authorSumit Bose <sbose@redhat.com>2013-12-18 13:47:31 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-12-19 17:36:09 +0100
commit4cd1cb275a09a188dce1eeccecc868a854a13b77 (patch)
treef994ea5f9ea10236037b8fdfb9d83fdc66083f9a /src/providers/ldap/sdap_async_initgroups.c
parentb61518461e08ba0e33ffd6c0c47da709a5757658 (diff)
AD: cross-domain membership fix
A recent patch directed all calls related to group membership lookups to the AD LDAP port to fix an issue related to missing group memberships in the Global Catalog. As a side-effect it broke cross-domain group memberships because those cannot be resolved by the connection to the LDAP port. This patch tries to fix that by restoring the original behaviour in the top-level lookup calls in the AD provider and switching to the LDAP port only for the LDAP request which is expected to return the full group membership. Additionally this patch contains a related fix for the tokenGroups with Posix attributes patch. The original connection, typically a Global Catalog connection in the AD case, is passed down the stack so that the group lookup after the tokenGroups request can run over the same connection.
Diffstat (limited to 'src/providers/ldap/sdap_async_initgroups.c')
-rw-r--r--src/providers/ldap/sdap_async_initgroups.c50
1 files changed, 47 insertions, 3 deletions
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 1b865af0a..aba7ba42d 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2749,6 +2749,10 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
const char *orig_dn;
const char *cname;
bool in_transaction = false;
+ char *expected_basedn;
+ size_t expected_basedn_len;
+ size_t dn_len;
+ size_t c = 0;
DEBUG(9, ("Receiving info for the user\n"));
@@ -2788,11 +2792,50 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
} else if (count != 1) {
DEBUG(SSSDBG_OP_FAILURE,
("Expected one user entry and got %zu\n", count));
- tevent_req_error(req, EINVAL);
- return;
+
+ ret = domain_to_basedn(state, state->dom->name, &expected_basedn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("domain_to_basedn failed.\n"));
+ tevent_req_error(req, ret);
+ return;
+ }
+ expected_basedn = talloc_asprintf(state, "%s%s",
+ "cn=users,", expected_basedn);
+ if (expected_basedn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_append failed.\n"));
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, ("Expected BaseDN is [%s].\n", expected_basedn));
+ expected_basedn_len = strlen(expected_basedn);
+
+ for (c = 0; c < count; c++) {
+ ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, &orig_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
+ tevent_req_error(req, ret);
+ return;
+ }
+ dn_len = strlen(orig_dn);
+
+ if (dn_len > expected_basedn_len
+ && strcasecmp(orig_dn + (dn_len - expected_basedn_len),
+ expected_basedn) == 0) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ ("Found matching dn [%s].\n", orig_dn));
+ break;
+ }
+ }
+
+ if (c == count) {
+ DEBUG(SSSDBG_OP_FAILURE, ("No matching DN found.\n"));
+ tevent_req_error(req, EINVAL);
+ return;
+ }
}
- state->orig_user = usr_attrs[0];
+ state->orig_user = usr_attrs[c];
ret = sysdb_transaction_start(state->sysdb);
if (ret) {
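Review bot: The suffix comparison at `if (dn_len > expected_basedn_len && strcasecmp(orig_dn + (dn_len - expected_basedn_len), expected_basedn) == 0)` does not require the match to start at an RDN boundary, so a DN whose last attribute value merely ends with the expected text would also be accepted; adding `&& orig_dn[dn_len - expected_basedn_len - 1] == ','` before the strcasecmp pins the match to a whole DN component. The loop also keeps the first matching entry and emits no diagnostic when more than one entry matches, which would be worth a DEBUG line since the caller then silently proceeds with one of several candidates. Two messages are now misleading: `DEBUG(SSSDBG_OP_FAILURE, ("talloc_append failed.\n"));` follows a `talloc_asprintf` call, and the `Expected one user entry and got %zu` message stays at SSSDBG_OP_FAILURE although the branch now recovers from that case. sdap_get_initgr_user begins before this hunk, and the declaration of `c` it relies on is in the preceding hunk.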
@@ -2858,6 +2901,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
*/
subreq = sdap_ad_tokengroups_initgroups_send(state, state->ev,
state->id_ctx,
+ state->conn,
state->opts,
state->sysdb,
state->dom,