summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorPavel Reichl <preichl@redhat.com>2014-06-17 17:16:14 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-07-24 11:35:53 +0200
commite8ec9026659f95d830e34a5c11e4452d871d4b7f (patch)
tree7944892b7929b046e86cd572d89e6bc6c648cf96 /src
parent72a54401eb95050df22baadd8ffa064a6f2392ab (diff)
downloadsssd-e8ec9026659f95d830e34a5c11e4452d871d4b7f.tar.gz
sssd-e8ec9026659f95d830e34a5c11e4452d871d4b7f.tar.xz
sssd-e8ec9026659f95d830e34a5c11e4452d871d4b7f.zip
LDAP: tokengroups do not work with id_provider=ldap
With plain LDAP provider we already have a sdap_handle, so it should be possible that in the case where sdom->pvt == NULL sdap_id_op_connect_send() can be skipped and sdap_get_ad_tokengroups_send() can be already send with the sdap_handle passed to sdap_ad_tokengroups_initgr_mapping_send(). So we should only fail if sdom->pvt == NULL and sh == NULL. if find_subdomain_by_sid() failed we can check if there is only one domain in the domain list (state->domain) and in this case continue with this domain since the LDAP provider does not know about sub-domains and hence can only have one configured domain. Resolves: https://fedorahosted.org/sssd/ticket/2345 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit b12e2500237f33c44807d7e5b377ec06007c7252)
Diffstat (limited to 'src')
-rw-r--r--src/providers/ldap/sdap_async_groups.c5
-rw-r--r--src/providers/ldap/sdap_async_initgroups_ad.c82
-rw-r--r--src/util/domain_info_utils.c14
-rw-r--r--src/util/util.h5
4 files changed, 93 insertions, 13 deletions
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 2f568c472..6f3c8b8eb 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -515,7 +515,8 @@ static int sdap_save_group(TALLOC_CTX *memctx,
/* If this object has a SID available, we will determine the correct
* domain by its SID. */
if (sid_str != NULL) {
- subdomain = find_subdomain_by_sid(get_domains_head(dom), sid_str);
+ subdomain = sss_get_domain_by_sid_ldap_fallback(get_domains_head(dom),
+ sid_str);
if (subdomain) {
dom = subdomain;
} else {
@@ -539,7 +540,7 @@ static int sdap_save_group(TALLOC_CTX *memctx,
goto done;
}
- DEBUG(SSSDBG_TRACE_ALL, "AD group [%s] has type flags %#x.",
+ DEBUG(SSSDBG_TRACE_ALL, "AD group [%s] has type flags %#x.\n",
group_name, ad_group_type);
/* Only security groups from AD are considered for POSIX groups.
* Additionally only global and universal group are taken to account
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 31712be24..7e79cea81 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -608,7 +608,9 @@ static errno_t sdap_ad_resolve_sids_step(struct tevent_req *req)
}
state->index++;
- domain = find_subdomain_by_sid(state->domain, state->current_sid);
+ domain = sss_get_domain_by_sid_ldap_fallback(state->domain,
+ state->current_sid);
+
if (domain == NULL) {
DEBUG(SSSDBG_MINOR_FAILURE, "SID %s does not belong to any known "
"domain\n", state->current_sid);
@@ -693,6 +695,15 @@ struct sdap_ad_tokengroups_initgr_mapping_state {
static void
sdap_ad_tokengroups_initgr_mapping_connect_done(struct tevent_req *subreq);
static void sdap_ad_tokengroups_initgr_mapping_done(struct tevent_req *subreq);
+static errno_t handle_missing_pvt(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ const char *orig_dn,
+ int timeout,
+ const char *username,
+ struct sdap_handle *sh,
+ struct tevent_req *req,
+ tevent_req_fn callback);
static struct tevent_req *
sdap_ad_tokengroups_initgr_mapping_send(TALLOC_CTX *mem_ctx,
@@ -735,11 +746,18 @@ sdap_ad_tokengroups_initgr_mapping_send(TALLOC_CTX *mem_ctx,
sdom = sdap_domain_get(opts, domain);
if (sdom == NULL || sdom->pvt == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "No ID ctx available for [%s].\n",
- domain->name);
- ret = EINVAL;
- goto immediately;
+ ret = handle_missing_pvt(mem_ctx, ev, opts, orig_dn, timeout,
+ state->username, sh, req,
+ sdap_ad_tokengroups_initgr_mapping_done);
