authorSimo Sorce <simo@redhat.com>2012-11-16 20:25:42 +0000
committerJakub Hrozek <jhrozek@redhat.com>2012-11-19 15:30:57 +0100
commit9342c9bfb794bde7c54928d73cb41d33e3b4917f (patch)
tree0a693041fd96efdbb84c1dfb789c54d0fd6a4b6a /src/db
parent39d3e4a184fc64c252ea276e1319ed6377d245ff (diff)
Refactor the way subdomain accounts are saved
The original sysdb code had a strong assumption that only users from one domain are saved in the database. With the subdomain feature we have changed reality, but have not adjusted all the code around the sysdb calls to stop relying on the original assumption. One of the side effects of this incongruence is that currently group memberships do not return fully qualified names for subdomain users as they should. In order to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By saving them fully qualified we do not risk aliasing local users and having group memberships or other name-based matching code mistake a domain user for a subdomain user or vice versa.
Diffstat (limited to 'src/db')
-rw-r--r--src/db/sysdb.h9
-rw-r--r--src/db/sysdb_search.c4
-rw-r--r--src/db/sysdb_subdomains.c40
3 files changed, 52 insertions, 1 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index c60f7e951..5541d3da5 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -452,6 +452,15 @@ errno_t sysdb_store_domgroup(struct sss_domain_info *domain,
errno_t sysdb_delete_domgroup(struct sss_domain_info *domain,
const char *name, gid_t gid);
+int sysdb_subdom_getpwnam(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ const char *name,
+ struct ldb_result **res);
+int sysdb_subdom_getgrnam(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ const char *name,
+ struct ldb_result **res);
+
errno_t sysdb_get_ranges(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
size_t *range_count,
struct range_info ***range_list);
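Review bot: The two new prototypes carry no comment saying how they differ from sysdb_getpwnam/sysdb_getgrnam, so a caller reading only the header cannot tell that `name` must be the bare, unqualified name and that it is expanded through the domain's fq_fmt only when the domain has a parent. I would add above sysdb_subdom_getpwnam: `/* Like sysdb_getpwnam, but if sysdb->domain is a subdomain the lookup uses the fully qualified form of name (built with domain->names->fq_fmt); name must be the unqualified name */`, and the equivalent above sysdb_subdom_getgrnam. Whether the functions own or borrow the returned ldb_result is also worth a word, as in the neighbouring declarations' convention.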
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index 1ab947700..49f628bfd 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -365,7 +365,9 @@ int sysdb_initgroups(TALLOC_CTX *mem_ctx,
return ENOMEM;
}
- ret = sysdb_getpwnam(tmp_ctx, sysdb, name, &res);
+ /* if this is a subdomain we need to search for the fully qualified
+ * name in the database */
+ ret = sysdb_subdom_getpwnam(tmp_ctx, sysdb, name, &res);
if (ret != EOK) {
DEBUG(1, ("sysdb_getpwnam failed: [%d][%s]\n",
ret, strerror(ret)));
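Review bot: The DEBUG message right after the new call still names sysdb_getpwnam, although the call that can now fail is sysdb_subdom_getpwnam; someone chasing this log line would look at the wrong function. Change it to `DEBUG(1, ("sysdb_subdom_getpwnam failed: [%d][%s]\n",`. sysdb_initgroups begins and ends outside this hunk.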
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index 2e0170f4d..231d481ca 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -668,3 +668,43 @@ errno_t sysdb_delete_domgroup(struct sss_domain_info *domain,
return sysdb_delete_group(domain->sysdb, name, gid);
}
+
+int sysdb_subdom_getpwnam(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ const char *name,
+ struct ldb_result **res)
+{
+ char *src_name = NULL;
+ int ret;
+
+ if (sysdb->domain->parent) {
+ src_name = talloc_asprintf(mem_ctx, sysdb->domain->names->fq_fmt,
+ name, sysdb->domain->name);
+ if (!src_name) return ENOMEM;
+ }
+
+ ret = sysdb_getpwnam(mem_ctx, sysdb, src_name ? src_name : name, res);
+ talloc_zfree(src_name);
+
+ return ret;
+}
+
+int sysdb_subdom_getgrnam(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ const char *name,
+ struct ldb_result **res)
+{
+ char *src_name = NULL;
+ int ret;
+
+ if (sysdb->domain->parent) {
+ src_name = talloc_asprintf(mem_ctx, sysdb->domain->names->fq_fmt,
+ name, sysdb->domain->name);
+ if (!src_name) return ENOMEM;
+ }
+
+ ret = sysdb_getgrnam(mem_ctx, sysdb, src_name ? src_name : name, res);
+ talloc_zfree(src_name);
+
+ return ret;
+}
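Review bot: sysdb_subdom_getpwnam and sysdb_subdom_getgrnam assume `name` is unqualified: whenever sysdb->domain->parent is set they unconditionally run it through fq_fmt, so a caller that already passes a fully qualified name gets it qualified twice and the lookup silently misses with whatever sysdb_getpwnam reports for an unknown entry. Since the functions cannot tell the two cases apart, the precondition should be stated on both, e.g. `/* name must be the bare (unqualified) name; it is qualified here for subdomains */`. Note also that fq_fmt is passed to talloc_asprintf as a non-literal format with exactly two string arguments; it presumably comes from configuration, and if so it should be validated at load time to contain exactly two string conversions, since a format with more conversions would read past the supplied varargs. The two bodies are identical except for the final call and could share a static helper that takes the lookup function as a parameter.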