| Commit message | Author | Age | Files | Lines |
In case there are no groups in the cn=groups map that have a certain
memberUid as a member, we look at the possibility that this user might
be coming from a trusted AD forest. However, all users from trusted
AD forests do have an '@' separator in the name between the user name
and the domain.
In case there is no '@' separator, consider such a search not valid
for lookups in SSSD.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1243823
By default, initial buffer sizes for the getgrent/getgrnam/... functions
are way too small for large groups in Active Directory, so make sure
we have something reasonable for groups with hundreds or thousands of members.
users via NSS
When the Schema Compatibility plugin is configured to enumerate users and groups
from Active Directory domains trusted by FreeIPA, use the nss_sss module directly
instead of following the nsswitch.conf configuration.
The issue with the nsswitch.conf configuration is that for each request
all modules in the NSS chain are processed, while only one of them is responsible
for users from trusted Active Directory domains, namely nss_sss.
To keep slapi-nis code portable to older versions of 389-ds-base,
avoid using slapi_entry_attr_exists() as it was only introduced in
389-ds-base 1.3.3.0.
If the RDN of the bind DN is overridden within the ID view, rewrite the
target to use the original value of the uid attribute.
If the original uid attribute is not available, fail the search, and thus
the whole bind request, by claiming that the bind DN does not exist.
The schema-compat plugin may provide multiple disjoint subtrees which
can be used to request overridden entries by prefixing the subtree
suffix with
cn=<name of view>,cn=views,<subtree suffix>
As subtrees may be disjoint, we cannot rely on the common suffix. Thus,
any attempt to replace the target DN and update filter terms must only be
done once we are sure the search will be done in the subtree.
This optimization prevents mistakenly changing the search filter when
FreeIPA and SSSD search for the ID overrides themselves, as the same
structure of the target DN is used for the cn=views,cn=accounts,$SUFFIX
subtree in FreeIPA. This subtree is never handled by slapi-nis and
should be ignored.
https://bugzilla.redhat.com/show_bug.cgi?id=1157989
The memberUid attribute uses IA5 String comparison, which is case-sensitive.
At the same time, the uid attribute uses case-insensitive comparison.
When memberUid is constructed for groups from AD, SSSD normalizes names
to lower case. slapi-nis records these entries as they are produced by SSSD.
However, the search filter is not modified, thus the case-sensitive comparison
of the memberUid attribute may fail to match the original term.
Work around the issue by lower-casing the memberUid term in the search filter
if it includes an '@' sign, meaning we are searching on a fully-qualified user
name provided by SSSD.
https://bugzilla.redhat.com/show_bug.cgi?id=1130131
FreeIPA ID views allow overriding POSIX attributes for certain
users and groups.
Support is added to allow using a specific ID view when serving the
compatibility tree. Each user or group entry which has an override
in the view is amended with the overridden values from the view
before being served out to the LDAP client.
The view to use is specified as a part of the base DN:
cn=<view>,cn=views,cn=compat,$SUFFIX
where cn=compat,$SUFFIX is the original compatibility tree base DN.
Each entry, when served through the view, gets a new DN rewritten to
specify the view. Additionally, if an override in the view changes the
uid (for users) or cn (for groups) attribute, the entry's RDN is changed
accordingly.
For groups, the memberUid attribute is modified as well in case there is an override
in the view that changes the uid value of that member.
FreeIPA ID views support overrides for users of trusted Active Directory domains.
In case a trusted AD domain's user or group is returned via the compatibility tree,
view overrides are applied in two stages:
1. SSSD applies the default view for AD users
2. slapi-nis applies the explicitly specified (host-specific) view
on top of the entry returned by SSSD
Thus, slapi-nis does not need to apply the default view for AD users, and if there are
no host-specific views in use, there is no need to specify a view in the base DN,
making the overhead of a default view for AD users lower.
The values for NIS hosts.byname and hosts.byaddr maps should start with
addresses, not names. Reported by Rik Megens.
Avoid calling strdup() in a situation where we don't need to, so that we
can better handle cases where it fails (static analysis).
Treat "schema-compat-lookup-nsswitch: passwd" in the configuration the
same as "schema-compat-lookup-nsswitch: user", to not fail for people
who forget and try to use the nsswitch database name.
If we hit out-of-memory (strdup() failures) while reading the
configuration, don't crash (static analysis). In some cases,
this means we proceed with garbage data until the copy_config()
function sanity-checks its input and output.
If we hit out-of-memory (strdup() failures) while reading the
configuration, don't crash (static analysis).
On domain or map removal, fill in gaps in the list of domains or maps
correctly.
Don't bother memmove()ing a 0-byte chunk of data. Found by static
analysis.
map_data_set_entry() passes pointers to the lengths of the key and the value
to map_data_save_list(), which interprets them as arrays of integers.
If the NIS server encounters an EPIPE while attempting to communicate
with the portmapper, try to reconnect before giving up on registering.
Depending on which RPC implementation is used, rpcbind may drop idle
clients after 30 seconds, and our startup can take longer than that.
Log errors encountered while talking to portmap/rpcbind at level
SLAPI_LOG_FATAL rather than at the previous SLAPI_LOG_PLUGIN, so that
they show up even when we're not actively debugging.
Add {nis,schema-compat}-ignore-subtree (subtrees under which we ignore
contents and updates) and {nis,schema-compat}-restrict-subtree (subtrees
out of which we ignore contents and updates, if set) settings, and
default the former to "cn=tasks,cn=config".
This should avoid cases where we're looking through the ldbm backend for
entries which have a dangling reference to a newly-added task (which,
because it's in the DSE, means we acquire an ldbm lock after acquiring
our internal lock) while also updating a compat entry after its source
entry is modified (for example, by the memberOf plugin, which results in
us attempting to acquire our lock while the ldbm lock is already held).
Add a schema-compat-relevant-subtree configuration option, listing the
only parts of the DIT that we should ever look at, either as source
entries or as other entries which contain data which might be pulled in
as part of computing the contents of compat entries.
This is more or less the whitelist to schema-compat-ignore-subtree's
blacklist.
Add a schema-compat-ignore-subtree configuration option, listing parts
of the DIT that we should never look at, neither as source entries nor
as random other entries which contain data which might be pulled in as
part of computing the contents of compat entries.
Use the amount of data that we could have read as the upper bound on
reasonable-looking request lengths.
Break out a backend_make_user_entry_from_nsswitch_passwd function for
converting a passwd structure to an entry, and rename the helper for
groups to match it.