as a betxn plugin, ever.
entryUSN or the root DSE's lastUSN (if we have no source entry)
reported by Christian Neuhold
already have, so that we can pass the transaction ID around; this
includes additional parameters for a number of functions and a new
callback data type for backend_set_config_entry_add_cb()
allocates internal state each time but doesn't clean up any that's
already there if you reuse the block
- correctly free values we use when constructing compat entries
passing the TXN ID around, which means we deadlock if we actually do it