summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJan Zeleny <jzeleny@redhat.com>2011-05-27 07:33:09 -0400
committerStephen Gallagher <sgallagh@redhat.com>2011-06-02 14:07:45 -0400
commit00142aba00a2adcf32f0741b8ea8a31c5a461675 (patch)
tree5d99db7d533d49b3f1255af421479171d5702907
parentace07a7d75c5a7c3f5613e5349fa8c1ffd05863a (diff)
downloadsssd-00142aba00a2adcf32f0741b8ea8a31c5a461675.tar.gz
sssd-00142aba00a2adcf32f0741b8ea8a31c5a461675.tar.xz
sssd-00142aba00a2adcf32f0741b8ea8a31c5a461675.zip
Non-posix group processing - ldap provider and nss responder
-rw-r--r--src/providers/ldap/ldap_id_cleanup.c24
-rw-r--r--src/providers/ldap/sdap_async_accounts.c83
-rw-r--r--src/responder/nss/nsssrv_cmd.c14
3 files changed, 90 insertions, 31 deletions
diff --git a/src/providers/ldap/ldap_id_cleanup.c b/src/providers/ldap/ldap_id_cleanup.c
index 7f7a02c64..d31dace55 100644
--- a/src/providers/ldap/ldap_id_cleanup.c
+++ b/src/providers/ldap/ldap_id_cleanup.c
@@ -395,6 +395,7 @@ static int cleanup_groups(TALLOC_CTX *memctx,
size_t u_count;
int ret;
int i;
+ const char *posix;
tmpctx = talloc_new(memctx);
if (!tmpctx) {
@@ -433,19 +434,18 @@ static int cleanup_groups(TALLOC_CTX *memctx,
goto done;
}
- gid = (gid_t) ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
- if (!gid) {
- DEBUG(2, ("Entry has no GID\n"));
- ret = EIO;
- goto done;
+ posix = ldb_msg_find_attr_as_string(msgs[i], SYSDB_POSIX, NULL);
+ if (!posix || strcmp(posix, "TRUE") == 0) {
+ /* Search for users that are members of this group, or
+ * that have this group as their primary GID
+ */
+ gid = (gid_t) ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
+ subfilter = talloc_asprintf(tmpctx, "(|(%s=%s)(%s=%lu))",
+ SYSDB_MEMBEROF, dn,
+ SYSDB_GIDNUM, (long unsigned) gid);
+ } else {
+ subfilter = talloc_asprintf(tmpctx, "(%s=%s)", SYSDB_MEMBEROF, dn);
}
-
- /* Search for users that are members of this group, or
- * that have this group as their primary GID
- */
- subfilter = talloc_asprintf(tmpctx, "(|(%s=%s)(%s=%lu))",
- SYSDB_MEMBEROF, dn,
- SYSDB_GIDNUM, (long unsigned) gid);
if (!subfilter) {
DEBUG(2, ("Failed to build filter\n"));
ret = ENOMEM;
diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c
index 13311642c..a8f95fdd1 100644
--- a/src/providers/ldap/sdap_async_accounts.c
+++ b/src/providers/ldap/sdap_async_accounts.c
@@ -679,6 +679,7 @@ static int sdap_save_group(TALLOC_CTX *memctx,
int ret;
char *usn_value = NULL;
TALLOC_CTX *tmpctx = NULL;
+ bool posix_group;
tmpctx = talloc_new(memctx);
if (!tmpctx) {
@@ -700,6 +701,19 @@ static int sdap_save_group(TALLOC_CTX *memctx,
goto fail;
}
+ ret = sysdb_attrs_get_bool(attrs, SYSDB_POSIX, &posix_group);
+ if (ret == ENOENT) {
+ posix_group = true;
+ } else if (ret != EOK) {
+ goto fail;
+ }
+
+ DEBUG(8, ("This is%s a posix group\n", (posix_group)?"":" not"));
+ ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, posix_group);
+ if (ret != EOK) {
+ goto fail;
+ }
+
ret = sysdb_attrs_get_uint32_t(attrs,
opts->group_map[SDAP_AT_GROUP_GID].sys_name,
&gid);
@@ -711,7 +725,8 @@ static int sdap_save_group(TALLOC_CTX *memctx,
}
/* check that the gid is valid for this domain */
- if (OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
+ if ((posix_group || gid != 0) &&
+ OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
DEBUG(2, ("Group [%s] filtered out! (id out of range)\n",
name));
ret = EINVAL;
@@ -2055,6 +2070,7 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
gid_t gid;
int ret;
bool in_transaction = false;
+ bool posix;
/* There are no groups in LDAP but we should add user to groups ?? */
if (ldap_groups_count == 0) return EOK;
@@ -2114,11 +2130,15 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
}
if (strcmp(name, missing[i]) == 0) {
+ posix = true;
ret = sysdb_attrs_get_uint32_t(ldap_groups[ai],
SYSDB_GIDNUM,
&gid);
- if (ret) {
- DEBUG(1, ("The GID attribute is missing or malformed\n"));
+ if (ret == ENOENT) {
+ gid = 0;
+ posix = false;
+ } else if (ret) {
+ DEBUG(1, ("The GID attribute is malformed\n"));
goto fail;
}
@@ -2132,7 +2152,7 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
DEBUG(8, ("Adding fake group %s to sysdb\n", name));
ret = sysdb_add_incomplete_group(sysdb, dom, name,
- gid, original_dn);
+ gid, original_dn, posix);
if (ret != EOK) {
goto fail;
}
@@ -2468,10 +2488,9 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
return NULL;
}
- state->filter = talloc_asprintf(state, "(&(objectclass=%s)(%s=*)(%s=*))",
+ state->filter = talloc_asprintf(state, "(&(objectclass=%s)(%s=*))",
opts->group_map[SDAP_OC_GROUP].name,
- opts->group_map[SDAP_AT_GROUP_NAME].name,
- opts->group_map[SDAP_AT_GROUP_GID].name);
+ opts->group_map[SDAP_AT_GROUP_NAME].name);
if (!state->filter) {
talloc_zfree(req);
return NULL;
@@ -3344,6 +3363,7 @@ static struct tevent_req *sdap_nested_group_process_send(
const char *groupname;
hash_key_t key;
hash_value_t value;
+ gid_t gid;
req = tevent_req_create(mem_ctx, &state, struct sdap_nested_group_ctx);
if (!req) {
@@ -3392,6 +3412,28 @@ static struct tevent_req *sdap_nested_group_process_send(
goto immediate;
}
+ ret = sysdb_attrs_get_uint32_t(group,
+ opts->group_map[SDAP_AT_GROUP_GID].name,
+ &gid);
+ if (ret == ENOENT) {
+ DEBUG(8, ("Marking group as non-posix and setting GID=0!\n"));
+ ret = sysdb_attrs_add_uint32(group,
+ opts->group_map[SDAP_AT_GROUP_GID].name,
+ 0);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to add a GID to non-posix group!\n"));
+ goto immediate;
+ }
+
+ ret = sysdb_attrs_add_bool(group, SYSDB_POSIX, false);
+ if (ret != EOK) {
+ DEBUG(2, ("Error: Failed to mark group as non-posix!\n"));
+ goto immediate;
+ }
+ } else if (ret) {
+ goto immediate;
+ }
+
value.type = HASH_VALUE_PTR;
value.ptr = talloc_steal(groups, group);
@@ -4002,10 +4044,9 @@ static errno_t sdap_nested_group_lookup_group(struct tevent_req *req)
}
filter = talloc_asprintf(
- sdap_attrs, "(&(objectclass=%s)(%s=*)(%s=*))",
+ sdap_attrs, "(&(objectclass=%s)(%s=*))",
state->opts->group_map[SDAP_OC_GROUP].name,
- state->opts->group_map[SDAP_AT_GROUP_NAME].name,
- state->opts->group_map[SDAP_AT_GROUP_GID].name);
+ state->opts->group_map[SDAP_AT_GROUP_NAME].name);
if (!filter) {
talloc_free(sdap_attrs);
return ENOMEM;
@@ -4370,6 +4411,7 @@ sdap_nested_group_process_deref_result(struct tevent_req *req)
const char *orig_dn;
errno_t ret;
struct sdap_deref_ctx *dctx = state->derefctx;
+ const char *tmp_name;
while (dctx->result_index < dctx->num_results) {
if (dctx->deref_result[dctx->result_index]->map == \
