authorSumit Bose <sbose@redhat.com>2013-12-18 13:47:31 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-12-19 17:36:09 +0100
commit4cd1cb275a09a188dce1eeccecc868a854a13b77 (patch)
treef994ea5f9ea10236037b8fdfb9d83fdc66083f9a /src/providers/ldap/sdap_async_initgroups_ad.c
parentb61518461e08ba0e33ffd6c0c47da709a5757658 (diff)
downloadsssd-4cd1cb275a09a188dce1eeccecc868a854a13b77.tar.gz
sssd-4cd1cb275a09a188dce1eeccecc868a854a13b77.tar.xz
sssd-4cd1cb275a09a188dce1eeccecc868a854a13b77.zip
AD: cross-domain membership fix
A recent patch directed all calls related to group membership lookups to the AD LDAP port to fix an issue related to missing group memberships in the Global Catalog. As a side-effect it broke cross-domain group-memberships because those cannot be resolved by the connection to the LDAP port. The patch tries to fix this by restoring the original behaviour in the top-level lookup calls in the AD provider and switching to the LDAP port only for the LDAP request which is expected to return the full group membership. Additionally this patch contains a related fix for the tokenGroups with Posix attributes patch. The original connection, typically a Global Catalog connection in the AD case, is passed down the stack so that the group lookup after the tokenGroups request can run over the same connection.
Diffstat (limited to 'src/providers/ldap/sdap_async_initgroups_ad.c')
-rw-r--r--src/providers/ldap/sdap_async_initgroups_ad.c157
1 files changed, 148 insertions, 9 deletions
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index f1bf77e86..8f8f0a4cc 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -25,6 +25,7 @@
#include "providers/ldap/ldap_common.h"
#include "providers/ldap/sdap_async_private.h"
#include "providers/ldap/sdap_idmap.h"
+#include "providers/ad/ad_common.h"
#include "lib/idmap/sss_idmap.h"
struct sdap_ad_match_rule_initgr_state {
@@ -528,6 +529,7 @@ done:
struct sdap_ad_resolve_sids_state {
struct tevent_context *ev;
struct sdap_id_ctx *id_ctx;
+ struct sdap_id_conn_ctx *conn;
struct sdap_options *opts;
struct sss_domain_info *domain;
char **sids;
@@ -543,6 +545,7 @@ static struct tevent_req *
sdap_ad_resolve_sids_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct sdap_id_ctx *id_ctx,
+ struct sdap_id_conn_ctx *conn,
struct sdap_options *opts,
struct sss_domain_info *domain,
char **sids)
@@ -560,6 +563,7 @@ sdap_ad_resolve_sids_send(TALLOC_CTX *mem_ctx,
state->ev = ev;
state->id_ctx = id_ctx;
+ state->conn = conn;
state->opts = opts;
state->domain = get_domains_head(domain);
state->sids = sids;
@@ -618,7 +622,7 @@ static errno_t sdap_ad_resolve_sids_step(struct tevent_req *req)
}
subreq = groups_get_send(state, state->ev, state->id_ctx, sdap_domain,
- state->id_ctx->conn, state->current_sid,
+ state->conn, state->current_sid,
BE_FILTER_SECID, BE_ATTR_CORE, false);
if (subreq == NULL) {
return ENOMEM;
@@ -673,12 +677,21 @@ static errno_t sdap_ad_resolve_sids_recv(struct tevent_req *req)
struct sdap_ad_tokengroups_initgr_mapping_state {
+ struct tevent_context *ev;
+ struct sdap_options *opts;
+ struct sdap_handle *sh;
struct sdap_idmap_ctx *idmap_ctx;
struct sysdb_ctx *sysdb;
struct sss_domain_info *domain;
+ const char *orig_dn;
+ int timeout;
const char *username;
+
+ struct sdap_id_op *op;
};
+static void
+sdap_ad_tokengroups_initgr_mapping_connect_done(struct tevent_req *subreq);
static void sdap_ad_tokengroups_initgr_mapping_done(struct tevent_req *subreq);
static struct tevent_req *
@@ -695,6 +708,8 @@ sdap_ad_tokengroups_initgr_mapping_send(TALLOC_CTX *mem_ctx,
struct sdap_ad_tokengroups_initgr_mapping_state *state = NULL;
struct tevent_req *req = NULL;
struct tevent_req *subreq = NULL;
+ struct sdap_domain *sdom;
+ struct ad_id_ctx *subdom_id_ctx;
errno_t ret;
req = tevent_req_create(mem_ctx, &state,
@@ -704,23 +719,43 @@ sdap_ad_tokengroups_initgr_mapping_send(TALLOC_CTX *mem_ctx,
return NULL;
}
+ state->ev = ev;
+ state->opts = opts;
+ state->sh = sh;
state->idmap_ctx = opts->idmap_ctx;
state->sysdb = sysdb;
state->domain = domain;
+ state->timeout = timeout;
+ state->orig_dn = orig_dn;
state->username = talloc_strdup(state, name);
if (state->username == NULL) {
ret = ENOMEM;
goto immediately;
}
- subreq = sdap_get_ad_tokengroups_send(state, ev, opts, sh, name, orig_dn,
- timeout);
+ sdom = sdap_domain_get(opts, domain);
+ if (sdom == NULL || sdom->pvt == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("No ID ctx available for [%s].\n",
+ domain->name));
+ ret = EINVAL;
+ goto immediately;
+ }
+ subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
+ state->op = sdap_id_op_create(state, subdom_id_ctx->ldap_ctx->conn_cache);
+ if (!state->op) {
+ DEBUG(2, ("sdap_id_op_create failed\n"));
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ subreq = sdap_id_op_connect_send(state->op, state, &ret);
if (subreq == NULL) {
ret = ENOMEM;
goto immediately;
}
- tevent_req_set_callback(subreq, sdap_ad_tokengroups_initgr_mapping_done,
+ tevent_req_set_callback(subreq,
+ sdap_ad_tokengroups_initgr_mapping_connect_done,
req);
return req;
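Review bot: At the `if (subreq == NULL)` check after `sdap_id_op_connect_send(state->op, state, &ret)` the code overwrites `ret` with ENOMEM although the call has just been given `&ret` to report its own failure reason; assuming sdap_id_op_connect_send does store the error there on a NULL return, the assignment masks it and the check should read `if (subreq == NULL) { goto immediately; }`. The two DEBUG calls in the new block use different conventions, `SSSDBG_CRIT_FAILURE` and the bare numeric `2`; the second should be the symbolic `SSSDBG_OP_FAILURE` like the rest of the file. `state->sh` is stored at the top of the hunk but the tokengroups request is now sent over `sdap_id_op_handle(state->op)`, so unless the done callback (outside this hunk) reads it the field looks dead and the stored handle can only confuse a later reader about which connection is in use. All three points apply unchanged to the identical block in sdap_ad_tokengroups_initgr_posix_send further down.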
@@ -736,6 +771,42 @@ immediately:
return req;
}
+static void
+sdap_ad_tokengroups_initgr_mapping_connect_done(struct tevent_req *subreq)
+{
+ struct sdap_ad_tokengroups_initgr_mapping_state *state = NULL;
+ struct tevent_req *req = NULL;
+ int ret;
+ int dp_error = DP_ERR_FATAL;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req,
+ struct sdap_ad_tokengroups_initgr_mapping_state);
+
+
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = sdap_get_ad_tokengroups_send(state, state->ev, state->opts,
+ sdap_id_op_handle(state->op),
+ state->username,
+ state->orig_dn, state->timeout);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ tevent_req_set_callback(subreq, sdap_ad_tokengroups_initgr_mapping_done,
+ req);
+
+ return;
+}
+
static void sdap_ad_tokengroups_initgr_mapping_done(struct tevent_req *subreq)
{
TALLOC_CTX *tmp_ctx = NULL;
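Review bot: `dp_error` is initialised and filled by sdap_id_op_connect_recv() but never consulted: on failure only `ret` is propagated, so an offline result (DP_ERR_OFFLINE) reaches the caller as an ordinary error and the request cannot distinguish "backend offline" from "lookup failed". The connection taken through state->op also has to be handed back with sdap_id_op_done() once the tokengroups request finishes; sdap_ad_tokengroups_initgr_mapping_done begins in the trailing context lines of this hunk but its body is outside it, so please verify it calls `sdap_id_op_done(state->op, ret, &dp_error)` and honours a retry request, otherwise the handle is never released to the connection cache. Minor style: `int ret` here versus `errno_t ret` in the neighbouring functions, and a doubled blank line after the tevent_req_data() call. The same remarks apply to sdap_ad_tokengroups_initgr_posix_sids_connect_done below.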
@@ -896,22 +967,31 @@ static int sdap_ad_tokengroups_initgr_mapping_recv(struct tevent_req *req)
struct sdap_ad_tokengroups_initgr_posix_state {
struct tevent_context *ev;
struct sdap_id_ctx *id_ctx;
+ struct sdap_id_conn_ctx *conn;
struct sdap_options *opts;
+ struct sdap_handle *sh;
struct sysdb_ctx *sysdb;
struct sss_domain_info *domain;
+ const char *orig_dn;
+ int timeout;
const char *username;
+
+ struct sdap_id_op *op;
};
static void
sdap_ad_tokengroups_initgr_posix_tg_done(struct tevent_req *subreq);
static void
+sdap_ad_tokengroups_initgr_posix_sids_connect_done(struct tevent_req *subreq);
+static void
sdap_ad_tokengroups_initgr_posix_sids_done(struct tevent_req *subreq);
static struct tevent_req *
sdap_ad_tokengroups_initgr_posix_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct sdap_id_ctx *id_ctx,
+ struct sdap_id_conn_ctx *conn,
struct sdap_options *opts,
struct sysdb_ctx *sysdb,
struct sss_domain_info *domain,
@@ -923,6 +1003,8 @@ sdap_ad_tokengroups_initgr_posix_send(TALLOC_CTX *mem_ctx,
struct sdap_ad_tokengroups_initgr_posix_state *state = NULL;
struct tevent_req *req = NULL;
struct tevent_req *subreq = NULL;
+ struct sdap_domain *sdom;
+ struct ad_id_ctx *subdom_id_ctx;
errno_t ret;
req = tevent_req_create(mem_ctx, &state,
@@ -934,23 +1016,42 @@ sdap_ad_tokengroups_initgr_posix_send(TALLOC_CTX *mem_ctx,
state->ev = ev;
state->id_ctx = id_ctx;
+ state->conn = conn;
state->opts = opts;
+ state->sh = sh;
state->sysdb = sysdb;
state->domain = domain;
+ state->orig_dn = orig_dn;
+ state->timeout = timeout;
state->username = talloc_strdup(state, name);
if (state->username == NULL) {
ret = ENOMEM;
goto immediately;
}
- subreq = sdap_get_ad_tokengroups_send(state, ev, opts, sh, name, orig_dn,
- timeout);
+ sdom = sdap_domain_get(opts, domain);
+ if (sdom == NULL || sdom->pvt == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("No ID ctx available for [%s].\n",
+ domain->name));
+ ret = EINVAL;
+ goto immediately;
+ }
+ subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
+ state->op = sdap_id_op_create(state, subdom_id_ctx->ldap_ctx->conn_cache);
+ if (!state->op) {
+ DEBUG(2, ("sdap_id_op_create failed\n"));
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ subreq = sdap_id_op_connect_send(state->op, state, &ret);
if (subreq == NULL) {
ret = ENOMEM;
goto immediately;
}
- tevent_req_set_callback(subreq, sdap_ad_tokengroups_initgr_posix_tg_done,
+ tevent_req_set_callback(subreq,
+ sdap_ad_tokengroups_initgr_posix_sids_connect_done,
req);
return req;
@@ -967,6 +1068,42 @@ immediately:
}
static void
+sdap_ad_tokengroups_initgr_posix_sids_connect_done(struct tevent_req *subreq)
+{
+ struct sdap_ad_tokengroups_initgr_posix_state *state = NULL;
+ struct tevent_req *req = NULL;
+ int ret;
+ int dp_error = DP_ERR_FATAL;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req,
+ struct sdap_ad_tokengroups_initgr_posix_state);
+
+
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = sdap_get_ad_tokengroups_send(state, state->ev, state->opts,
+ sdap_id_op_handle(state->op),
+ state->username, state->orig_dn,
+ state->timeout);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ tevent_req_set_callback(subreq, sdap_ad_tokengroups_initgr_posix_tg_done,
+ req);
+
+ return;
+}
+
+static void
sdap_ad_tokengroups_initgr_posix_tg_done(struct tevent_req *subreq)
{
TALLOC_CTX *tmp_ctx = NULL;
@@ -1089,6 +1226,7 @@ sdap_ad_tokengroups_initgr_posix_tg_done(struct tevent_req *subreq)
/* download missing SIDs */
missing_sids = talloc_steal(state, missing_sids);
subreq = sdap_ad_resolve_sids_send(state, state->ev, state->id_ctx,
+ state->conn,
state->opts, state->domain,
missing_sids);
if (subreq == NULL) {
@@ -1154,6 +1292,7 @@ struct tevent_req *
sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct sdap_id_ctx *id_ctx,
+ struct sdap_id_conn_ctx *conn,
struct sdap_options *opts,
struct sysdb_ctx *sysdb,
struct sss_domain_info *domain,
@@ -1184,8 +1323,8 @@ sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
name, orig_dn,
timeout);
} else {
- subreq = sdap_ad_tokengroups_initgr_posix_send(state, ev, id_ctx, opts,
- sysdb, domain, sh,
+ subreq = sdap_ad_tokengroups_initgr_posix_send(state, ev, id_ctx, conn,
+ opts, sysdb, domain, sh,
name, orig_dn,
timeout);
}