author | Sumit Bose <sbose@redhat.com> | 2015-01-22 21:20:25 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-01-26 23:44:05 +0100 |
commit | e6aeb257e5b7d704530ce079c6e0ab9da1d5c139 (patch) | |
tree | 4e28ae72700e194924579e433c66584022e45c7f | |
parent | 6992f203c2b37d130287eae11f3929d0000e6d44 (diff) | |
download | sssd-e6aeb257e5b7d704530ce079c6e0ab9da1d5c139.tar.gz sssd-e6aeb257e5b7d704530ce079c6e0ab9da1d5c139.tar.xz sssd-e6aeb257e5b7d704530ce079c6e0ab9da1d5c139.zip |
IPA: resolve IPA group-memberships for AD users
So far the IPA group memberships were resolved for AD users only for
initgroups requests, and due to
6fac5e5f0c54a0f92872ce1450606cfcb577a920 those memberships are not
overridden by other requests. But it turned out that the originalMemberOf
attributes related to the IPA group memberships can be overridden by
user lookups. Since the originalMemberOf attribute is important in the
HBAC evaluation, this patch makes sure that the originalMemberOf
attribute is not removed but updated during user lookups.
Related to https://fedorahosted.org/sssd/ticket/2560
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 63748c69a2c6785d949c82f94749704e0408e5a7)
-rw-r--r-- | src/providers/ipa/ipa_subdomains_ext_groups.c | 3 | ||||
-rw-r--r-- | src/providers/ipa/ipa_subdomains_id.c | 44 |
2 files changed, 44 insertions, 3 deletions
diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
index 6feca44de..b9690bdb6 100644
--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
@@ -452,7 +452,8 @@ struct tevent_req *ipa_get_ad_memberships_send(TALLOC_CTX *mem_ctx,
 state->domain = domain;
 state->dp_error = -1;
 
- if ((ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_INITGROUPS
+ if (((ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_INITGROUPS
+ && (ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_USER)
 || ar->filter_type != BE_FILTER_NAME) {
 DEBUG(SSSDBG_OP_FAILURE, "Unsupported request type.\n");
 ret = EINVAL;
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 79285548d..c8714a216 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -1099,6 +1099,8 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
 struct ipa_get_ad_acct_state);
 errno_t ret;
 struct tevent_req *subreq;
+ const char *obj_name;
+ int entry_type;
 
 if (state->override_attrs != NULL) {
 /* We are in ipa-server-mode, so the view is the default view by
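Review bot: The widened condition in ipa_get_ad_memberships_send evaluates `ar->entry_type & BE_REQ_TYPE_MASK` twice inside one nested parenthesis group, which is harder to read and audit than the `entry_type` local the same commit introduces in ipa_get_ad_apply_override_step; the two callers should share that shape. I would write `int entry_type = ar->entry_type & BE_REQ_TYPE_MASK;` before the check and then `if ((entry_type != BE_REQ_INITGROUPS && entry_type != BE_REQ_USER) || ar->filter_type != BE_FILTER_NAME) {`, which also makes the accepted set of request types visible at a glance. The rejection path still only logs "Unsupported request type." without saying which type arrived, so a one-line comment such as `/* Only name-based user and initgroups lookups carry IPA memberships to resolve */` would help the next reader. The body of ipa_get_ad_memberships_send continues outside this hunk.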
@@ -1112,13 +1114,51 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
 }
 }
 
- if ((state->ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_INITGROUPS) {
+ entry_type = (state->ar->entry_type & BE_REQ_TYPE_MASK);
+ if (entry_type != BE_REQ_INITGROUPS
+ && entry_type != BE_REQ_USER
+ && entry_type != BE_REQ_BY_SECID) {
 tevent_req_done(req);
 return EOK;
 }
 
+ /* Replace ID with name in search filter */
+ if ((entry_type == BE_REQ_USER && state->ar->filter_type == BE_FILTER_IDNUM)
+ || entry_type == BE_REQ_BY_SECID) {
+ if (state->obj_msg == NULL) {
+ ret = get_object_from_cache(state, state->obj_dom, state->ar,
+ &state->obj_msg);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Object not found, ending request\n");
+ tevent_req_done(req);
+ return EOK;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_object_from_cache failed.\n");
+ return ret;
+ }
+ }
+
+ obj_name = ldb_msg_find_attr_as_string(state->obj_msg, SYSDB_NAME,
+ NULL);
+ if (obj_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cached object has no name.\n");
+ return EINVAL;
+ }
+
+ state->ar->filter_value = talloc_strdup(state->ar, obj_name);
+ if (state->ar->filter_value == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ return ENOMEM;
+ }
+ state->ar->filter_type = BE_FILTER_NAME;
+ state->ar->entry_type = BE_REQ_USER;
+ }
+
+
 /* For initgroups request we have to check IPA group memberships of AD
- * users. */
+ * users. This has to be done for other user-request as well to make sure
+ * IPA related attributes are not overwritten. */
 subreq = ipa_get_ad_memberships_send(state, state->ev, state->ar,
 state->ipa_ctx->server_mode, state->obj_dom,
|
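Review bot: The "Replace ID with name" branch rewrites a BE_REQ_BY_SECID request into `BE_REQ_USER` using whatever object get_object_from_cache returned, but nothing in the hunk confirms that object is a user; if a SID can resolve to a group in the cache, its SYSDB_NAME is then fed into ipa_get_ad_memberships_send as a user name, so the object class should be checked (or the non-user case handled explicitly) before the `state->ar->entry_type = BE_REQ_USER;` assignment. The rewrite also mutates the caller-owned request in place: `filter_value`, `filter_type` and `entry_type` are overwritten on `state->ar`, the previous `filter_value` is never released (it lives until `state->ar` is freed), and any later step that inspects `state->ar` sees a name request rather than the original id/SID request, which deserves a comment on the branch such as `/* NOTE: state->ar is rewritten in place; later steps see a BE_FILTER_NAME user request, not the original id/SID request */`. The SYSDB_NAME string is also copied with talloc_strdup rather than being escaped or validated for the filter it will be used in, which is presumably fine because the value comes from the local cache rather than the caller, but that assumption is worth stating next to the strdup. ipa_get_ad_apply_override_step continues past the end of this hunk.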