summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/providers/ldap/sdap_async_initgroups.c712
1 files changed, 366 insertions, 346 deletions
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 521f5daf7..6df1dcd73 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -1040,17 +1040,37 @@ static int sdap_initgr_nested_recv(struct tevent_req *req)
}
/* ==Initgr-call-(groups-a-user-is-member-of)-RFC2307-BIS================= */
+struct sdap_initgr_rfc2307bis_state {
+ struct tevent_context *ev;
+ struct sysdb_ctx *sysdb;
+ struct sdap_options *opts;
+ struct sss_domain_info *dom;
+ struct sdap_handle *sh;
+ const char *name;
+
+ struct sdap_op *op;
+
+ hash_table_t *group_hash;
+ size_t num_direct_parents;
+ struct sysdb_attrs **direct_groups;
+};
+
+struct sdap_nested_group {
+ struct sysdb_attrs *group;
+ struct sysdb_attrs **ldap_parents;
+ size_t parents_count;
+};
static void sdap_initgr_rfc2307bis_process(struct tevent_req *subreq);
static void sdap_initgr_rfc2307bis_done(struct tevent_req *subreq);
errno_t save_rfc2307bis_user_memberships(
- struct sdap_initgr_rfc2307_state *state);
+ struct sdap_initgr_rfc2307bis_state *state);
struct tevent_req *rfc2307bis_nested_groups_send(
TALLOC_CTX *mem_ctx, struct tevent_context *ev,
struct sdap_options *opts, struct sysdb_ctx *sysdb,
struct sss_domain_info *dom, struct sdap_handle *sh,
struct sysdb_attrs **groups, size_t num_groups,
- size_t nesting);
+ hash_table_t *group_hash, size_t nesting);
static errno_t rfc2307bis_nested_groups_recv(struct tevent_req *req);
static struct tevent_req *sdap_initgr_rfc2307bis_send(
@@ -1067,12 +1087,12 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
errno_t ret;
struct tevent_req *req;
struct tevent_req *subreq;
- struct sdap_initgr_rfc2307_state *state;
+ struct sdap_initgr_rfc2307bis_state *state;
const char *filter;
const char **attrs;
char *clean_orig_dn;
- req = tevent_req_create(memctx, &state, struct sdap_initgr_rfc2307_state);
+ req = tevent_req_create(memctx, &state, struct sdap_initgr_rfc2307bis_state);
if (!req) return NULL;
state->ev = ev;
@@ -1083,6 +1103,12 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
state->op = NULL;
state->name = name;
+ ret = sss_hash_create(state, 32, &state->group_hash);
+ if (ret != EOK) {
+ talloc_free(req);
+ return NULL;
+ }
+
ret = build_attrs_from_map(state, opts->group_map,
SDAP_OPTS_GROUP, &attrs);
if (ret != EOK) {
@@ -1127,22 +1153,22 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
static void sdap_initgr_rfc2307bis_process(struct tevent_req *subreq)
{
struct tevent_req *req;
- struct sdap_initgr_rfc2307_state *state;
+ struct sdap_initgr_rfc2307bis_state *state;
int ret;
req = tevent_req_callback_data(subreq, struct tevent_req);
- state = tevent_req_data(req, struct sdap_initgr_rfc2307_state);
+ state = tevent_req_data(req, struct sdap_initgr_rfc2307bis_state);
ret = sdap_get_generic_recv(subreq, state,
- &state->ldap_groups_count,
- &state->ldap_groups);
+ &state->num_direct_parents,
+ &state->direct_groups);
talloc_zfree(subreq);
if (ret) {
tevent_req_error(req, ret);
return;
}
- if (state->ldap_groups_count == 0) {
+ if (state->num_direct_parents == 0) {
/* Start a transaction to look up the groups in the sysdb
* and update them with LDAP data
*/
@@ -1157,8 +1183,9 @@ static void sdap_initgr_rfc2307bis_process(struct tevent_req *subreq)
subreq = rfc2307bis_nested_groups_send(state, state->ev, state->opts,
state->sysdb, state->dom,
- state->sh, state->ldap_groups,
- state->ldap_groups_count, 0);
+ state->sh, state->direct_groups,
+ state->num_direct_parents,
+ state->group_hash, 0);
if (!subreq) {
tevent_req_error(req, EIO);
return;
@@ -1166,13 +1193,20 @@ static void sdap_initgr_rfc2307bis_process(struct tevent_req *subreq)
tevent_req_set_callback(subreq, sdap_initgr_rfc2307bis_done, req);
}
+static errno_t
