sssd.git/src/providers/ldap/sdap_async_groups.c, branch pwrap sssd with jhrozek's patches SDAP: fix minor memory leak 2015-10-02T10:50:37+00:00 Pavel Reichl preichl@redhat.com 2015-09-04T11:04:10+00:00 3fa03d5816d6a401d8e894b77236d3cfd95dbd96 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
LDAP: Filter out multiple entries when searching overlapping domains 2015-09-22T11:46:02+00:00 Jakub Hrozek jhrozek@redhat.com 2015-09-04T16:45:45+00:00 fb83de0699b16e7d8eca803305e2112795807b4c In case domain overlap, we might download multiple objects. To avoid saving them all, we attempt to filter out the objects from foreign domains. We can only do this optimization for non-wildcard lookups. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
In case domain overlap, we might download multiple objects. To avoid
saving them all, we attempt to filter out the objects from foreign
domains.

We can only do this optimization for non-wildcard lookups.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
LDAP: imposing sizelimit=1 for single-entry searches breaks overlapping domains 2015-09-22T11:45:50+00:00 Jakub Hrozek jhrozek@redhat.com 2015-07-21T19:00:27+00:00 67625b1b4f856510bf4e169649b3fb30c2c14152 https://fedorahosted.org/sssd/ticket/2723 In case there are overlapping sdap domains, a search for a single user might match and return multiple entries. For instance, with AD domains represented by search bases: DC=win,DC=trust,DC=test DC=child,DC=win,DC=trust,DC=test A search for user from win.trust.test would be based at: DC=win,DC=trust,DC=test but would match both search bases and return both users. Instead of performing complex filtering, just save both users. The responder would select the entry that matches the user's search. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
https://fedorahosted.org/sssd/ticket/2723

In case there are overlapping sdap domains, a search for a single user
might match and return multiple entries. For instance, with AD domains
represented by search bases:
    DC=win,DC=trust,DC=test
    DC=child,DC=win,DC=trust,DC=test

A search for user from win.trust.test would be based at:
    DC=win,DC=trust,DC=test
but would match both search bases and return both users.

Instead of performing complex filtering, just save both users. The
responder would select the entry that matches the user's search.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
LDAP: Add the wildcard_limit option 2015-07-15T15:32:46+00:00 Jakub Hrozek jhrozek@redhat.com 2015-06-17T14:13:51+00:00 b9e74a747b8f1012bba3575f3e4289ef4877d64a Related: https://fedorahosted.org/sssd/ticket/2553 Adds a new wildcard_limit option that is set by default to 1000 (one page). This option limits the number of entries that can by default be returned by a wildcard search. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Related:
    https://fedorahosted.org/sssd/ticket/2553

Adds a new wildcard_limit option that is set by default to 1000 (one
page). This option limits the number of entries that can by default be
returned by a wildcard search.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
LDAP: Add sdap_lookup_type enum 2015-07-15T15:32:43+00:00 Jakub Hrozek jhrozek@redhat.com 2015-05-08T12:49:09+00:00 1f2fc55ecf7b5e170b2c0752304d1a2ecebc5259 Related: https://fedorahosted.org/sssd/ticket/2553 Change the boolan parameter of sdap_get_users_send and sdap_get_groups_send to a tri-state that controls whether we expect only a single entry (ie don't use the paging control), multiple entries with a search limit (wildcard request) or multiple entries with no limit (enumeration). Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Related:
    https://fedorahosted.org/sssd/ticket/2553

Change the boolan parameter of sdap_get_users_send and sdap_get_groups_send
to a tri-state that controls whether we expect only a single entry
(ie don't use the paging control), multiple entries with a search limit
(wildcard request) or multiple entries with no limit (enumeration).