+ if (ret == EOK) {
+ return req;
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No ID ctx available for [%s].\n",
+ domain->name);
+ goto immediately;
+ }
}
+
subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
state->op = sdap_id_op_create(state, subdom_id_ctx->ldap_ctx->conn_cache);
if (!state->op) {
@@ -874,7 +892,7 @@ static void sdap_ad_tokengroups_initgr_mapping_done(struct tevent_req *subreq)
continue;
}
- domain = find_subdomain_by_sid(get_domains_head(state->domain), sid);
+ domain = sss_get_domain_by_sid_ldap_fallback(state->domain, sid);
if (domain == NULL) {
DEBUG(SSSDBG_MINOR_FAILURE, "Domain not found for SID %s\n", sid);
continue;
@@ -1031,10 +1049,16 @@ sdap_ad_tokengroups_initgr_posix_send(TALLOC_CTX *mem_ctx,
sdom = sdap_domain_get(opts, domain);
if (sdom == NULL || sdom->pvt == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "No ID ctx available for [%s].\n",
- domain->name);
- ret = EINVAL;
- goto immediately;
+ ret = handle_missing_pvt(mem_ctx, ev, opts, orig_dn, timeout,
+ state->username, sh, req,
+ sdap_ad_tokengroups_initgr_posix_tg_done);
+ if (ret == EOK) {
+ return req;
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No ID ctx available for [%s].\n",
+ domain->name);
+ goto immediately;
+ }
}
subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
state->op = sdap_id_op_create(state, subdom_id_ctx->ldap_ctx->conn_cache);
@@ -1164,7 +1188,7 @@ sdap_ad_tokengroups_initgr_posix_tg_done(struct tevent_req *subreq)
sid = sids[i];
DEBUG(SSSDBG_TRACE_LIBS, "Processing membership SID [%s]\n", sid);
- domain = find_subdomain_by_sid(get_domains_head(state->domain), sid);
+ domain = sss_get_domain_by_sid_ldap_fallback(state->domain, sid);
if (domain == NULL) {
DEBUG(SSSDBG_MINOR_FAILURE, "Domain not found for SID %s\n", sid);
continue;
@@ -1382,3 +1406,39 @@ errno_t sdap_ad_tokengroups_initgroups_recv(struct tevent_req *req)
return EOK;
}
+
+static errno_t handle_missing_pvt(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ const char *orig_dn,
+ int timeout,
+ const char *username,
+ struct sdap_handle *sh,
+ struct tevent_req *req,
+ tevent_req_fn callback)
+{
+ struct tevent_req *subreq = NULL;
+ errno_t ret;
+
+ if (sh != NULL) {
+ /* plain LDAP provider already has a sdap_handle */
+ subreq = sdap_get_ad_tokengroups_send(mem_ctx, ev, opts, sh, username,
+ orig_dn, timeout);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ tevent_req_error(req, ret);
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, callback, req);
+ ret = EOK;
+ goto done;
+
+ } else {
+ ret = EINVAL;
+ goto done;
+ }
+
+done:
+ return ret;
+}
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 033297a92..ff36d2e17 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -149,6 +149,20 @@ struct sss_domain_info *find_subdomain_by_sid(struct sss_domain_info *domain,
return NULL;
}
+struct sss_domain_info*
+sss_get_domain_by_sid_ldap_fallback(struct sss_domain_info *domain,
+ const char* sid)
+{
+ /* LDAP provider doesn't know about sub-domains and hence can only
+ * have one configured domain
+ */
+ if (strcmp(domain->provider, "ldap") == 0) {
+ return domain;
+ } else {
+ return find_subdomain_by_sid(get_domains_head(domain), sid);
+ }
+}
+
struct sss_domain_info *
find_subdomain_by_object_name(struct sss_domain_info *domain,
const char *object_name)
diff --git a/src/util/util.h b/src/util/util.h
index 35eea1153..df754608e 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -491,6 +491,11 @@ struct sss_domain_info *find_subdomain_by_name(struct sss_domain_info *domain,
bool match_any);
struct sss_domain_info *find_subdomain_by_sid(struct sss_domain_info *domain,
const char *sid);
+
+struct sss_domain_info*
+sss_get_domain_by_sid_ldap_fallback(struct sss_domain_info *domain,
+ const char* sid);
+
struct sss_domain_info *
find_subdomain_by_object_name(struct sss_domain_info *domain,
const char *object_name);