+save_rfc2307bis_groups(struct sdap_initgr_rfc2307bis_state *state);
+static errno_t
+save_rfc2307bis_group_memberships(struct sdap_initgr_rfc2307bis_state *state);
+
static void sdap_initgr_rfc2307bis_done(struct tevent_req *subreq)
{
errno_t ret;
struct tevent_req *req =
tevent_req_callback_data(subreq, struct tevent_req);
- struct sdap_initgr_rfc2307_state *state =
- tevent_req_data(req, struct sdap_initgr_rfc2307_state);
+ struct sdap_initgr_rfc2307bis_state *state =
+ tevent_req_data(req, struct sdap_initgr_rfc2307bis_state);
+ bool in_transaction = false;
+ errno_t tret;
ret = rfc2307bis_nested_groups_recv(subreq);
talloc_zfree(subreq);
@@ -1181,13 +1215,52 @@ static void sdap_initgr_rfc2307bis_done(struct tevent_req *subreq)
return;
}
+ ret = sysdb_transaction_start(state->sysdb);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to start transaction\n"));
+ goto fail;
+ }
+ in_transaction = true;
+
+ /* save the groups if they are not cached */
+ ret = save_rfc2307bis_groups(state);
+ if (ret != EOK) {
+ DEBUG(3, ("Could not save groups memberships [%d]", ret));
+ goto fail;
+ }
+
+ /* save the group membership */
+ ret = save_rfc2307bis_group_memberships(state);
+ if (ret != EOK) {
+ DEBUG(3, ("Could not save group memberships [%d]", ret));
+ goto fail;
+ }
+
/* save the user memberships */
ret = save_rfc2307bis_user_memberships(state);
if (ret != EOK) {
- tevent_req_error(req, ret);
- } else {
- tevent_req_done(req);
+ DEBUG(3, ("Could not save user memberships [%d]", ret));
+ goto fail;
}
+
+ ret = sysdb_transaction_commit(state->sysdb);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to commit transaction\n"));
+ goto fail;
+ }
+ in_transaction = false;
+
+ tevent_req_done(req);
+ return;
+
+fail:
+ if (in_transaction) {
+ tret = sysdb_transaction_cancel(state->sysdb);
+ if (tret != EOK) {
+ DEBUG(1, ("Failed to cancel transaction\n"));
+ }
+ }
+ tevent_req_error(req, ret);
return;
}
@@ -1197,109 +1270,228 @@ static int sdap_initgr_rfc2307bis_recv(struct tevent_req *req)
return EOK;
}
-errno_t save_rfc2307bis_user_memberships(
- struct sdap_initgr_rfc2307_state *state)
+struct rfc2307bis_group_memberships_state {
+ struct sysdb_ctx *sysdb;
+ struct sdap_options *opts;
+ struct sss_domain_info *dom;
+
+ hash_table_t *group_hash;
+
+ struct membership_diff *memberships;
+
+ int ret;
+};
+
+static errno_t
+save_rfc2307bis_groups(struct sdap_initgr_rfc2307bis_state *state)
{
- errno_t ret, tret;
- char *member_dn;
- char *sanitized_dn;
- char *filter;
- const char **attrs;
- size_t reply_count, i;
- struct ldb_message **replies;
- char **ldap_grouplist;
- char **sysdb_grouplist;
- char **add_groups;
- char **del_groups;
- const char *tmp_str;
- bool in_transaction = false;
+ struct sysdb_attrs **groups = NULL;
+ unsigned long count;
+ hash_value_t *values;
+ int hret, i;
+ errno_t ret;
+ TALLOC_CTX *tmp_ctx;
+ struct sdap_nested_group *gr;
- TALLOC_CTX *tmp_ctx = talloc_new(NULL);
- if(!tmp_ctx) {
- return ENOMEM;
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ hret = hash_values(state->group_hash, &count, &values);
+ if (hret != HASH_SUCCESS) {
+ ret = EIO;
+ goto done;
}
- DEBUG(7, ("Save parent groups to sysdb\n"));
- ret = sysdb_transaction_start(state->sysdb);
+ groups = talloc_array(tmp_ctx, struct sysdb_attrs *, count);
+ if (!groups) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < count; i++) {
+ gr = talloc_get_type(values[i].ptr,
+ struct sdap_nested_group);
+ groups[i] = gr->group;
+ }
+ talloc_zfree(values);
+
+ ret = sdap_nested_groups_store(state->sysdb, state->dom, state->opts,
+ groups, count);
if (ret != EOK) {
- goto error;
+ DEBUG(3, ("Could not save groups [%d]: %s\n",
+ ret, strerror(ret)));
+ goto done;
}
- in_transaction = true;
- /* Save this user and their memberships */
- attrs = talloc_array(tmp_ctx, const char *, 2);
