author | Pavel Reichl <preichl@redhat.com> | 2014-11-20 18:27:04 +0000 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-12-13 22:11:13 +0100 |
commit | 6fac5e5f0c54a0f92872ce1450606cfcb577a920 (patch) | |
tree | 698969beabfac61e841fb61ca4fe02826b83f2a6 /src/providers/ldap | |
parent | d72958f09ce3718019992b7a117f112e38855b55 (diff) | |
LDAP: retain external members
When processing group membership, check sysdb for group members from an
external domain and include them in the newly processed group membership, as
external members are currently found only when initgroups() is called.
Resolves:
https://fedorahosted.org/sssd/ticket/2492
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- | src/providers/ldap/sdap_async_groups.c | 104 |
1 files changed, 104 insertions, 0 deletions
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index 8cf7f7ff1..c86b5c6b5 100644 --- a/src/providers/ldap/sdap_async_groups.c +++ b/src/providers/ldap/sdap_async_groups.c 
@@ -801,6 +801,87 @@ done: return ret; } +static errno_t +are_sids_from_same_dom(const char *sid1, const char *sid2, bool *_result) +{ + size_t len_prefix_sid1; + size_t len_prefix_sid2; + char *rid1, *rid2; + bool result; + + rid1 = strrchr(sid1, '-'); + if (rid1 == NULL) { + return EINVAL; + } + + rid2 = strrchr(sid2, '-'); + if (rid2 == NULL) { + return EINVAL; + } + + len_prefix_sid1 = rid1 - sid1; + len_prefix_sid2 = rid2 - sid2; + + result = (len_prefix_sid1 == len_prefix_sid2) && + (strncmp(sid1, sid2, len_prefix_sid1) == 0); + + *_result = result; + + return EOK; +} + +static errno_t +retain_extern_members(TALLOC_CTX *mem_ctx, + struct sss_domain_info *dom, + const char *group_name, + const char *group_sid, + char ***_userdns, + size_t *_nuserdns) +{ + TALLOC_CTX *tmp_ctx; + const char **sids, **dns; + bool same_domain; + errno_t ret; + size_t i, n; + size_t nuserdns = 0; + const char **userdns = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = sysdb_get_sids_of_members(tmp_ctx, dom, group_name, &sids, &dns, &n); + if (ret != EOK) { + if (ret != ENOENT) { + DEBUG(SSSDBG_TRACE_ALL, + "get_sids_of_members failed: %d [%s]\n", + ret, sss_strerror(ret)); + } + goto done; + } + + for (i=0; i < n; i++) { + ret = are_sids_from_same_dom(group_sid, sids[i], &same_domain); + if (ret == EOK && !same_domain) { + DEBUG(SSSDBG_TRACE_ALL, "extern member: %s\n", dns[i]); + nuserdns++; + userdns = talloc_realloc(tmp_ctx, userdns, const char*, nuserdns); + if (userdns == NULL) { + ret = ENOMEM; + goto done; + } + userdns[nuserdns-1] = talloc_steal(userdns, dns[i]); + } + } + *_nuserdns = nuserdns; + *_userdns = discard_const(talloc_steal(mem_ctx, userdns)); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} /* ==Save-Group-Memebrs=================================================== */ 
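Review bot: are_sids_from_same_dom hands sid1 and sid2 straight to strrchr with no NULL check, so if sysdb_get_sids_of_members can yield a NULL entry in sids[] for a member that carries no SID attribute, the loop in retain_extern_members dereferences it; a guard `if (sid1 == NULL || sid2 == NULL) return EINVAL;` at the top would keep the loop's existing skip-on-error behaviour, though whether sids[] can hold NULL depends on that helper, which is outside the hunk. The comparison contract also deserves a one-line comment on the function, e.g. `/* Two SIDs share a domain iff they are identical up to the last '-' (the RID). */`. In retain_extern_members the member count n is known before the loop, so a single `talloc_array(tmp_ctx, const char *, n)` (guarded for n == 0 so the NULL result for no external members is unchanged) would replace the per-member talloc_realloc and its error path, with nuserdns counting the used slots. Both functions are complete within the hunk.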
@@ -817,6 +898,7 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx, { struct ldb_message_element *el; struct sysdb_attrs *group_attrs = NULL; + const char *group_sid; const char *group_name; char **userdns = NULL; size_t nuserdns = 0; @@ -843,6 +925,28 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx, } } + /* This is a temporal solution until the IPA provider is able to + * resolve external group membership. + * https://fedorahosted.org/sssd/ticket/2522 + */ + if (opts->schema_type == SDAP_SCHEMA_IPA_V1) { + ret = sysdb_attrs_get_string(attrs, SYSDB_SID_STR, &group_sid); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, "Failed to get group sid\n"); + group_sid = NULL; + } + + if (group_sid != NULL) { + ret = retain_extern_members(memctx, dom, group_name, group_sid, + &userdns, &nuserdns); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "retain_extern_members failed: %d:[%s].\n", + ret, sss_strerror(ret)); + } + } + } + ret = sysdb_attrs_get_el(attrs, opts->group_map[SDAP_AT_GROUP_MEMBER].sys_name, &el); if (ret != EOK) { |
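Review bot: In the second hunk on this line, the failure branch after the retain_extern_members call logs every non-EOK return, but retain_extern_members itself passes ENOENT through from sysdb_get_sids_of_members and only treats other codes as failures, so for a group being saved for the first time this log line presumably fires routinely; `if (ret != EOK && ret != ENOENT) {` would restrict it to real failures, consistent with the callee's own filter. The block also pre-fills userdns and nuserdns before the LDAP member element is read from attrs, so the call site should say that subsequent code must append to rather than overwrite these values, e.g. `/* userdns/nuserdns may already hold external members; append to them below. */` — whether the code below does so cannot be seen here. In the added comment, "temporal solution" should read "temporary solution". sdap_save_grpmem begins and ends outside the hunk.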