summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/responder/common/negcache.c207
-rw-r--r--src/responder/common/negcache.h8
-rw-r--r--src/responder/nss/nsssrv.c192
3 files changed, 220 insertions, 187 deletions
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index aef9080a8..521a2e76e 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -20,6 +20,7 @@
*/
#include "util/util.h"
+#include "confdb/confdb.h"
#include <fcntl.h>
#include <time.h>
#include "tdb.h"
@@ -319,3 +320,209 @@ int sss_ncache_reset_permament(struct sss_nc_ctx *ctx)
return EOK;
}
+
+errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
+ struct confdb_ctx *cdb,
+ struct sss_names_ctx *names_ctx,
+ struct sss_domain_info *domain_list)
+{
+ errno_t ret;
+ bool filter_set = false;
+ char **filter_list = NULL;
+ char *name = NULL;
+ struct sss_domain_info *dom = NULL;
+ char *domainname = NULL;
+ char *conf_path = NULL;
+ TALLOC_CTX *tmpctx = talloc_new(NULL);
+ int i;
+
+ /* Populate domain-specific negative cache entries */
+ for (dom = domain_list; dom; dom = dom->next) {
+ conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL,
+ dom->name);
+ if (!conf_path) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ talloc_zfree(filter_list);
+ ret = confdb_get_string_as_list(cdb, tmpctx, conf_path,
+ CONFDB_NSS_FILTER_USERS,
+ &filter_list);
+ if (ret == ENOENT) continue;
+ if (ret != EOK) goto done;
+ filter_set = true;
+
+ for (i = 0; (filter_list && filter_list[i]); i++) {
+ ret = sss_parse_name(tmpctx, names_ctx, filter_list[i],
+ &domainname, &name);
+ if (ret != EOK) {
+ DEBUG(1, ("Invalid name in filterUsers list: [%s] (%d)\n",
+ filter_list[i], ret));
+ continue;
+ }
+
+ if (domainname && strcmp(domainname, dom->name)) {
+ DEBUG(1, ("Mismatch between domain name (%s) and name "
+ "set in FQN (%s), skipping user %s\n",
+ dom->name, domainname, name));
+ continue;
+ }
+
+ ret = sss_ncache_set_user(ncache, true, dom->name, name);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to store permanent user filter for [%s]"
+ " (%d [%s])\n", filter_list[i],
+ ret, strerror(ret)));
+ continue;
+ }
+ }
+ }
+
+ ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_FILTER_USERS, &filter_list);
+ if (ret == ENOENT) {
+ if (!filter_set) {
+ filter_list = talloc_array(tmpctx, char *, 2);
+ if (!filter_list) {
+ ret = ENOMEM;
+ goto done;
+ }
+ filter_list[0] = talloc_strdup(tmpctx, "root");
+ if (!filter_list[0]) {
+ ret = ENOMEM;
+ goto done;
+ }
+ filter_list[1] = NULL;
+ }
+ ret = EOK;
+ }
+ else if (ret != EOK) goto done;
+
+ for (i = 0; (filter_list && filter_list[i]); i++) {
+ ret = sss_parse_name(tmpctx, names_ctx, filter_list[i],
+ &domainname, &name);
+ if (ret != EOK) {
+ DEBUG(1, ("Invalid name in filterUsers list: [%s] (%d)\n",
+ filter_list[i], ret));
+ continue;
+ }
+ if (domainname) {
+ ret = sss_ncache_set_user(ncache, true, domainname, name);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to store permanent user filter for [%s]"
+ " (%d [%s])\n", filter_list[i],
+ ret, strerror(ret)));
+ continue;
+ }
+ } else {
+ for (dom = domain_list; dom; dom = dom->next) {
+ ret = sss_ncache_set_user(ncache, true, dom->name, name);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to store permanent user filter for"
+ " [%s:%s] (%d [%s])\n",
+ dom->name, filter_list[i],
+ ret, strerror(ret)));
+ continue;
+ }
+ }
+ }
+ }
+
+ filter_set = false;
+ for (dom = domain_list; dom; dom = dom->next) {
+ conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL, dom->name);
+ if (!conf_path) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ talloc_zfree(filter_list);
+ ret = confdb_get_string_as_list(cdb, tmpctx, conf_path,
+ CONFDB_NSS_FILTER_GROUPS, &filter_list);
+ if (ret == ENOENT) continue;
+ if (ret != EOK) goto done;
+ filter_set = true;
+
+ for (i = 0; (filter_list && filter_list[i]); i++) {
+ ret = sss_parse_name(tmpctx, names_ctx, filter_list[i],
+ &domainname, &name);
+ if (ret != EOK) {
+ DEBUG(1, ("Invalid name in filterGroups list: [%s] (%d)\n",
+ filter_list[i], ret));
+ continue;
+ }
+
+ if (domainname && strcmp(domainname, dom->name)) {