- if (!attrs) {
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static bool rfc2307bis_group_memberships_build(hash_entry_t *item, void *user_data);
+
+static errno_t
+save_rfc2307bis_group_memberships(struct sdap_initgr_rfc2307bis_state *state)
+{
+ errno_t ret, tret;
+ int hret;
+ TALLOC_CTX *tmp_ctx;
+ struct rfc2307bis_group_memberships_state *membership_state;
+ struct membership_diff *iter;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ membership_state = talloc_zero(tmp_ctx,
+ struct rfc2307bis_group_memberships_state);
+ if (!membership_state) {
ret = ENOMEM;
- goto error;
+ goto done;
}
- attrs[0] = SYSDB_NAME;
- attrs[1] = NULL;
+ membership_state->sysdb = state->sysdb;
+ membership_state->dom = state->dom;
+ membership_state->opts = state->opts;
+ membership_state->group_hash = state->group_hash;
- member_dn = sysdb_user_strdn(tmp_ctx, state->dom->name, state->name);
- if (!member_dn) {
- ret = ENOMEM;
- goto error;
+ hret = hash_iterate(state->group_hash,
+ rfc2307bis_group_memberships_build,
+ membership_state);
+ if (hret != HASH_SUCCESS) {
+ ret = membership_state->ret;
+ goto done;
}
- ret = sss_filter_sanitize(tmp_ctx, member_dn, &sanitized_dn);
+
+ ret = sysdb_transaction_start(state->sysdb);
if (ret != EOK) {
- goto error;
+ DEBUG(1, ("Failed to start transaction\n"));
+ goto done;
}
- talloc_free(member_dn);
- filter = talloc_asprintf(tmp_ctx, "(member=%s)", sanitized_dn);
- if (!filter) {
+ DLIST_FOR_EACH(iter, membership_state->memberships) {
+ ret = sysdb_update_members(state->sysdb, iter->name,
+ SYSDB_MEMBER_GROUP,
+ (const char *const *) iter->add,
+ (const char *const *) iter->del);
+ if (ret != EOK) {
+ tret = sysdb_transaction_cancel(state->sysdb);
+ if (tret != EOK) {
+ DEBUG(1, ("Failed to cancel transaction\n"));
+ }
+ goto done;
+ }
+ }
+
+ ret = sysdb_transaction_commit(state->sysdb);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to commit transaction\n"));
+ goto done;
+ }
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static bool
+rfc2307bis_group_memberships_build(hash_entry_t *item, void *user_data)
+{
+ struct rfc2307bis_group_memberships_state *mstate = talloc_get_type(
+ user_data, struct rfc2307bis_group_memberships_state);
+ struct sdap_nested_group *group;
+ char *group_name;
+ TALLOC_CTX *tmp_ctx;
+ errno_t ret;
+ char **sysdb_parents_names_list;
+ char **ldap_parents_names_list = NULL;
+
+ struct membership_diff *mdiff;
+
+ group_name = (char *) item->key.str;
+ group = (struct sdap_nested_group *) item->value.ptr;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
ret = ENOMEM;
- goto error;
+ goto done;
}
- talloc_free(sanitized_dn);
- ret = sysdb_search_groups(tmp_ctx, state->sysdb, filter, attrs,
- &reply_count, &replies);
- if (ret != EOK && ret != ENOENT) {
- goto error;
- } if (ret == ENOENT) {
- reply_count = 0;
+ ret = sysdb_get_direct_parents(tmp_ctx, mstate->sysdb, mstate->dom,
+ SYSDB_MEMBER_GROUP,
+ group_name, &sysdb_parents_names_list);
+ if (ret) {
+ DEBUG(1, ("Could not get direct sysdb parents for %s: %d [%s]\n",
+ group_name, ret, strerror(ret)));
+ goto done;
}
- if (reply_count == 0) {
- DEBUG(6, ("User [%s] is not a direct member of any groups\n",
- state->name));
- sysdb_grouplist = NULL;
- } else {
- sysdb_grouplist = talloc_array(tmp_ctx, char *, reply_count+1);
- if (!sysdb_grouplist) {
- ret = ENOMEM;
- goto error;
+ if (group->parents_count > 0) {
+ ret = sysdb_attrs_primary_name_list(mstate->sysdb, tmp_ctx,
+ group->ldap_parents, group->parents_count,
+ mstate->opts->group_map[SDAP_AT_GROUP_NAME].name,
+ &ldap_parents_names_list);
+ if (ret != EOK) {
+ goto done;
}
+ }
- for (i = 0; i < reply_count; i++) {
- tmp_str = ldb_msg_find_attr_as_string(replies[i],
- SYSDB_NAME,
- NULL);
- if (!tmp_str) {
- /* This should never happen, but if it
- * does, just skip it.
