diff options
| author | Sumit Bose <sbose@redhat.com> | 2015-04-29 16:46:14 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-05-06 10:51:36 +0200 |
| commit | 3b00bcd8b6d53d33207005c4e7a631b6a241d300 (patch) | |
| tree | 6f00a1719e0b01e562201ea4ecca23c20da05eb1 | |
| parent | a4a447b7bf394ded65c8ae872832e7cd135425d1 (diff) | |
| download | sssd-3b00bcd8b6d53d33207005c4e7a631b6a241d300.tar.gz sssd-3b00bcd8b6d53d33207005c4e7a631b6a241d300.tar.xz sssd-3b00bcd8b6d53d33207005c4e7a631b6a241d300.zip | |
IPA: allow initgroups by UUID for FreeIPA users
If a FreeIPA user is searched with the help of an override name the UUID
from the override anchor is used to search the user. Currently the
initgroups request only allows searches by SID or name. With this patch
a UUID can be used as well.
Related to https://fedorahosted.org/sssd/ticket/2642
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 0f9c28eb52d2b45c8a97f709308dc11377831b8c)
| -rw-r--r-- | src/db/sysdb_search.c | 32 | ||||
| -rw-r--r-- | src/providers/data_provider.h | 1 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_id.c | 15 | ||||
| -rw-r--r-- | src/providers/ldap/ldap_id.c | 20 | ||||
| -rw-r--r-- | src/providers/ldap/sdap_async.h | 1 | ||||
| -rw-r--r-- | src/providers/ldap/sdap_async_initgroups.c | 14 | ||||
| -rw-r--r-- | src/tests/sysdb-tests.c | 9 |
7 files changed, 64 insertions, 28 deletions
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c index da0c6d90c..ccd8fa080 100644 --- a/src/db/sysdb_search.c +++ b/src/db/sysdb_search.c @@ -1612,20 +1612,30 @@ errno_t sysdb_get_real_name(TALLOC_CTX *mem_ctx, if (res->count == 0) { ret = sysdb_search_user_by_upn(tmp_ctx, domain, name_or_upn_or_sid, NULL, &msg); - if (ret != EOK) { + if (ret == ENOENT) { + ret = sysdb_search_user_by_sid_str(tmp_ctx, domain, + name_or_upn_or_sid, NULL, &msg); if (ret == ENOENT) { - ret = sysdb_search_user_by_sid_str(tmp_ctx, domain, - name_or_upn_or_sid, NULL, - &msg); - } - - if (ret != EOK) { - /* User cannot be found in cache */ - DEBUG(SSSDBG_OP_FAILURE, "Cannot find user [%s] in cache\n", - name_or_upn_or_sid); - goto done; + ret = sysdb_search_object_by_uuid(tmp_ctx, domain, + name_or_upn_or_sid, NULL, + &res); + if (ret == EOK && res->count == 1) { + msg = res->msgs[0]; + } else { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_search_object_by_uuid did not return a " \ + "single result.\n"); + ret = ENOENT; + goto done; + } } } + if (ret != EOK) { + /* User cannot be found in cache */ + DEBUG(SSSDBG_OP_FAILURE, "Cannot find user [%s] in cache\n", + name_or_upn_or_sid); + goto done; + } } else if (res->count == 1) { msg = res->msgs[0]; } else { diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h index 89fb06a0d..5df493e9d 100644 --- a/src/providers/data_provider.h +++ b/src/providers/data_provider.h @@ -150,7 +150,6 @@ #define DP_SEC_ID_LEN (sizeof(DP_SEC_ID) - 1) #define EXTRA_NAME_IS_UPN "U" -#define EXTRA_NAME_IS_SID "S" #define EXTRA_INPUT_MAYBE_WITH_VIEW "V" /* AUTH related common data and functions */ diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c index ebf5f03b8..e3a7fffc3 100644 --- a/src/providers/ipa/ipa_id.c +++ b/src/providers/ipa/ipa_id.c @@ -555,6 +555,7 @@ struct ipa_id_get_account_info_state { struct sss_domain_info *domain; struct be_req *be_req; struct be_acct_req *ar; + struct be_acct_req *orig_ar; const char *realm; struct sysdb_attrs *override_attrs; @@ -733,13 +734,25 @@ static void ipa_id_get_account_info_got_override(struct tevent_req *subreq) if (strcmp(state->ar->domain, anchor_domain) == 0) { + state->orig_ar = state->ar; + ret = get_be_acct_req_for_uuid(state, ipa_uuid, state->ar->domain, &state->ar); if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "get_be_acct_req_for_sid failed.\n"); + DEBUG(SSSDBG_OP_FAILURE, "get_be_acct_req_for_uuid failed.\n"); goto fail; } + + if ((state->orig_ar->entry_type & BE_REQ_TYPE_MASK) + == BE_REQ_INITGROUPS) { + DEBUG(SSSDBG_TRACE_ALL, + "Switching back to BE_REQ_INITGROUPS.