summaryrefslogtreecommitdiffstats
path: root/src/providers
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2012-11-17 23:55:13 +0100
committerJakub Hrozek <jhrozek@redhat.com>2012-11-21 11:18:10 +0100
commitf9111f464376338317e30da637353e2c25869ce8 (patch)
tree603e9228acbc691955a19e104865f1e21659c0ff /src/providers
parentfcea2fb0044b50b54bb02238782b6631dbc9bb90 (diff)
downloadsssd-f9111f464376338317e30da637353e2c25869ce8.tar.gz
sssd-f9111f464376338317e30da637353e2c25869ce8.tar.xz
sssd-f9111f464376338317e30da637353e2c25869ce8.zip
LDAP: Only convert direct parents' ghost attribute to member
https://fedorahosted.org/sssd/ticket/1612 This patch changes the handling of ghost attributes when saving the actual user entry. Instead of always linking all groups that contained the ghost attribute with the new user entry, the original member attributes are now saved in the group object and the user entry is only linked with its direct parents. As the member attribute is compared against the originalDN of the user, if either the originalDN or the originalMember attributes are missing, the user object is linked with all the groups as a fallback. The original member attributes are only saved if the LDAP schema supports nesting.
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ipa/ipa_hbac_private.h1
-rw-r--r--src/providers/ldap/sdap_async_groups.c24
-rw-r--r--src/providers/ldap/sdap_async_users.c22
-rw-r--r--src/providers/proxy/proxy_id.c1
4 files changed, 39 insertions, 9 deletions
diff --git a/src/providers/ipa/ipa_hbac_private.h b/src/providers/ipa/ipa_hbac_private.h
index bb1ea4ec1..f313ca132 100644
--- a/src/providers/ipa/ipa_hbac_private.h
+++ b/src/providers/ipa/ipa_hbac_private.h
@@ -34,7 +34,6 @@
#define IPA_UNIQUE_ID "ipauniqueid"
#define IPA_MEMBER "member"
-#define SYSDB_ORIG_MEMBER "orig_member"
#define HBAC_HOSTS_SUBDIR "hbac_hosts"
#define HBAC_HOSTGROUPS_SUBDIR "hbac_hostgroups"
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index aea22abe4..d7d262d56 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -205,6 +205,7 @@ sdap_process_ghost_members(struct sysdb_attrs *attrs,
struct sdap_options *opts,
hash_table_t *ghosts,
bool populate_members,
+ bool store_original_member,
struct sysdb_attrs *sysdb_attrs)
{
errno_t ret;
@@ -235,6 +236,19 @@ sdap_process_ghost_members(struct sysdb_attrs *attrs,
return ret;
}
+ if (store_original_member) {
+ DEBUG(SSSDBG_TRACE_FUNC, ("The group has %d members\n", memberel->num_values));
+ for (i = 0; i < memberel->num_values; i++) {
+ ret = sysdb_attrs_add_string(sysdb_attrs, SYSDB_ORIG_MEMBER,
+ (const char *) memberel->values[i].data);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, ("Could not add member [%s]\n",
+ (const char *) memberel->values[i].data));
+ return ret;
+ }
+ }
+ }
+
if (populate_members) {
ret = sysdb_attrs_get_el(sysdb_attrs, SYSDB_MEMBER, &sysdb_memberel);
if (ret != EOK) {
@@ -301,6 +315,7 @@ static int sdap_save_group(TALLOC_CTX *memctx,
struct sss_domain_info *dom,
struct sysdb_attrs *attrs,
bool populate_members,
+ bool store_original_member,
hash_table_t *ghosts,
char **_usn_value,
time_t now)
@@ -475,7 +490,8 @@ static int sdap_save_group(TALLOC_CTX *memctx,
}
ret = sdap_process_ghost_members(attrs, opts, ghosts,
- populate_members, group_attrs);
+ populate_members, store_original_member,
+ group_attrs);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Failed to save ghost members\n"));
goto fail;
@@ -598,6 +614,7 @@ static int sdap_save_groups(TALLOC_CTX *memctx,
char *higher_usn = NULL;
char *usn_value;
bool twopass;
+ bool has_nesting = false;
int ret;
errno_t sret;
int i;
@@ -615,6 +632,7 @@ static int sdap_save_groups(TALLOC_CTX *memctx,
case SDAP_SCHEMA_IPA_V1:
case SDAP_SCHEMA_AD:
twopass = true;
+ has_nesting = true;
break;
default:
@@ -649,8 +667,8 @@ static int sdap_save_groups(TALLOC_CTX *memctx,
/* if 2 pass savemembers = false */
ret = sdap_save_group(tmpctx, sysdb,
opts, dom, groups[i],
- populate_members, ghosts,
- &usn_value, now);
+ populate_members, has_nesting,
+ ghosts, &usn_value, now);
/* Do not fail completely on errors.
* Just report the failure to save and go on */
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 8974e6a24..216436111 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -46,6 +46,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
const char *gecos;
const char *homedir;
const char *shell;
+ const char *orig_dn;
uid_t uid;
gid_t gid, primary_gid;
struct sysdb_attrs *user_attrs;
@@ -227,12 +228,23 @@ int sdap_save_user(TALLOC_CTX *memctx,
goto fail;
}
- ret = sdap_attrs_add_string(attrs, SYSDB_ORIG_DN,
- "original DN",
- name, user_attrs);
- if (ret != EOK) {
+ ret = sysdb_attrs_get_el(attrs, SYSDB_ORIG_DN, &el);
+ if (ret) {
goto fail;
}
+ if (!el || el->num_values == 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("originalDN is not available for [%s].\n", name));
+ } else {
+ orig_dn = (const char *) el->values[0].data;
+ DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding originalDN [%s] to attributes "
+ "of [%s].\n", orig_dn, name));
+
+ ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_DN, orig_dn);
+ if (ret) {
+ goto fail;
+ }
+ }
ret = sysdb_attrs_get_el(attrs, SYSDB_MEMBEROF, &el);
if (ret) {
@@ -344,7 +356,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
DEBUG(6, ("Storing info for user %s\n", name));
ret = sysdb_store_user(ctx, name, pwd, uid, gid, gecos, homedir, shell,
- user_attrs, missing, cache_timeout, now);
+ orig_dn, user_attrs, missing, cache_timeout, now);
if (ret) goto fail;
if (_usn_value) {
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index 451bdff5b..ce66fa128 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -260,6 +260,7 @@ static int save_user(struct sysdb_ctx *sysdb, bool lowercase,
pwd->pw_gecos,
pwd->pw_dir,
shell,
+ NULL,
attrs,
NULL,
cache_timeout,