- */
- continue;
- }
+ ret = build_membership_diff(tmp_ctx, group_name, ldap_parents_names_list,
+ sysdb_parents_names_list, &mdiff);
+ if (ret != EOK) {
+ DEBUG(3, ("Could not build membership diff for %s [%d]: %s\n",
+ group_name, ret, strerror(ret)));
+ goto done;
+ }
- sysdb_grouplist[i] = talloc_strdup(sysdb_grouplist, tmp_str);
- if (!sysdb_grouplist[i]) {
- ret = ENOMEM;
- goto error;
- }
- }
- sysdb_grouplist[i] = NULL;
+ talloc_steal(mstate, mdiff);
+ DLIST_ADD(mstate->memberships, mdiff);
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ mstate->ret = ret;
+ return ret == EOK ? true : false;
+}
+
+errno_t save_rfc2307bis_user_memberships(
+ struct sdap_initgr_rfc2307bis_state *state)
+{
+ errno_t ret, tret;
+ char **ldap_grouplist;
+ char **sysdb_parent_name_list;
+ char **add_groups;
+ char **del_groups;
+ bool in_transaction = false;
+
+ TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+ if(!tmp_ctx) {
+ return ENOMEM;
}
- if (state->ldap_groups_count == 0) {
+ DEBUG(7, ("Save parent groups to sysdb\n"));
+ ret = sysdb_transaction_start(state->sysdb);
+ if (ret != EOK) {
+ goto error;
+ }
+ in_transaction = true;
+
+ ret = sysdb_get_direct_parents(tmp_ctx, state->sysdb, state->dom,
+ SYSDB_MEMBER_USER,
+ state->name, &sysdb_parent_name_list);
+ if (ret) {
+ DEBUG(1, ("Could not get direct sysdb parents for %s: %d [%s]\n",
+ state->name, ret, strerror(ret)));
+ goto error;
+ }
+
+ if (state->num_direct_parents == 0) {
ldap_grouplist = NULL;
}
else {
ret = sysdb_attrs_primary_name_list(
state->sysdb, tmp_ctx,
- state->ldap_groups, state->ldap_groups_count,
+ state->direct_groups, state->num_direct_parents,
state->opts->group_map[SDAP_AT_GROUP_NAME].name,
&ldap_grouplist);
if (ret != EOK) {
@@ -1312,7 +1504,7 @@ errno_t save_rfc2307bis_user_memberships(
* groups in the sysdb only must be removed.