@@ -4399,6 +4441,15 @@ sdap_nested_group_process_deref_result(struct tevent_req *req)
dctx->result_index++;
} else if (dctx->deref_result[dctx->result_index]->map == \
state->opts->group_map) {
+ ret = sysdb_attrs_get_string(dctx->deref_result[dctx->result_index]->attrs,
+ state->opts->group_map[SDAP_AT_GROUP_NAME].name,
+ &tmp_name);
+ if (ret == ENOENT) {
+ DEBUG(7, ("Dereferenced a group without name, skipping ...\n"));
+ } else if (ret) {
+ return EIO;
+ }
+
DEBUG(6, ("Recursing down a nested group\n"));
subreq = sdap_nested_group_process_send(state, state->ev,
state->domain, state->sysdb,
@@ -4505,12 +4556,11 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
return NULL;
}
- filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
+ filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*))",
opts->group_map[SDAP_AT_GROUP_MEMBER].name,
clean_orig_dn,
opts->group_map[SDAP_OC_GROUP].name,
- opts->group_map[SDAP_AT_GROUP_NAME].name,
- opts->group_map[SDAP_AT_GROUP_GID].name);
+ opts->group_map[SDAP_AT_GROUP_NAME].name);
if (!filter) {
talloc_zfree(req);
return NULL;
@@ -4706,6 +4756,7 @@ errno_t save_rfc2307bis_user_memberships(
goto error;
}
+ DEBUG(8, ("Updating memberships for %s\n", state->name));
ret = sysdb_update_members(state->sysdb, state->dom, state->name,
SYSDB_MEMBER_USER,
(const char *const *)add_groups,
@@ -4916,12 +4967,11 @@ static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req)
}
filter = talloc_asprintf(
- tmp_ctx, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
+ tmp_ctx, "(&(%s=%s)(objectclass=%s)(%s=*))",
state->opts->group_map[SDAP_AT_GROUP_MEMBER].name,
clean_orig_dn,
state->opts->group_map[SDAP_OC_GROUP].name,
- state->opts->group_map[SDAP_AT_GROUP_NAME].name,
- state->opts->group_map[SDAP_AT_GROUP_GID].name);
+ state->opts->group_map[SDAP_AT_GROUP_NAME].name);
if (!filter) {
ret = ENOMEM;
goto error;
@@ -5200,6 +5250,7 @@ static errno_t rfc2307bis_nested_groups_update_sysdb(
talloc_free(ldap_grouplist);
talloc_free(sysdb_grouplist);
+ DEBUG(8, ("Updating memberships for %s\n", name));
ret = sysdb_update_members(state->sysdb, state->dom, name,
SYSDB_MEMBER_GROUP,
(const char *const *)add_groups,
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 74c56a311..db7edd023 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -2922,6 +2922,8 @@ static int fill_initgr(struct sss_packet *packet, struct ldb_result *res)
size_t blen;
gid_t gid;
int ret, i, num;
+ int skipped = 0;
+ const char *posix;
if (res->count == 0) {
return ENOENT;
@@ -2939,14 +2941,20 @@ static int fill_initgr(struct sss_packet *packet, struct ldb_result *res)
/* skip first entry, it's the user entry */
for (i = 0; i < num; i++) {
gid = ldb_msg_find_attr_as_uint64(res->msgs[i + 1], SYSDB_GIDNUM, 0);
+ posix = ldb_msg_find_attr_as_string(res->msgs[i + 1], SYSDB_POSIX, NULL);
if (!gid) {
- DEBUG(1, ("Incomplete group object for initgroups! Aborting\n"));
- return EFAULT;
+ if (posix && strcmp(posix, "FALSE") == 0) {
+ skipped++;
+ continue;
+ } else {
+ DEBUG(1, ("Incomplete group object for initgroups! Aborting\n"));
+ return EFAULT;
+ }
}
((uint32_t *)body)[2 + i] = gid;
}
- ((uint32_t *)body)[0] = num; /* num results */
+ ((uint32_t *)body)[0] = num-skipped; /* num results */
((uint32_t *)body)[1] = 0; /* reserved */
return EOK;