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
LDAP: Use sdap_get_and_parse_generic_/_recv 2015-07-15T15:32:40+00:00 Jakub Hrozek jhrozek@redhat.com 2015-05-04T14:33:37+00:00 5b2ca5cc0e22dd184e3eba84af2c00d7065c59c7 Related: https://fedorahosted.org/sssd/ticket/2553 Using the new request sdap_get_and_parse_generic_send is a separate commit so that we can audit where the function is used during a code review. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Related:
    https://fedorahosted.org/sssd/ticket/2553

Using the new request sdap_get_and_parse_generic_send is a separate
commit so that we can audit where the function is used during a code
review.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
SDAP: use DN to update entry 2015-05-11T17:17:22+00:00 Sumit Bose sbose@redhat.com 2015-03-12T11:46:31+00:00 305267064a9d8c86536fcd5c92c1c9cb3e7df268 sdap_nested_group_populate_users() has code to handle user name changes. It updates the SYSDB_NAME attribute. This attribute is also used in the RDN but changing the attribute in the object does not change the DN hence the DN still contains the old name. Currently sysdb_set_user_attr() was used to update the entry which creates the DN based on the give name. This will fail if the name is changed for a second time. Since the DN is already available in the search result it is more reliable to use it directly with sysdb_set_entry_attr(). Related to https://fedorahosted.org/sssd/ticket/2591 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
sdap_nested_group_populate_users() has code to handle user name changes.
It updates the SYSDB_NAME attribute. This attribute is also used in the
RDN but changing the attribute in the object does not change the DN
hence the DN still contains the old name. Currently
sysdb_set_user_attr() was used to update the entry which creates the DN
based on the give name. This will fail if the name is changed for a
second time. Since the DN is already available in the search result it
is more reliable to use it directly with sysdb_set_entry_attr().

Related to https://fedorahosted.org/sssd/ticket/2591

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SDAP: Extract filtering AD group to function 2015-04-14T11:13:23+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-04-13T07:44:35+00:00 bad2fc8133d941e5a6c8d8016c9689e039265c61 Patch remove code duplication. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Patch remove code duplication.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SDAP: Do not set gid 0 twice 2015-04-14T11:13:16+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-04-10T12:33:35+00:00 5d864e7a9d0e1e6fb7dd8158c5b8bfb71040b908 The gid o was added to sysdb attrs directly in sdap_save_group for 1st time and for second time in the function sdap_store_group_with_gid, which was called every time from function sdap_save_group [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists](20)[attribute 'gidNumber': value #1 on 'name=domainlocalgroup1_dom2-493341@sssdad_tree.com,cn=groups,cn=sssdad_tree.com,cn=sysdb' provided more than once] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) [sysdb_store_group] (0x1000): sysdb_set_group_attr failed. [sysdb_store_group] (0x0400): Error: 17 (File exists) [sdap_store_group_with_gid] (0x0040): Could not store group domainlocalgroup1_dom2-493341@sssdad_tree.com [sdap_save_group] (0x0080): Could not store group with GID: [File exists] [sdap_save_group] (0x0080): Failed to save group [domainlocalgroup1_dom2-493341@sssdad_tree.com]: [File exists] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
The gid o was added to sysdb attrs directly in sdap_save_group for 1st time
and for second time in the function sdap_store_group_with_gid,
which was called every time from function sdap_save_group

[sysdb_set_entry_attr] (0x0080): ldb_modify failed:
    [Attribute or value exists](20)[attribute 'gidNumber': value #1
    on 'name=domainlocalgroup1_dom2-493341@sssdad_tree.com,cn=groups,cn=sssdad_tree.com,cn=sysdb' provided more than once]
[sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
[sysdb_store_group] (0x1000): sysdb_set_group_attr failed.
[sysdb_store_group] (0x0400): Error: 17 (File exists)
[sdap_store_group_with_gid] (0x0040):
    Could not store group domainlocalgroup1_dom2-493341@sssdad_tree.com
[sdap_save_group] (0x0080): Could not store group with GID: [File exists]
[sdap_save_group] (0x0080):
    Failed to save group [domainlocalgroup1_dom2-493341@sssdad_tree.com]: [File exists]
[sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
LDAP: remove unused code 2015-03-23T06:47:09+00:00 Pavel Reichl preichl@redhat.com 2015-03-20T09:23:49+00:00 ef9ca5848ea08aafa0827f5d2922d49130ba324d Also fix debug message. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Also fix debug message.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>