*/
ret = diff_string_lists(tmp_ctx,
- ldap_grouplist, sysdb_grouplist,
+ ldap_grouplist, sysdb_parent_name_list,
&add_groups, &del_groups, NULL);
if (ret != EOK) {
goto error;
@@ -1356,8 +1548,11 @@ struct sdap_rfc2307bis_nested_ctx {
size_t nesting_level;
size_t group_iter;
- struct sysdb_attrs **ldap_groups;
- size_t ldap_groups_count;
+ struct sysdb_attrs **ldap_parents;
+ size_t parents_count;
+
+ hash_table_t *group_hash;
+ const char *primary_name;
struct sysdb_handle *handle;
};
@@ -1368,7 +1563,7 @@ struct tevent_req *rfc2307bis_nested_groups_send(
struct sdap_options *opts, struct sysdb_ctx *sysdb,
struct sss_domain_info *dom, struct sdap_handle *sh,
struct sysdb_attrs **groups, size_t num_groups,
- size_t nesting)
+ hash_table_t *group_hash, size_t nesting)
{
errno_t ret;
struct tevent_req *req;
@@ -1395,29 +1590,33 @@ struct tevent_req *rfc2307bis_nested_groups_send(
state->num_groups = num_groups;
state->group_iter = 0;
state->nesting_level = nesting;
+ state->group_hash = group_hash;
ret = rfc2307bis_nested_groups_step(req);
- if (ret != EOK) {
+ if (ret == EOK) {
+ /* All parent groups were already processed */
+ tevent_req_done(req);
+ tevent_req_post(req, ev);
+ } else if (ret != EAGAIN) {
tevent_req_error(req, ret);
tevent_req_post(req, ev);
}
+
+ /* EAGAIN means a lookup is in progress */
return req;
}
static void rfc2307bis_nested_groups_process(struct tevent_req *subreq);
static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req)
{
- errno_t ret, tret;
+ errno_t ret;
struct tevent_req *subreq;
- const char *name;
- struct sysdb_attrs **grouplist;
- char **groupnamelist;
- bool in_transaction = false;
TALLOC_CTX *tmp_ctx = NULL;
char *filter;
const char *orig_dn;
const char **attrs;
char *clean_orig_dn;
+ hash_key_t key;
struct sdap_rfc2307bis_nested_ctx *state =
tevent_req_data(req, struct sdap_rfc2307bis_nested_ctx);
@@ -1431,55 +1630,24 @@ static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req)
state->sysdb,
state->groups[state->group_iter],
state->opts->group_map[SDAP_AT_GROUP_NAME].name,
- &name);
+ &state->primary_name);
if (ret != EOK) {
goto error;
}
- DEBUG(6, ("Processing group [%s]\n", name));
-
- ret = sysdb_transaction_start(state->sysdb);
- if (ret != EOK) {
- goto error;
- }
- in_transaction = true;
-
- /* First, save the group we're processing to the sysdb
- * sdap_add_incomplete_groups_send will add them if needed
- */
-
- /* sdap_add_incomplete_groups_send expects a list of groups */
- grouplist = talloc_array(tmp_ctx, struct sysdb_attrs *, 1);
- if (!grouplist) {
- ret = ENOMEM;
- goto error;
- }
- grouplist[0] = state->groups[state->group_iter];
-
- groupnamelist = talloc_array(tmp_ctx, char *, 2);
- if (!groupnamelist) {
+ key.type = HASH_KEY_STRING;
+ key.str = talloc_strdup(state, state->primary_name);
+ if (!key.str) {
ret = ENOMEM;
goto error;
}
- groupnamelist[0] = talloc_strdup(groupnamelist, name);
- if (!groupnamelist[0]) {
- ret = ENOMEM;
- goto error;
- }
- groupnamelist[1] = NULL;
- DEBUG(6, ("Saving incomplete group [%s] to the sysdb\n",
- groupnamelist[0]));
- ret = sdap_add_incomplete_groups(state->sysdb, state->opts,
- state->dom, groupnamelist,
- grouplist, 1);
- if (ret != EOK) {
- goto error;
- }
+ DEBUG(6, ("Processing group [%s]\n", state->primary_name));
- ret = sysdb_transaction_commit(state->sysdb);
- if (ret != EOK) {
- goto error;
+ if (hash_has_key(state->group_hash, &key)) {
+ talloc_free(key.str);
+ talloc_free(tmp_ctx);
+ return EOK;
}
/* Get any parent groups for this group */
@@ -1496,7 +1664,7 @@ static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req)
goto error;
}
- ret = sss_filter_sanitize(state, orig_dn, &clean_orig_dn);
+ ret = sss_filter_sanitize(tmp_ctx, orig_dn, &clean_orig_dn);
if (ret != EOK) {
goto error;
}
@@ -1532,22 +1700,13 @@ static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req)
rfc2307bis_nested_groups_process,
req);
- return EOK;
+ return EAGAIN;
error:
- if (in_transaction) {
- tret = sysdb_transaction_cancel(state->sysdb);
- if (tret != EOK) {
- DEBUG(1, ("Failed to cancel transaction\n"));
- }
- }
-
talloc_free(tmp_ctx);
return ret;
}
-static errno_t rfc2307bis_nested_groups_update_sysdb(
- struct sdap_rfc2307bis_nested_ctx *state);
static void rfc2307bis_nested_groups_done(struct tevent_req *subreq);
static void rfc2307bis_nested_groups_process(struct tevent_req *subreq)
{
@@ -1556,35 +1715,63 @@ static void rfc2307bis_nested_groups_process(struct tevent_req *subreq)
tevent_req_callback_data(subreq, struct tevent_req);
struct sdap_rfc2307bis_nested_ctx *state =
tevent_req_data(req, struct sdap_rfc2307bis_nested_ctx);
+ struct sdap_nested_group *ngr;
+ hash_value_t value;
+ hash_key_t key;
+ int hret;
ret = sdap_get_generic_recv(subreq, state,
- &state->ldap_groups_count,
- &state->ldap_groups);
+ &state->parents_count,
+ &state->ldap_parents);
talloc_zfree(subreq);
if (ret) {
tevent_req_error(req, ret);
return;
}
- if (state->ldap_groups_count == 0) {
- /* No parent groups for this group in LDAP
- * We need to ensure that there are no groups
- * in the sysdb either.
