Diffstat (limited to 'src/providers/ipa/ipa_idmap.c')
-rw-r--r-- | src/providers/ipa/ipa_idmap.c | 246 |
1 files changed, 99 insertions, 147 deletions
diff --git a/src/providers/ipa/ipa_idmap.c b/src/providers/ipa/ipa_idmap.c
index eaca0ed3c..a65086af4 100644
--- a/src/providers/ipa/ipa_idmap.c
+++ b/src/providers/ipa/ipa_idmap.c
@@ -156,9 +156,68 @@ done: return ret; } -errno_t ipa_idmap_find_new_domain(struct sdap_idmap_ctx *idmap_ctx, - const char *dom_name, - const char *dom_sid_str) +errno_t get_idmap_data_from_range(struct range_info *r, char *domain_name, + char **_name, char **_sid, uint32_t *_rid, + struct sss_idmap_range *_range, + bool *_external_mapping) +{ + if (r->range_type == NULL) { + /* Older IPA servers might not have the range_type attribute, but + * only support local ranges and trusts with algorithmic mapping. */ + + if (r->trusted_dom_sid == NULL && r->secondary_base_rid != 0) { + /* local IPA domain */ + *_rid = 0; + *_external_mapping = true; + *_name = domain_name; + *_sid = NULL; + } else if (r->trusted_dom_sid != NULL + && r->secondary_base_rid == 0) { + /* trusted domain */ + *_rid = r->base_rid; + *_external_mapping = false; + *_name = r->trusted_dom_sid; + *_sid = r->trusted_dom_sid; + } else { + DEBUG(SSSDBG_MINOR_FAILURE, ("Cannot determine range type, " \ + "for id range [%s].\n", + r->name)); + return EINVAL; + } + } else { + if (strcmp(r->range_type, IPA_RANGE_LOCAL) == 0) { + *_rid = 0; + *_external_mapping = true; + *_name = domain_name; + *_sid = NULL; + } else if (strcmp(r->range_type, IPA_RANGE_AD_TRUST_POSIX) == 0) { + *_rid = 0; + *_external_mapping = true; + *_name = r->trusted_dom_sid; + *_sid = r->trusted_dom_sid; + } else if (strcmp(r->range_type, IPA_RANGE_AD_TRUST) == 0) { + *_rid = r->base_rid; + *_external_mapping = false; + *_name = r->trusted_dom_sid; + *_sid = r->trusted_dom_sid; + } else { + DEBUG(SSSDBG_MINOR_FAILURE, ("Range type [%s] of id range " \ + "[%s] not supported.\n", \ + r->range_type, r->name)); + return EINVAL; + } + } + + _range->min = r->base_id; + _range->max = r->base_id + r->id_range_size -1; + + return EOK; +} + +errno_t ipa_idmap_get_ranges_from_sysdb(struct sdap_idmap_ctx *idmap_ctx, + const char *dom_name, + const char *dom_sid_str, + bool allow_collisions) { int ret; size_t range_count; 
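Review bot: In the branches where `range_type` is set (IPA_RANGE_AD_TRUST_POSIX and IPA_RANGE_AD_TRUST), `r->trusted_dom_sid` is stored into `*_name` and `*_sid` without being checked, so a range record that carries a range_type but no SID makes get_idmap_data_from_range return EOK with a NULL name that the caller then passes to sss_idmap_add_domain_ex. Since this helper now reports errors instead of `continue`-ing, it is the natural place to reject such a record, e.g. `if (r->trusted_dom_sid == NULL) { DEBUG(SSSDBG_MINOR_FAILURE, ("Missing trusted domain SID for id range [%s].\n", r->name)); return EINVAL; }` ahead of the assignments in both trust branches. The bounds computation `_range->max = r->base_id + r->id_range_size -1;` also trusts the server-provided size: with `id_range_size == 0` it yields a max below min, and a large base plus size can wrap if the fields are 32-bit (their types are not visible here), so a guard such as `if (r->id_range_size == 0 || r->base_id > UINT32_MAX - r->id_range_size) return EINVAL;` would keep malformed ranges out of the map. The new function has no header comment; one describing the outputs (name/sid, rid, range, external_mapping), the EINVAL cases, and that `*_name`/`*_sid` alias `domain_name` or the range record rather than being copies would help callers reason about lifetime.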
@@ -166,7 +225,6 @@ errno_t ipa_idmap_find_new_domain(struct sdap_idmap_ctx *idmap_ctx, TALLOC_CTX *tmp_ctx; size_t c; enum idmap_error_code err; - struct range_info *r; struct sss_idmap_range range; uint32_t rid; bool external_mapping; 
@@ -187,72 +245,37 @@ errno_t ipa_idmap_find_new_domain(struct sdap_idmap_ctx *idmap_ctx, } for (c = 0; c < range_count; c++) { - r = range_list[c]; - - if (r->range_type == NULL) { - /* Older IPA servers might not have the range_type attribute, but - * only support local ranges and trusts with algorithmic mapping. */ - - if (r->trusted_dom_sid == NULL && r->secondary_base_rid != 0) { - /* local IPA domain */ - rid = 0; - external_mapping = true; - name = idmap_ctx->id_ctx->be->domain->name; - sid = NULL; - } else if (r->trusted_dom_sid != NULL - && r->secondary_base_rid == 0) { - /* trusted domain */ - rid = r->base_rid; - external_mapping = false; - name = r->trusted_dom_sid; - sid = r->trusted_dom_sid; - } else { - DEBUG(SSSDBG_MINOR_FAILURE, ("Cannot determine range type, " \ - "skipping id ange [%s].\n", - r->name)); - continue; - } - } else { - if (strcmp(r->range_type, IPA_RANGE_LOCAL) == 0) { - rid = 0; - external_mapping = true; - name = idmap_ctx->id_ctx->be->domain->name; - sid = NULL; - } else if (strcmp(r->range_type, IPA_RANGE_AD_TRUST_POSIX) == 0) { - rid = 0; - external_mapping = true; - name = r->trusted_dom_sid; - sid = r->trusted_dom_sid; - } else if (strcmp(r->range_type, IPA_RANGE_AD_TRUST) == 0) { - rid = r->base_rid; - external_mapping = false; - name = r->trusted_dom_sid; - sid = r->trusted_dom_sid; - } else { - DEBUG(SSSDBG_MINOR_FAILURE, ("Range type [%s] not supported, " \ - "skipping id range [%s].\n", - r->range_type, r->name)); - continue; - } + ret = get_idmap_data_from_range(range_list[c], + idmap_ctx->id_ctx->be->domain->name, + &name, &sid, &rid, &range, + &external_mapping); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("get_idmap_data_from_range failed for " \ + "id range [%s], skipping.\n", + range_list[c]->name)); + continue; } - range.min = r->base_id; - range.max = r->base_id + r->id_range_size -1; err = sss_idmap_add_domain_ex(idmap_ctx->map, name, sid, &range, - r->name, rid, external_mapping); - if (err != IDMAP_SUCCESS 
&& err != IDMAP_COLLISION) { - DEBUG(SSSDBG_CRIT_FAILURE, ("Could not add range [%s] to ID map\n", - r->name)); - ret = EIO; - goto done; + range_list[c]->name, rid, + external_mapping); + if (err != IDMAP_SUCCESS) { + if (!allow_collisions || err != IDMAP_COLLISION) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Could not add range [%s] to ID map\n", + range_list[c]->name)); + ret = EIO; + goto done; + } } } - ret = ipa_idmap_check_posix_child(idmap_ctx, dom_name, dom_sid_str, - range_count, range_list); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, ("ipa_idmap_check_posix_child failed.\n")); - goto done; + if (dom_name != NULL || dom_sid_str != NULL) { + ret = ipa_idmap_check_posix_child(idmap_ctx, dom_name, dom_sid_str, + range_count, range_list); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("ipa_idmap_check_posix_child failed.\n")); + goto done; + } } ret = EOK; @@ -263,6 +286,14 @@ done: return ret; } +errno_t ipa_idmap_find_new_domain(struct sdap_idmap_ctx *idmap_ctx, + const char *dom_name, + const char *dom_sid_str) +{ + return ipa_idmap_get_ranges_from_sysdb(idmap_ctx, dom_name, dom_sid_str, + true); +} + errno_t ipa_idmap_init(TALLOC_CTX *mem_ctx, struct sdap_id_ctx *id_ctx, struct sdap_idmap_ctx **_idmap_ctx) @@ -270,17 +301,7 @@ errno_t ipa_idmap_init(TALLOC_CTX *mem_ctx, errno_t ret; TALLOC_CTX *tmp_ctx; enum idmap_error_code err; - size_t c; struct sdap_idmap_ctx *idmap_ctx = NULL; - struct sysdb_ctx *sysdb = id_ctx->be->domain->sysdb; - size_t range_count; - struct range_info **range_list; - struct range_info *r; - struct sss_idmap_range range; - uint32_t rid; - bool external_mapping; - char *name; - char *sid; tmp_ctx = talloc_new(NULL); if (!tmp_ctx) return ENOMEM; 
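Review bot: When `allow_collisions` is true, an IDMAP_COLLISION from sss_idmap_add_domain_ex is now swallowed silently inside the loop, so a range that is not added because another range already covers its IDs leaves no trace in the log; an `else` branch such as `DEBUG(SSSDBG_TRACE_FUNC, ("Range [%s] already in ID map, skipping.\n", range_list[c]->name));` would make the skip visible when debugging overlapping ranges. The guard `if (dom_name != NULL || dom_sid_str != NULL)` still lets ipa_idmap_check_posix_child be called with one of the two arguments NULL; whether that helper tolerates a NULL name or SID is not visible in this hunk, so if both are required the condition should be `&&`, otherwise a comment stating which combinations are valid would help. A failure of get_idmap_data_from_range is logged twice (at MINOR_FAILURE inside the helper and again at OP_FAILURE here), which is worth consolidating to one level. The function body begins before this hunk, so the sysdb_get_ranges handling was not reviewed.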
@@ -309,82 +330,13 @@ errno_t ipa_idmap_init(TALLOC_CTX *mem_ctx, goto done; } - - /* Read in any existing mappings from the cache */ - ret = sysdb_get_ranges(tmp_ctx, sysdb, &range_count, &range_list); - if (ret != EOK && ret != ENOENT) { - DEBUG(SSSDBG_FATAL_FAILURE, - ("Could not read ranges from the cache: [%s]\n", - strerror(ret))); + ret = ipa_idmap_get_ranges_from_sysdb(idmap_ctx, NULL, NULL, false); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + ("ipa_idmap_get_ranges_from_sysdb failed.\n")); goto done; } - DEBUG(SSSDBG_CONF_SETTINGS, - ("Initializing [%zu] domains for ID-mapping\n", range_count)); - - for (c = 0; c < range_count; c++) { - - r = range_list[c]; - - if (r->range_type == NULL) { - /* Older IPA servers might not have the range_type attribute, but - * only support local ranges and trusts with algorithmic mapping. */ - - if (r->trusted_dom_sid == NULL && r->secondary_base_rid != 0) { - /* local IPA domain */ - rid = 0; - external_mapping = true; - sid = NULL; - name = id_ctx->be->domain->name; - } else if (r->trusted_dom_sid != NULL - && r->secondary_base_rid == 0) { - /* trusted domain */ - rid = r->base_rid; - external_mapping = false; - sid = r->trusted_dom_sid; - name = sid; - } else { - DEBUG(SSSDBG_MINOR_FAILURE, ("Cannot determine range type, " \ - "skipping id ange [%s].\n", - r->name)); - continue; - } - } else { - if (strcmp(r->range_type, IPA_RANGE_LOCAL) == 0) { - rid = 0; - external_mapping = true; - sid = NULL; - name = id_ctx->be->domain->name; - } else if (strcmp(r->range_type, IPA_RANGE_AD_TRUST_POSIX) == 0) { - rid = 0; - external_mapping = true; - sid = r->trusted_dom_sid; - name = sid; - } else if (strcmp(r->range_type, IPA_RANGE_AD_TRUST) == 0) { - rid = r->base_rid; - external_mapping = false; - sid = r->trusted_dom_sid; - name = sid; - } else { - DEBUG(SSSDBG_MINOR_FAILURE, ("Range type [%s] not supported, " \ - "skipping id range [%s].\n", - r->range_type, r->name)); - continue; - } - } - - range.min = r->base_id; - 
range.max = r->base_id + r->id_range_size -1; - err = sss_idmap_add_domain_ex(idmap_ctx->map, name, sid, &range, - r->name, rid, external_mapping); - if (err != IDMAP_SUCCESS) { - DEBUG(SSSDBG_CRIT_FAILURE, ("Could not add range [%s] to ID map\n", - r->name)); - ret = EIO; - goto done; - } - } - *_idmap_ctx = talloc_steal(mem_ctx, idmap_ctx); ret = EOK; |