authorSumit Bose <sbose@redhat.com>2015-04-28 17:18:48 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-05-06 11:05:17 +0200
commitbfddefd70248d90a0478f4a406bfe40a94f2cd8d (patch)
tree098f12abe8c6053e769f30ab46694d2c58dd8362
parent51612e398f198596fe72926dcf0b82f53c0f4d5c (diff)
IPA: do initgroups if extdom exop supports it
Newer versions of the extdom plugin return the full list of group memberships during a user lookup request. With these versions there is no need to reject an initgroups request for sub/trusted-domain users anymore. This is e.g. useful for callers which call getgrouplist() directly without calling getpwnam() before. Additionally it helps if for some reason the lifetime of the user entry and the lifetime of the initgroups data differ. Related to https://fedorahosted.org/sssd/ticket/2633 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit e87badc0f6fb20a443cf12bde9582ecbc2aef727) (cherry picked from commit 24905d4ecbf210687e385449448f5a5ec97d2833)
-rw-r--r--src/providers/ipa/ipa_s2n_exop.c3
-rw-r--r--src/providers/ipa/ipa_subdomains.h4
-rw-r--r--src/providers/ipa/ipa_subdomains_id.c24
3 files changed, 21 insertions, 10 deletions
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index d07923cff..3830a2b4b 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -50,9 +50,6 @@ enum response_types {
};
/* ==Sid2Name Extended Operation============================================= */
-#define EXOP_SID2NAME_OID "2.16.840.1.113730.3.8.10.4"
-#define EXOP_SID2NAME_V1_OID "2.16.840.1.113730.3.8.10.4.1"
-
struct ipa_s2n_exop_state {
struct sdap_handle *sh;
diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
index ceb862226..9b179792d 100644
--- a/src/providers/ipa/ipa_subdomains.h
+++ b/src/providers/ipa/ipa_subdomains.h
@@ -28,6 +28,10 @@
#include "providers/dp_backend.h"
#include "providers/ipa/ipa_common.h"
+/* ==Sid2Name Extended Operation============================================= */
+#define EXOP_SID2NAME_OID "2.16.840.1.113730.3.8.10.4"
+#define EXOP_SID2NAME_V1_OID "2.16.840.1.113730.3.8.10.4.1"
+
struct be_ctx *ipa_get_subdomains_be_ctx(struct be_ctx *be_ctx);
const char *get_flat_name_from_subdomain_name(struct be_ctx *be_ctx,
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 15776d2e1..1253510dc 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -386,14 +386,8 @@ struct tevent_req *ipa_get_subdom_acct_send(TALLOC_CTX *memctx,
case BE_REQ_GROUP:
case BE_REQ_BY_SECID:
case BE_REQ_USER_AND_GROUP:
- ret = EOK;
- break;
case BE_REQ_INITGROUPS:
- ret = ENOTSUP;
- DEBUG(SSSDBG_TRACE_FUNC, "Initgroups requests are not handled " \
- "by the IPA provider but are resolved " \
- "by the responder directly from the " \
- "cache.\n");
+ ret = EOK;
break;
default:
ret = EINVAL;
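Review bot: BE_REQ_INITGROUPS now falls through to `ret = EOK` with the other request types, so the early ENOTSUP rejection that used to happen here, before any server work, is gone; whether initgroups is actually serviceable is decided only later in ipa_get_subdom_acct_connected() (the next hunk), after the connection has been set up, so a server lacking the V1 extdom OID now pays for a connect before failing with the same ENOTSUP. That is presumably acceptable if sdap_is_extension_supported() answers from already-fetched server capabilities, but nothing at the case label tells a reader that the acceptance is conditional. A one-line comment would prevent the fallthrough from being read as unconditional support: `case BE_REQ_INITGROUPS: /* only supported with extdom V1; checked in ipa_get_subdom_acct_connected() */`. ipa_get_subdom_acct_send() starts before this hunk and continues after it.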
@@ -434,6 +428,22 @@ static void ipa_get_subdom_acct_connected(struct tevent_req *subreq)
return;
}
+ if (state->entry_type == BE_REQ_INITGROUPS) {
+ /* With V1 of the extdom plugin a user lookup will resolve the full
+ * group membership of the user. */
+ if (sdap_is_extension_supported(sdap_id_op_handle(state->op),
+ EXOP_SID2NAME_V1_OID)) {
+ state->entry_type = BE_REQ_USER;
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC, "Initgroups requests are not handled " \
+ "by the IPA provider but are resolved " \
+ "by the responder directly from the " \
+ "cache.\n");
+ tevent_req_error(req, ENOTSUP);
+ return;
+ }
+ }
+
req_input = talloc(state, struct req_input);
if (req_input == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n");