- */
+ ngr = talloc_zero(state->group_hash, struct sdap_nested_group);
+ if (!ngr) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
- ret = rfc2307bis_nested_groups_update_sysdb(state);
- if (ret != EOK) {
- tevent_req_error(req, ret);
- return;
- }
+ ngr->group = talloc_steal(ngr, state->groups[state->group_iter]);
+ ngr->ldap_parents = talloc_steal(ngr, state->ldap_parents);
+ ngr->parents_count = state->parents_count;
+
+ key.type = HASH_KEY_STRING;
+ key.str = talloc_strdup(state, state->primary_name);
+ if (!key.str) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ value.type = HASH_VALUE_PTR;
+ value.ptr = ngr;
+
+ hret = hash_enter(state->group_hash, &key, &value);
+ if (hret != HASH_SUCCESS) {
+ talloc_free(key.str);
+ tevent_req_error(req, EIO);
+ return;
+ }
+ talloc_free(key.str);
+ if (state->parents_count == 0) {
+ /* No parent groups for this group in LDAP
+ * Move on to the next group
+ */
state->group_iter++;
if (state->group_iter < state->num_groups) {
- ret = rfc2307bis_nested_groups_step(req);
- if (ret != EOK) {
- tevent_req_error(req, ret);
- return;
- }
+ do {
+ ret = rfc2307bis_nested_groups_step(req);
+ if (ret != EOK && ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ } while (ret == EOK);
+ /* EOK means this group has already been processed
+ * in another level */
} else {
tevent_req_done(req);
}
@@ -1595,8 +1782,9 @@ static void rfc2307bis_nested_groups_process(struct tevent_req *subreq)
subreq = rfc2307bis_nested_groups_send(
state, state->ev, state->opts, state->sysdb,
state->dom, state->sh,
- state->ldap_groups,
- state->ldap_groups_count,
+ state->ldap_parents,
+ state->parents_count,
+ state->group_hash,
state->nesting_level+1);
if (!subreq) {
tevent_req_error(req, EIO);
@@ -1628,190 +1816,22 @@ static void rfc2307bis_nested_groups_done(struct tevent_req *subreq)
return;
}
- /* All of the parent groups have been added
- * Now add the memberships
- */
-
- ret = rfc2307bis_nested_groups_update_sysdb(state);
- if (ret != EOK) {
- tevent_req_error(req, ret);
- return;
- }
-
state->group_iter++;
if (state->group_iter < state->num_groups) {
- ret = rfc2307bis_nested_groups_step(req);
- if (ret != EOK) {
- tevent_req_error(req, ret);
- }
+ do {
+ ret = rfc2307bis_nested_groups_step(req);
+ if (ret != EOK && ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ } while (ret == EOK);
+ /* EOK means this group has already been processed
+ * in another level */
} else {
tevent_req_done(req);
}
}
-static errno_t rfc2307bis_nested_groups_update_sysdb(
- struct sdap_rfc2307bis_nested_ctx *state)
-{
- errno_t ret, tret;
- const char *name;
- bool in_transaction = false;
- char *member_dn;
- char *sanitized_dn;
- char *filter;
- const char **attrs;
- size_t reply_count, i;
- struct ldb_message **replies;
- char **sysdb_grouplist;
- char **ldap_grouplist;
- char **add_groups;
- char **del_groups;
- const char *tmp_str;
-
- TALLOC_CTX *tmp_ctx = talloc_new(state);
- if (!tmp_ctx) {
- return ENOMEM;
- }
-
- /* Start a transaction to look up the groups in the sysdb
- * and update them with LDAP data
- */
