author | Pavel Reichl <preichl@redhat.com> | 2014-06-17 17:16:14 +0100 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-07-21 11:48:53 +0200 |
commit | deb0cc874606db31f454531c03d381fe0de76bd6 (patch) | |
tree | 1e8b27458d1936edb10905914c9eda2ff4ab7a41 /src/providers/ldap/sdap_async_initgroups_ad.c | |
parent | 80af7e9daed52b283af037864bcdd86d96695618 (diff) | |
LDAP: tokengroups do not work with id_provider=ldap
With the plain LDAP provider we already have a sdap_handle, so it should be possible
that in the case where sdom->pvt == NULL sdap_id_op_connect_send() can be
skipped and sdap_get_ad_tokengroups_send() can already be sent with the
sdap_handle passed to sdap_ad_tokengroups_initgr_mapping_send(). So we should
only fail if sdom->pvt == NULL and sh == NULL.
If find_subdomain_by_sid() fails, we can check whether there is only one domain in
the domain list (state->domain) and in this case continue with this domain, since
the LDAP provider does not know about sub-domains and hence can only have one
configured domain.
Resolves:
https://fedorahosted.org/sssd/ticket/2345
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit b12e2500237f33c44807d7e5b377ec06007c7252)
Diffstat (limited to 'src/providers/ldap/sdap_async_initgroups_ad.c')
-rw-r--r-- | src/providers/ldap/sdap_async_initgroups_ad.c | 82 |
1 files changed, 71 insertions, 11 deletions
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 31712be24..7e79cea81 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -608,7 +608,9 @@ static errno_t sdap_ad_resolve_sids_step(struct tevent_req *req)
     }
     state->index++;
 
-    domain = find_subdomain_by_sid(state->domain, state->current_sid);
+    domain = sss_get_domain_by_sid_ldap_fallback(state->domain,
+                                                state->current_sid);
+
     if (domain == NULL) {
         DEBUG(SSSDBG_MINOR_FAILURE, "SID %s does not belong to any known "
                                     "domain\n", state->current_sid);
@@ -693,6 +695,15 @@ struct sdap_ad_tokengroups_initgr_mapping_state {
 
 static void sdap_ad_tokengroups_initgr_mapping_connect_done(struct tevent_req *subreq);
 static void sdap_ad_tokengroups_initgr_mapping_done(struct tevent_req *subreq);
+static errno_t handle_missing_pvt(TALLOC_CTX *mem_ctx,
+                                  struct tevent_context *ev,
+                                  struct sdap_options *opts,
+                                  const char *orig_dn,
+                                  int timeout,
+                                  const char *username,
+                                  struct sdap_handle *sh,
+                                  struct tevent_req *req,
+                                  tevent_req_fn callback);
 
 static struct tevent_req *
 sdap_ad_tokengroups_initgr_mapping_send(TALLOC_CTX *mem_ctx,
@@ -735,11 +746,18 @@ sdap_ad_tokengroups_initgr_mapping_send(TALLOC_CTX *mem_ctx,
 
     sdom = sdap_domain_get(opts, domain);
     if (sdom == NULL || sdom->pvt == NULL) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "No ID ctx available for [%s].\n",
-              domain->name);
-        ret = EINVAL;
-        goto immediately;
+        ret = handle_missing_pvt(mem_ctx, ev, opts, orig_dn, timeout,
+                                 state->username, sh, req,
+                                 sdap_ad_tokengroups_initgr_mapping_done);
+        if (ret == EOK) {
+            return req;
+        } else {
+            DEBUG(SSSDBG_CRIT_FAILURE, "No ID ctx available for [%s].\n",
+                  domain->name);
+            goto immediately;
+        }
     }
+
     subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
     state->op = sdap_id_op_create(state, subdom_id_ctx->ldap_ctx->conn_cache);
     if (!state->op) {
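Review bot: The new branch hands the caller's `mem_ctx` to handle_missing_pvt, which uses it as the talloc parent of the sdap_get_ad_tokengroups_send() subrequest, so that subrequest is not owned by req's state the way the other per-request allocation visible a few lines below is (`sdap_id_op_create(state, …)`); if req is freed before the LDAP reply arrives, the subrequest survives and its callback runs with a dangling req. Pass the state as the parent instead: `ret = handle_missing_pvt(state, ev, opts, orig_dn, timeout,`. The hunk at -1031 in sdap_ad_tokengroups_initgr_posix_send has the same issue. sdap_ad_tokengroups_initgr_mapping_send and the `immediately` label this branch jumps to lie outside the hunk.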
@@ -874,7 +892,7 @@ static void sdap_ad_tokengroups_initgr_mapping_done(struct tevent_req *subreq)
             continue;
         }
 
-        domain = find_subdomain_by_sid(get_domains_head(state->domain), sid);
+        domain = sss_get_domain_by_sid_ldap_fallback(state->domain, sid);
         if (domain == NULL) {
             DEBUG(SSSDBG_MINOR_FAILURE, "Domain not found for SID %s\n", sid);
             continue;
@@ -1031,10 +1049,16 @@ sdap_ad_tokengroups_initgr_posix_send(TALLOC_CTX *mem_ctx,
 
     sdom = sdap_domain_get(opts, domain);
     if (sdom == NULL || sdom->pvt == NULL) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "No ID ctx available for [%s].\n",
-              domain->name);
-        ret = EINVAL;
-        goto immediately;
+        ret = handle_missing_pvt(mem_ctx, ev, opts, orig_dn, timeout,
+                                 state->username, sh, req,
+                                 sdap_ad_tokengroups_initgr_posix_tg_done);
+        if (ret == EOK) {
+            return req;
+        } else {
+            DEBUG(SSSDBG_CRIT_FAILURE, "No ID ctx available for [%s].\n",
+                  domain->name);
+            goto immediately;
+        }
     }
     subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
     state->op = sdap_id_op_create(state, subdom_id_ctx->ldap_ctx->conn_cache);
@@ -1164,7 +1188,7 @@ sdap_ad_tokengroups_initgr_posix_tg_done(struct tevent_req *subreq)
         sid = sids[i];
         DEBUG(SSSDBG_TRACE_LIBS, "Processing membership SID [%s]\n", sid);
 
-        domain = find_subdomain_by_sid(get_domains_head(state->domain), sid);
+        domain = sss_get_domain_by_sid_ldap_fallback(state->domain, sid);
         if (domain == NULL) {
             DEBUG(SSSDBG_MINOR_FAILURE, "Domain not found for SID %s\n", sid);
             continue;
@@ -1382,3 +1406,39 @@ errno_t sdap_ad_tokengroups_initgroups_recv(struct tevent_req *req)
 
     return EOK;
 }
+
+static errno_t handle_missing_pvt(TALLOC_CTX *mem_ctx,
+                                  struct tevent_context *ev,
+                                  struct sdap_options *opts,
+                                  const char *orig_dn,
+                                  int timeout,
+                                  const char *username,
+                                  struct sdap_handle *sh,
+                                  struct tevent_req *req,
+                                  tevent_req_fn callback)
+{
+    struct tevent_req *subreq = NULL;
+    errno_t ret;
+
+    if (sh != NULL) {
+        /* plain LDAP provider already has a sdap_handle */
+        subreq = sdap_get_ad_tokengroups_send(mem_ctx, ev, opts, sh, username,
+                                              orig_dn, timeout);
+        if (subreq == NULL) {
+            ret = ENOMEM;
+            tevent_req_error(req, ret);
+            goto done;
+        }
+
+        tevent_req_set_callback(subreq, callback, req);
+        ret = EOK;
+        goto done;
+
+    } else {
+        ret = EINVAL;
+        goto done;
+    }
+
+done:
+    return ret;
+}
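Review bot: On the `subreq == NULL` path handle_missing_pvt finishes req itself with `tevent_req_error(req, ret)` and then also returns ENOMEM, which both callers (the hunks at -735 and -1031) treat as a missing ID context: they log "No ID ctx available" and `goto immediately`, and if that label finishes req as well (it is outside those hunks) req is completed twice, while either way an allocation failure is reported as a configuration problem. The helper should leave req to its callers and only return the code, so that each caller finishes req exactly once and can reserve the crit message for EINVAL. With that, the `goto done` chain that only reaches `return ret;` is unnecessary and the body reads more plainly as guard clauses, as below. A short header comment stating the contract — EOK when the subrequest was issued with the callback attached, EINVAL when no sdap_handle is available, ENOMEM on allocation failure, and req never completed here — would also help, since both callers depend on exactly that.
```c
static errno_t handle_missing_pvt(TALLOC_CTX *mem_ctx,
                                  /* … unchanged: remaining parameters … */
                                  tevent_req_fn callback)
{
    struct tevent_req *subreq;

    if (sh == NULL) {
        return EINVAL;
    }

    /* plain LDAP provider already has a sdap_handle */
    subreq = sdap_get_ad_tokengroups_send(mem_ctx, ev, opts, sh, username,
                                          orig_dn, timeout);
    if (subreq == NULL) {
        /* the caller finishes req; do not call tevent_req_error() here */
        return ENOMEM;
    }

    tevent_req_set_callback(subreq, callback, req);
    return EOK;
}
```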