authorSumit Bose <sbose@redhat.com>2013-10-09 15:31:33 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-10-17 13:49:49 +0200
commit348faaa11b8301e53fb946397e376ca2562af022 (patch)
treed129300c1135ae41692968a48e87f7f0d45e11b5 /src
parentce8fb3255794ea046635f3527cd58fc47ab7218b (diff)
sdap_idmap: properly handle ranges for external mappings
Currently we rely on the fact that external ID mapping is used as the default fallback in case of an error, and do not properly add subdomains with external ID mapping to the idmap library. If debugging is enabled, this leads to irritating debug messages for every user or group lookup. With this patch these subdomains are added to the idmap library. Fixes https://fedorahosted.org/sssd/ticket/2105
Diffstat (limited to 'src')
-rw-r--r--src/providers/ldap/sdap_idmap.c68
1 files changed, 44 insertions, 24 deletions
diff --git a/src/providers/ldap/sdap_idmap.c b/src/providers/ldap/sdap_idmap.c
index 18e1986ed..af69ee12c 100644
--- a/src/providers/ldap/sdap_idmap.c
+++ b/src/providers/ldap/sdap_idmap.c
@@ -329,6 +329,7 @@ sdap_idmap_add_domain(struct sdap_idmap_ctx *idmap_ctx,
struct sss_idmap_range range;
enum idmap_error_code err;
id_t idmap_upper;
+ bool external_mapping = true;
ret = sss_idmap_ctx_get_upper(idmap_ctx->map, &idmap_upper);
if (ret != IDMAP_SUCCESS) {
@@ -338,28 +339,39 @@ sdap_idmap_add_domain(struct sdap_idmap_ctx *idmap_ctx,
goto done;
}
- ret = sss_idmap_calculate_range(idmap_ctx->map, dom_sid, &slice, &range);
- if (ret != IDMAP_SUCCESS) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("Failed to calculate range for domain [%s]: [%d]\n", dom_name,
- ret));
- ret = EIO;
- goto done;
- }
- DEBUG(SSSDBG_TRACE_LIBS,
- ("Adding domain [%s] as slice [%"SPRIid"]\n", dom_sid, slice));
-
- if (range.max > idmap_upper) {
- /* This should never happen */
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("BUG: Range maximum exceeds the global maximum: "
- "%d > %"SPRIid"\n", range.max, idmap_upper));
- ret = EINVAL;
- goto done;
+ if (dp_opt_get_bool(idmap_ctx->id_ctx->opts->basic, SDAP_ID_MAPPING)) {
+ external_mapping = false;
+ ret = sss_idmap_calculate_range(idmap_ctx->map, dom_sid, &slice, &range);
+ if (ret != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Failed to calculate range for domain [%s]: [%d]\n", dom_name,
+ ret));
+ ret = EIO;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_LIBS,
+ ("Adding domain [%s] as slice [%"SPRIid"]\n", dom_sid, slice));
+
+ if (range.max > idmap_upper) {
+ /* This should never happen */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("BUG: Range maximum exceeds the global maximum: "
+ "%u > %"SPRIid"\n", range.max, idmap_upper));
+ ret = EINVAL;
+ goto done;
+ }
+ } else {
+ ret = sdap_idmap_get_configured_external_range(idmap_ctx, &range);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ ("sdap_idmap_get_configured_external_range failed.\n"));
+ return ret;
+ }
}
/* Add this domain to the map */
- err = sss_idmap_add_domain(idmap_ctx->map, dom_name, dom_sid, &range);
+ err = sss_idmap_add_domain_ex(idmap_ctx->map, dom_name, dom_sid, &range,
+ NULL, 0, external_mapping);
if (err != IDMAP_SUCCESS) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Could not add domain [%s] to the map: [%d]\n",
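Review bot: The new `else` branch leaves the function with `return ret;` while every other error path in this hunk uses `goto done;`. That is harmless only as long as `done:` does nothing but return, so I would write `goto done;` there to keep a single exit. The failure message in that branch also drops the domain name and error code that the neighbouring messages print, which makes a misconfigured external range hard to trace in the logs. Something like `("sdap_idmap_get_configured_external_range failed for domain [%s]: [%d]\n", dom_name, ret)` would match them, and the same applies to the `sysdb_idmap_store_mapping failed.` message in the last hunk. The body of sdap_idmap_add_domain starts and ends outside this hunk.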
@@ -368,11 +380,19 @@ sdap_idmap_add_domain(struct sdap_idmap_ctx *idmap_ctx,
goto done;
}
- /* Add this domain to the SYSDB cache so it will survive reboot */
- ret = sysdb_idmap_store_mapping(idmap_ctx->id_ctx->be->domain->sysdb,
- idmap_ctx->id_ctx->be->domain,
- dom_name, dom_sid,
- slice);
+ /* If algorithmic mapping is used add this domain to the SYSDB cache so it
+ * will survive reboot */
+ if (!external_mapping) {
+ ret = sysdb_idmap_store_mapping(idmap_ctx->id_ctx->be->domain->sysdb,
+ idmap_ctx->id_ctx->be->domain,
+ dom_name, dom_sid,
+ slice);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sysdb_idmap_store_mapping failed.\n"));
+ goto done;
+ }
+ }
+
done:
return ret;
}
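Review bot: When `sysdb_idmap_store_mapping` fails in the new `if (!external_mapping)` block, the domain has already been registered in `idmap_ctx->map` by `sss_idmap_add_domain_ex`. The caller therefore gets an error while the in-memory map keeps the entry and the SYSDB cache does not. Whether callers treat that error as fatal is not visible from here, so I would at least document it above the block, e.g. `/* NOTE: on failure the domain stays in the in-memory map but is not persisted */`. The added `goto done;` sits directly before the `done:` label, so the branch only contributes the log message.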