- ret = sysdb_transaction_start(state->sysdb);
- if (ret != EOK) {
- goto error;
- }
- in_transaction = true;
-
- ret = sysdb_attrs_primary_name(
- state->sysdb,
- state->groups[state->group_iter],
- state->opts->group_map[SDAP_AT_GROUP_NAME].name,
- &name);
- if (ret != EOK) {
- goto error;
- }
-
- DEBUG(6, ("Processing group [%s]\n", name));
-
- attrs = talloc_array(tmp_ctx, const char *, 2);
- if (!attrs) {
- ret = ENOMEM;
- goto error;
- }
- attrs[0] = SYSDB_NAME;
- attrs[1] = NULL;
-
- member_dn = sysdb_group_strdn(tmp_ctx, state->dom->name, name);
- if (!member_dn) {
- ret = ENOMEM;
- goto error;
- }
-
- ret = sss_filter_sanitize(tmp_ctx, member_dn, &sanitized_dn);
- if (ret != EOK) {
- goto error;
- }
- talloc_free(member_dn);
-
- filter = talloc_asprintf(tmp_ctx, "(member=%s)", sanitized_dn);
- if (!filter) {
- ret = ENOMEM;
- goto error;
- }
- talloc_free(sanitized_dn);
-
- ret = sysdb_search_groups(tmp_ctx, state->sysdb, filter, attrs,
- &reply_count, &replies);
- if (ret != EOK && ret != ENOENT) {
- goto error;
- } else if (ret == ENOENT) {
- reply_count = 0;
- }
-
- if (reply_count == 0) {
- DEBUG(6, ("Group [%s] is not a direct member of any groups\n", name));
- sysdb_grouplist = NULL;
- } else {
- sysdb_grouplist = talloc_array(tmp_ctx, char *, reply_count+1);
- if (!sysdb_grouplist) {
- ret = ENOMEM;
- goto error;
- }
-
- for (i = 0; i < reply_count; i++) {
- tmp_str = ldb_msg_find_attr_as_string(replies[i],
- SYSDB_NAME,
- NULL);
- if (!tmp_str) {
- /* This should never happen, but if it
- * does, just skip it.
- */
- continue;
- }
-
- sysdb_grouplist[i] = talloc_strdup(sysdb_grouplist, tmp_str);
- if (!sysdb_grouplist[i]) {
- ret = ENOMEM;
- goto error;
- }
- }
- sysdb_grouplist[i] = NULL;
- }
-
- if (state->ldap_groups_count == 0) {
- ldap_grouplist = NULL;
- }
- else {
- ret = sysdb_attrs_primary_name_list(
- state->sysdb, tmp_ctx,
- state->ldap_groups, state->ldap_groups_count,
- state->opts->group_map[SDAP_AT_GROUP_NAME].name,
- &ldap_grouplist);
- if (ret != EOK) {
- goto error;
- }
- }
-
- /* Find the differences between the sysdb and ldap lists
- * Groups in ldap only must be added to the sysdb;
- * groups in the sysdb only must be removed.
- */
- ret = diff_string_lists(state,
- ldap_grouplist, sysdb_grouplist,
- &add_groups, &del_groups, NULL);
- if (ret != EOK) {
- goto error;
- }
- talloc_free(ldap_grouplist);
- talloc_free(sysdb_grouplist);
-
- DEBUG(8, ("Updating memberships for %s\n", name));
- ret = sysdb_update_members(state->sysdb, name, SYSDB_MEMBER_GROUP,
- (const char *const *)add_groups,
- (const char *const *)del_groups);
- if (ret != EOK) {
- goto error;
- }
-
- ret = sysdb_transaction_commit(state->sysdb);
- if (ret != EOK) {
- goto error;
- }
- in_transaction = false;
-
- ret = EOK;
-
-error:
- if (in_transaction) {
- tret = sysdb_transaction_cancel(state->sysdb);
- if (tret != EOK) {
- DEBUG(1, ("Failed to cancel transaction\n"));
- }
- }
- talloc_free(tmp_ctx);
- return ret;
-}
-
-
/* ==Initgr-call-(groups-a-user-is-member-of)============================= */
struct sdap_get_initgr_state {