authorSumit Bose <sbose@redhat.com>2013-10-09 15:22:53 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-10-17 13:45:44 +0200
commitd9059ad391cc73ad91893c3eab509d08699d5aba (patch)
tree34518dc1085578c15eff447812bdf42defcfb50a
parent222f2484ea37c8bd434184ccd38160fb58c8087f (diff)
idmap: allow ranges with external mapping to overlap
If POSIX IDs are managed externally, e.g. by AD, it might be possible that the IDs are centrally managed for the whole forest. Hence there might not be a single ID range for each member domain in the forest but only a single ID range for the whole forest. This means that we have to allow collisions of ID ranges in this case. Unit tests are added to make sure that the collisions are only allowed for external mappings.
-rw-r--r--src/lib/idmap/sss_idmap.c12
-rw-r--r--src/tests/sss_idmap-tests.c64
2 files changed, 71 insertions, 5 deletions
diff --git a/src/lib/idmap/sss_idmap.c b/src/lib/idmap/sss_idmap.c
index 89c55fc95..17bd5779e 100644
--- a/src/lib/idmap/sss_idmap.c
+++ b/src/lib/idmap/sss_idmap.c
@@ -357,11 +357,13 @@ static enum idmap_error_code dom_check_collision(
/* TODO: if both ranges have the same ID check if an update is
* needed. */
- /* check if ID ranges overlap */
- if ((new_dom->range->min >= dom->range->min
- && new_dom->range->min <= dom->range->max)
- || (new_dom->range->max >= dom->range->min
- && new_dom->range->max <= dom->range->max)) {
+ /* Check if ID ranges overlap.
+ * ID ranges with external mapping may overlap. */
+ if ((!new_dom->external_mapping && !dom->external_mapping)
+ && ((new_dom->range->min >= dom->range->min
+ && new_dom->range->min <= dom->range->max)
+ || (new_dom->range->max >= dom->range->min
+ && new_dom->range->max <= dom->range->max))) {
return IDMAP_COLLISION;
}
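Review bot: The overlap test on the new side still reports a collision only when one endpoint of the new range lies inside the existing one, so a new range that strictly encloses dom->range (min below dom->range->min and max above dom->range->max) is accepted without IDMAP_COLLISION; the standard interval test covers that case with fewer comparisons: `if ((!new_dom->external_mapping && !dom->external_mapping)` / `    && new_dom->range->min <= dom->range->max` / `    && new_dom->range->max >= dom->range->min) {`. The added external_mapping guard also skips the range check as soon as either domain is externally mapped, not only when both are, so an algorithmically mapped range can be registered on top of an externally managed one and an ID in the overlap is ambiguous for the reverse (ID to SID) lookup; if that is intended it deserves a comment saying so, otherwise `||` in place of `&&` inside the guard restricts the exemption to two externally mapped domains. The commit message speaks of ranges "with external mapping", which reads as both domains being external. dom_check_collision begins before this hunk and continues after it.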
diff --git a/src/tests/sss_idmap-tests.c b/src/tests/sss_idmap-tests.c
index eb204137a..65e61351d 100644
--- a/src/tests/sss_idmap-tests.c
+++ b/src/tests/sss_idmap-tests.c
@@ -29,6 +29,9 @@
#define IDMAP_RANGE_MIN 1234
#define IDMAP_RANGE_MAX 9876
+#define IDMAP_RANGE_MIN2 11234
+#define IDMAP_RANGE_MAX2 19876
+
const char test_sid[] = "S-1-5-21-2127521184-1604012920-1887927527-72713";
uint8_t test_bin_sid[] = {0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15,
0x00, 0x00, 0x00, 0xA0, 0x65, 0xCF, 0x7E, 0x78, 0x4B,
@@ -142,6 +145,65 @@ START_TEST(idmap_test_add_domain)
}
END_TEST
+START_TEST(idmap_test_add_domain_collisions)
+{
+ enum idmap_error_code err;
+ struct sss_idmap_range range = {IDMAP_RANGE_MIN, IDMAP_RANGE_MAX};
+ struct sss_idmap_range range2 = {IDMAP_RANGE_MIN2, IDMAP_RANGE_MAX2};
+
+ err = sss_idmap_add_domain(idmap_ctx, "test.dom", "S-1-5-21-1-2-3", &range);
+ fail_unless(err == IDMAP_SUCCESS, "sss_idmap_add_domain failed.");
+
+ err = sss_idmap_add_domain(idmap_ctx, "test.dom", "S-1-5-21-1-2-4",
+ &range2);
+ fail_unless(err == IDMAP_COLLISION,
+ "sss_idmap_add_domain added domain with the same name.");
+
+ err = sss_idmap_add_domain(idmap_ctx, "test.dom2", "S-1-5-21-1-2-3",
+ &range2);
+ fail_unless(err == IDMAP_COLLISION,
+ "sss_idmap_add_domain added domain with the same SID.");
+
+ err = sss_idmap_add_domain(idmap_ctx, "test.dom2", "S-1-5-21-1-2-4",
+ &range);
+ fail_unless(err == IDMAP_COLLISION,
+ "sss_idmap_add_domain added domain with the same range.");
+
+ err = sss_idmap_add_domain(idmap_ctx, "test.dom2", "S-1-5-21-1-2-4",
+ &range2);
+ fail_unless(err == IDMAP_SUCCESS,
+ "sss_idmap_add_domain failed to add second domain.");
+}
+END_TEST
+
+START_TEST(idmap_test_add_domain_collisions_ext_mapping)
+{
+ enum idmap_error_code err;
+ struct sss_idmap_range range = {IDMAP_RANGE_MIN, IDMAP_RANGE_MAX};
+ struct sss_idmap_range range2 = {IDMAP_RANGE_MIN2, IDMAP_RANGE_MAX2};
+
+ err = sss_idmap_add_domain_ex(idmap_ctx, "test.dom", "S-1-5-21-1-2-3",
+ &range, NULL, 0, true);
+ fail_unless(err == IDMAP_SUCCESS, "sss_idmap_add_domain failed.");
+
+ err = sss_idmap_add_domain_ex(idmap_ctx, "test.dom", "S-1-5-21-1-2-4",
+ &range2, NULL, 0, true);
+ fail_unless(err == IDMAP_COLLISION,
+ "sss_idmap_add_domain added domain with the same name.");
+
+ err = sss_idmap_add_domain_ex(idmap_ctx, "test.dom2", "S-1-5-21-1-2-3",
+ &range2, NULL, 0, true);
+ fail_unless(err == IDMAP_COLLISION,
+ "sss_idmap_add_domain added domain with the same SID.");
+
+ err = sss_idmap_add_domain_ex(idmap_ctx, "test.dom2", "S-1-5-21-1-2-4",
+ &range, NULL, 0, true);
+ fail_unless(err == IDMAP_SUCCESS,
+ "sss_idmap_add_domain failed to add second domain with " \
+ "external mapping and the same range.");
+}
+END_TEST
+
START_TEST(idmap_test_sid2uid)
{
enum idmap_error_code err;
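Review bot: idmap_test_add_domain_collisions_ext_mapping only covers two externally mapped domains sharing a range, so the case dom_check_collision now also lets through — one externally mapped and one algorithmic domain with overlapping ranges — has no test pinning whichever result is intended; a further sss_idmap_add_domain call with a fresh domain name and SID and `&range`, asserting the intended error code, would close that gap. Neither test adds a range that strictly encloses an existing one (for instance a constructed `{IDMAP_RANGE_MIN - 1, IDMAP_RANGE_MAX + 1}`), which is the shape the endpoint-based overlap check in sss_idmap.c does not report. The failure messages in the ext_mapping test still name sss_idmap_add_domain although every call is to sss_idmap_add_domain_ex, e.g. `"sss_idmap_add_domain_ex failed."`. The trailing `\` after the first half of the split string literal is unnecessary, since adjacent string literals are concatenated by the compiler.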
@@ -510,6 +572,8 @@ Suite *idmap_test_suite (void)
idmap_ctx_teardown);
tcase_add_test(tc_dom, idmap_test_add_domain);
+ tcase_add_test(tc_dom, idmap_test_add_domain_collisions);
+ tcase_add_test(tc_dom, idmap_test_add_domain_collisions_ext_mapping);
suite_add_tcase(s, tc_dom);