summaryrefslogtreecommitdiffstats
path: root/src/providers
diff options
context:
space:
mode:
authorPavel Březina <pbrezina@redhat.com>2013-10-29 15:03:02 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-10-29 16:07:04 +0100
commit09a4742bd18181c8838f0d4d84db90f25dbd21fa (patch)
treeb0bea95d534d48d2a85fbcf57c9d29efa0c54ae2 /src/providers
parentd71b1a2c2504ea09bdfa45d2fe30e9ebb425ed84 (diff)
downloadsssd-09a4742bd18181c8838f0d4d84db90f25dbd21fa.tar.gz
sssd-09a4742bd18181c8838f0d4d84db90f25dbd21fa.tar.xz
sssd-09a4742bd18181c8838f0d4d84db90f25dbd21fa.zip
sdap_save_user: try to determine domain by SID
GC contains objects from both parent domain and subdomain. Lets say we have user with UID 5000 that belongs to a subdomain and overlapping search bases dc=ad,dc=pb and dc=sub,dc=ad,dc=pb. Now we call 'getent passwd 5000' and this request goes through data provider, searching in parent domain first. Even though this user does not belong to this domain it is found and stored as ad.pb user. With this patch we look at user's SID and put it into correct domain.
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ldap/sdap_async_users.c54
1 files changed, 32 insertions, 22 deletions
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 2807b0728..9cfe21748 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -139,6 +139,38 @@ int sdap_save_user(TALLOC_CTX *memctx,
goto done;
}
+ /* Always store SID string if available */
+ ret = sdap_attrs_get_sid_str(tmpctx, opts->idmap_ctx, attrs,
+ opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
+ &sid_str);
+ if (ret == EOK) {
+ ret = sysdb_attrs_add_string(user_attrs, SYSDB_SID_STR, sid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Could not add SID string: [%s]\n",
+ strerror(ret)));
+ goto done;
+ }
+ } else if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_ALL, ("objectSID: not available for group [%s].\n",
+ user_name));
+ sid_str = NULL;
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Could not identify objectSID: [%s]\n",
+ strerror(ret)));
+ sid_str = NULL;
+ }
+
+ /* If this object has a SID available, we will determine the correct
+ * domain by its SID. */
+ if (sid_str != NULL) {
+ dom = find_subdomain_by_sid(get_domains_head(dom), sid_str);
+ if (dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("SID %s does not belong to any known "
+ "domain\n", sid_str));
+ return ERR_DOMAIN_NOT_FOUND;
+ }
+ }
+
ret = sdap_get_user_primary_name(memctx, opts, attrs, dom, &user_name);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Failed to get user name\n"));
@@ -192,28 +224,6 @@ int sdap_save_user(TALLOC_CTX *memctx,
if (el->num_values == 0) shell = NULL;
else shell = (const char *)el->values[0].data;
- /* Always store SID string if available */
- ret = sdap_attrs_get_sid_str(tmpctx, opts->idmap_ctx, attrs,
- opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
- &sid_str);
- if (ret == EOK) {
- ret = sysdb_attrs_add_string(user_attrs, SYSDB_SID_STR, sid_str);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("Could not add SID string: [%s]\n",
- strerror(ret)));
- goto done;
- }
- } else if (ret == ENOENT) {
- DEBUG(SSSDBG_TRACE_ALL, ("objectSID: not available for group [%s].\n",
- user_name));
- sid_str = NULL;
- } else {
- DEBUG(SSSDBG_MINOR_FAILURE, ("Could not identify objectSID: [%s]\n",
- strerror(ret)));
- sid_str = NULL;
- }
-
-
use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(opts->idmap_ctx,
dom->name,
sid_str);