authorPavel Březina <pbrezina@redhat.com>2015-11-10 11:34:14 +0100
committerLukas Slebodnik <lslebodn@redhat.com>2015-12-15 16:27:08 +0100
commitc0000a8cc9eccdf5cd8dd72fd6e9bc09d8c7cf00 (patch)
tree20fb404e01530509307f82f1690dc11b423eaecc
parent1ab2b07c71da6c19c3855e390d10156d598c06a2 (diff)
SUDO: do not imitate full refresh if usn is unknown in smart refresh
The USN value should now always be known once at least one full refresh has succeeded. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-rw-r--r--src/providers/ldap/sdap_async_sudo.c23
-rw-r--r--src/providers/ldap/sdap_sudo_refresh.c20
2 files changed, 23 insertions, 20 deletions
diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
index bbc55a9ac..b8310275b 100644
--- a/src/providers/ldap/sdap_async_sudo.c
+++ b/src/providers/ldap/sdap_async_sudo.c
@@ -305,13 +305,24 @@ static void sdap_sudo_set_usn(struct sdap_server_opts *srv_opts, char *usn)
unsigned int usn_number;
char *endptr = NULL;
- if (usn == NULL) {
- DEBUG(SSSDBG_TRACE_FUNC, "Empty USN, ignoring\n");
+ if (srv_opts == NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Bug: srv_opts is NULL\n");
return;
}
- if (srv_opts == NULL) {
- DEBUG(SSSDBG_TRACE_FUNC, "Bug: srv_opts is NULL\n");
+ if (usn == NULL) {
+ /* If the USN value is unknown and we don't have max_sudo_value set
+ * (possibly first full refresh which did not find any rule) we will
+ * set zero so smart refresh can pick up. */
+ if (srv_opts->max_sudo_value == NULL) {
+ srv_opts->max_sudo_value = talloc_strdup(srv_opts, "0");
+ if (srv_opts->max_sudo_value == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n");
+ }
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Empty USN, ignoring\n");
return;
}
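Review bot: A failed talloc_strdup() at `srv_opts->max_sudo_value = talloc_strdup(srv_opts, "0");` is only logged; because sdap_sudo_set_usn returns void, the caller in sdap_sudo_refresh_done still sets `ret = EOK` after the call, so the refresh is reported successful while max_sudo_value stays NULL and every following smart refresh will keep falling back to a full refresh with no indication why. I would either have the function return errno_t so the caller can propagate ENOMEM, or at least say so in the comment: `/* If the strdup fails max_sudo_value stays NULL and smart refresh will keep requesting a full refresh. */`. The comment's "possibly first full refresh which did not find any rule" reads as the only way this branch can be reached as far as the hunk shows, so "possibly" could be dropped. The rest of sdap_sudo_set_usn, including the numeric parsing implied by usn_number and endptr, is outside the hunk.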
@@ -689,9 +700,7 @@ static void sdap_sudo_refresh_done(struct tevent_req *subreq)
DEBUG(SSSDBG_TRACE_FUNC, "Sudoers is successfuly stored in cache\n");
/* remember new usn */
- if (usn != NULL) {
- sdap_sudo_set_usn(state->srv_opts, usn);
- }
+ sdap_sudo_set_usn(state->srv_opts, usn);
ret = EOK;
state->num_rules = rules_count;
diff --git a/src/providers/ldap/sdap_sudo_refresh.c b/src/providers/ldap/sdap_sudo_refresh.c
index 8c1323831..e3df8f1c5 100644
--- a/src/providers/ldap/sdap_sudo_refresh.c
+++ b/src/providers/ldap/sdap_sudo_refresh.c
@@ -182,7 +182,7 @@ struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
}
if (!sudo_ctx->full_refresh_done
- && (srv_opts == NULL || srv_opts->max_sudo_value == 0)) {
+ || srv_opts == NULL || srv_opts->max_sudo_value == NULL) {
/* Perform full refresh first */
DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, "
"waiting for full refresh!\n");
@@ -195,17 +195,11 @@ struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
/* Download all rules from LDAP that are newer than usn */
usn = srv_opts->max_sudo_value;
- if (usn != NULL) {
- search_filter = talloc_asprintf(state,
- "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))",
- map[SDAP_OC_SUDORULE].name,
- map[SDAP_AT_SUDO_USN].name, usn,
- map[SDAP_AT_SUDO_USN].name, usn);
- } else {
- /* no valid USN value known */
- search_filter = talloc_asprintf(state, SDAP_SUDO_FILTER_CLASS,
- map[SDAP_OC_SUDORULE].name);
- }
+ search_filter = talloc_asprintf(state,
+ "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))",
+ map[SDAP_OC_SUDORULE].name,
+ map[SDAP_AT_SUDO_USN].name, usn,
+ map[SDAP_AT_SUDO_USN].name, usn);
if (search_filter == NULL) {
ret = ENOMEM;
goto immediately;
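Review bot: usn is spliced unescaped into the LDAP filter at `map[SDAP_AT_SUDO_USN].name, usn,`, and after this change that is the only path since the plain object-class fallback is gone. The value comes from srv_opts->max_sudo_value, which sdap_sudo_set_usn fills; that function evidently parses the USN as a number (usn_number/endptr in the first hunk), but the form it stores is outside these hunks, so I cannot confirm that only validated digits ever reach the filter. A cheap guard here would make the contract explicit and keep filter metacharacters out regardless of what the setter stores: `if (usn[strspn(usn, "0123456789")] != '\0') { ret = EINVAL; goto immediately; }` before the talloc_asprintf, or alternatively run usn through whatever filter-escaping helper the provider uses. sdap_sudo_smart_refresh_send starts and ends outside the hunk.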
@@ -215,7 +209,7 @@ struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
* sysdb_filter = NULL; */
DEBUG(SSSDBG_TRACE_FUNC, "Issuing a smart refresh of sudo rules "
- "(USN > %s)\n", (usn == NULL ? "0" : usn));
+ "(USN > %s)\n", usn);
subreq = sdap_sudo_refresh_send(state, sudo_ctx, search_filter, NULL);
if (subreq == NULL) {