\n"); + state->ar->entry_type = BE_REQ_INITGROUPS; + state->ar->filter_type = BE_FILTER_UUID; + state->ar->attr_type = BE_ATTR_CORE; + } + } else { DEBUG(SSSDBG_MINOR_FAILURE, "Anchor from a different domain [%s], expected [%s]. " \ diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index c2686d249..63098a82e 100644 --- a/src/providers/ldap/ldap_id.c +++ b/src/providers/ldap/ldap_id.c @@ -964,6 +964,7 @@ struct groups_by_user_state { struct sss_domain_info *domain; const char *name; + int name_type; const char *extra_value; const char **attrs; @@ -982,6 +983,7 @@ static struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx, struct sdap_domain *sdom, struct sdap_id_conn_ctx *conn, const char *name, + int name_type, const char *extra_value, bool noexist_delete) { @@ -1007,6 +1009,7 @@ static struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx, } state->name = name; + state->name_type = name_type; state->extra_value = extra_value; state->domain = sdom->dom; state->sysdb = sdom->dom->sysdb; @@ -1069,6 +1072,7 @@ static void groups_by_user_connect_done(struct tevent_req *subreq) state->ctx, state->conn, state->name, + state->name_type, state->extra_value, state->attrs); if (!subreq) { @@ -1392,7 +1396,8 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx, case BE_REQ_INITGROUPS: /* init groups for user */ if (ar->filter_type != BE_FILTER_NAME - && ar->filter_type != BE_FILTER_SECID) { + && ar->filter_type != BE_FILTER_SECID + && ar->filter_type != BE_FILTER_UUID) { ret = EINVAL; state->err = "Invalid filter type"; goto done; @@ -1402,21 +1407,12 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx, state->err = "Invalid attr type"; goto done; } - if (ar->filter_type == BE_FILTER_SECID && ar->extra_value != NULL - && strcmp(ar->extra_value, EXTRA_NAME_IS_SID) != 0) { - DEBUG(SSSDBG_OP_FAILURE, - "Unexpected extra value [%s] for BE_FILTER_SECID.\n", - ar->extra_value); - ret = EINVAL; - state->err = "Invalid extra value"; - goto done; - } subreq = groups_by_user_send(state, be_ctx->ev, id_ctx, sdom, conn, ar->filter_value, - (ar->filter_type == BE_FILTER_SECID) - ? EXTRA_NAME_IS_SID : ar->extra_value, + ar->filter_type, + ar->extra_value, noexist_delete); break; diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h index ef9b3bbad..e9bfc5759 100644 --- a/src/providers/ldap/sdap_async.h +++ b/src/providers/ldap/sdap_async.h @@ -135,6 +135,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, struct sdap_id_ctx *id_ctx, struct sdap_id_conn_ctx *conn, const char *name, + int name_type, const char *extra_value, const char **grp_attrs); int sdap_get_initgr_recv(struct tevent_req *req); diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index 5c5be5eab..4f775d76b 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c @@ -2667,6 +2667,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, struct sdap_id_ctx *id_ctx, struct sdap_id_conn_ctx *conn, const char *name, + int name_type, const char *extra_value, const char **grp_attrs) { @@ -2716,10 +2717,17 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) { search_attr = state->opts->user_map[SDAP_AT_USER_PRINC].name; - } else if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_SID) == 0) { - search_attr = state->opts->user_map[SDAP_AT_USER_OBJECTSID].name; } else { - search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name; + switch (name_type) { + case BE_FILTER_SECID: + search_attr = state->opts->user_map[SDAP_AT_USER_OBJECTSID].name; + break; + case BE_FILTER_UUID: + search_attr = state->opts->user_map[SDAP_AT_USER_UUID].name; + break; + default: + search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name; + } } state->user_base_filter = diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c index 0185beeaf..450a9d1d6 100644 --- a/src/tests/sysdb-tests.c +++ b/src/tests/sysdb-tests.c @@ -3581,6 +3581,10 @@ START_TEST(test_sysdb_get_real_name) "S-1-5-21-123-456-789-111"); fail_unless(ret == EOK, "sysdb_attrs_add_string failed."); + ret = sysdb_attrs_add_string(user_attrs, SYSDB_UUID, + "12345678-9012-3456-7890-123456789012"); + fail_unless(ret == EOK, "sysdb_attrs_add_string failed."); + ret = sysdb_store_user(test_ctx->domain, "RealName", NULL, 22345, 0, "gecos", "/home/realname", "/bin/bash", @@ -3604,6 +3608,11 @@ START_TEST(test_sysdb_get_real_name) fail_unless(strcmp(str, "RealName") == 0, "Expected [%s], got [%s].", "RealName", str); + ret = sysdb_get_real_name(test_ctx, test_ctx->domain, + "12345678-9012-3456-7890-123456789012", &str); + fail_unless(ret == EOK, "sysdb_get_real_name failed."); + fail_unless(strcmp(str, "RealName") == 0, "Expected [%s], got [%s].", + "RealName", str); } END_TEST |