summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2011-10-05 14:18:25 -0400
committerStephen Gallagher <sgallagh@redhat.com>2011-10-14 08:20:01 -0400
commit64e15adc53a8316277980ab8cee7d1f2227f1898 (patch)
treefb9ddb3e5ba5ec6cf33b61d91cd1cfef8624bacc
parent684d1b48b5582a1bf7812b8c3c663592dc6dfed9 (diff)
downloadsssd-64e15adc53a8316277980ab8cee7d1f2227f1898.tar.gz
sssd-64e15adc53a8316277980ab8cee7d1f2227f1898.tar.xz
sssd-64e15adc53a8316277980ab8cee7d1f2227f1898.zip
HBAC: Do not save member/memberOf links
We can just trust the values from the FreeIPA server
-rw-r--r--src/providers/ipa/ipa_hbac_common.c120
1 files changed, 0 insertions, 120 deletions
diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index b37320a48..f4ed839fa 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -98,17 +98,8 @@ ipa_hbac_sysdb_save(struct sysdb_ctx *sysdb, struct sss_domain_info *domain,
const char *group_subdir, const char *groupattr_name,
size_t group_count, struct sysdb_attrs **groups)
{
- int lret;
errno_t ret, sret;
bool in_transaction = false;
- const char **orig_member_dns;
- size_t i, j, member_count;
- struct ldb_message **members;
- TALLOC_CTX *tmp_ctx = NULL;
- const char *member_dn;
- const char *group_id;
- struct ldb_message *msg;
- char *member_filter;
if ((primary_count == 0 || primary == NULL)
|| (group_count > 0 && groups == NULL)) {
@@ -149,117 +140,6 @@ ipa_hbac_sysdb_save(struct sysdb_ctx *sysdb, struct sss_domain_info *domain,
group_subdir, ret, strerror(ret)));
goto done;
}
-
- /* Third, save the memberships */
- for (i = 0; i < group_count; i++) {
- if (!groups[i]) {
- ret = EINVAL;
- goto done;
- }
-
- talloc_free(tmp_ctx);
- tmp_ctx = talloc_new(NULL);
- if (tmp_ctx == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = sysdb_attrs_get_string(groups[i],
- groupattr_name,
- &group_id);
- if (ret != EOK) {
- DEBUG(1, ("Could not determine group attribute name\n"));
- goto done;
- }
-
- msg = ldb_msg_new(tmp_ctx);
- if (msg == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- msg->dn = sysdb_custom_dn(sysdb, msg, domain->name,
- group_id, group_subdir);
- if (msg->dn == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = sysdb_attrs_get_string_array(groups[i],
- SYSDB_ORIG_MEMBER,
- tmp_ctx,
- &orig_member_dns);
-
- if (ret == EOK) {
- /* One or more members were detected, prep the LDB message */
- lret = ldb_msg_add_empty(msg, SYSDB_MEMBER, LDB_FLAG_MOD_ADD, NULL);
- if (lret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(lret);
- goto done;
- }
- } else if (ret == ENOENT) {
- /* Useless group, has no members */
- orig_member_dns = talloc_array(tmp_ctx, const char *, 1);
- if (!orig_member_dns) {
- ret = ENOMEM;
- goto done;
- }
-
- /* Just set the member list to zero length so we skip
- * processing it below
- */
- orig_member_dns[0] = NULL;
- } else {
- DEBUG(1, ("Could not determine original members\n"));
- goto done;
- }
-
- for (j = 0; orig_member_dns[j]; j++) {
- member_filter = talloc_asprintf(tmp_ctx, "%s=%s",
- SYSDB_ORIG_DN,
- orig_member_dns[j]);
- if (member_filter == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = sysdb_search_custom(tmp_ctx, sysdb,
- member_filter, primary_subdir,
- NULL, &member_count, &members);
- talloc_zfree(member_filter);
- if (ret != EOK && ret != ENOENT) {
- goto done;
- } else if (ret == ENOENT || member_count == 0) {
- /* No member exists with this orig_dn. Skip it */
- DEBUG(6, ("[%s] does not exist\n", orig_member_dns[j]));
- continue;
- } else if (member_count > 1) {
- /* This probably means corruption in the cache, but
- * we'll try to proceed anyway.
- */
- DEBUG(1, ("More than one result for DN [%s], skipping\n"));
- continue;
- }
-
- member_dn = ldb_dn_get_linearized(members[0]->dn);
- if (!member_dn) {
- ret = ENOMEM;
- goto done;
- }
- lret = ldb_msg_add_fmt(msg, SYSDB_MEMBER, "%s", member_dn);
- if (lret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(lret);
- goto done;
- }
- }
-
- lret = ldb_modify(sysdb_ctx_get_ldb(sysdb), msg);
- if (lret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(lret);
- goto done;
- }
- }
- talloc_zfree(tmp_ctx);
}
ret = sysdb_transaction_commit(sysdb);