+ DEBUG(1, ("Mismatch betwen domain name (%s) and name "
+ "set in FQN (%s), skipping group %s\n",
+ dom->name, domainname, name));
+ continue;
+ }
+
+ ret = sss_ncache_set_group(ncache, true, dom->name, name);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to store permanent group filter for [%s]"
+ " (%d [%s])\n", filter_list[i],
+ ret, strerror(ret)));
+ continue;
+ }
+ }
+ }
+
+ ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_FILTER_GROUPS, &filter_list);
+ if (ret == ENOENT) {
+ if (!filter_set) {
+ filter_list = talloc_array(tmpctx, char *, 2);
+ if (!filter_list) {
+ ret = ENOMEM;
+ goto done;
+ }
+ filter_list[0] = talloc_strdup(tmpctx, "root");
+ if (!filter_list[0]) {
+ ret = ENOMEM;
+ goto done;
+ }
+ filter_list[1] = NULL;
+ }
+ ret = EOK;
+ }
+ else if (ret != EOK) goto done;
+
+ for (i = 0; (filter_list && filter_list[i]); i++) {
+ ret = sss_parse_name(tmpctx, names_ctx, filter_list[i],
+ &domainname, &name);
+ if (ret != EOK) {
+ DEBUG(1, ("Invalid name in filterGroups list: [%s] (%d)\n",
+ filter_list[i], ret));
+ continue;
+ }
+ if (domainname) {
+ ret = sss_ncache_set_group(ncache, true, domainname, name);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to store permanent group filter for"
+ " [%s] (%d [%s])\n", filter_list[i],
+ ret, strerror(ret)));
+ continue;
+ }
+ } else {
+ for (dom = domain_list; dom; dom = dom->next) {
+ ret = sss_ncache_set_group(ncache, true, dom->name, name);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to store permanent group filter for"
+ " [%s:%s] (%d [%s])\n",
+ dom->name, filter_list[i],
+ ret, strerror(ret)));
+ continue;
+ }
+ }
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmpctx);
+ return ret;
+}
diff --git a/src/responder/common/negcache.h b/src/responder/common/negcache.h
index d310c9e3d..68be9f02e 100644
--- a/src/responder/common/negcache.h
+++ b/src/responder/common/negcache.h
@@ -48,4 +48,12 @@ int sss_ncache_set_gid(struct sss_nc_ctx *ctx, bool permanent, gid_t gid);
int sss_ncache_reset_permament(struct sss_nc_ctx *ctx);
+/* Set up the negative cache with values from filter_users and
+ * filter_groups in the sssd.conf
+ */
+errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
+ struct confdb_ctx *cdb,
+ struct sss_names_ctx *names_ctx,
+ struct sss_domain_info *domain_list);
+
#endif /* _NSS_NEG_CACHE_H_ */
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index 24753674a..f14d698f2 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -67,12 +67,7 @@ static int nss_get_config(struct nss_ctx *nctx,
struct confdb_ctx *cdb)
{
TALLOC_CTX *tmpctx;
- struct sss_domain_info *dom;
- const char *conf_path;
- char *domain, *name;
- char **filter_list = NULL;
- int ret, i;
- bool filter_set;
+ int ret;
tmpctx = talloc_new(nctx);
if (!tmpctx) return ENOMEM;
@@ -92,7 +87,6 @@ static int nss_get_config(struct nss_ctx *nctx,
&nctx->filter_users_in_groups);
if (ret != EOK) goto done;
-
ret = confdb_get_int(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
CONFDB_NSS_ENTRY_CACHE_NOWAIT_PERCENTAGE, 0,
&nctx->cache_refresh_percent);
@@ -104,186 +98,10 @@ static int nss_get_config(struct nss_ctx *nctx,
nctx->cache_refresh_percent = 0;
}
- filter_set = false;
- for (dom = rctx->domains; dom; dom = dom->next) {
- conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL, dom->name);
- if (!conf_path) {
- ret = ENOMEM;
- goto done;
- }
-
- talloc_zfree(filter_list);
- ret = confdb_get_string_as_list(cdb, tmpctx, conf_path,
- CONFDB_NSS_FILTER_USERS, &filter_list);
- if (ret == ENOENT) continue;
- if (ret != EOK) goto done;
- filter_set = true;
-
- for (i = 0; (filter_list && filter_list[i]); i++) {
- ret = sss_parse_name(tmpctx, nctx->rctx->names,
- filter_list[i], &domain, &name);
- if (ret != EOK) {
- DEBUG(1, ("Invalid name in filterUsers list: [%s] (%d)\n",
- filter_list[i], ret));
- continue;
- }
-
- if (domain && strcmp(domain, dom->name)) {
- DEBUG(1, ("Mismatch betwen domain name (%s) and name "
- "set in FQN (%s), skipping user %s\n",
- dom->name, domain, name));
- continue;
- }
-
- ret = sss_ncache_set_user(nctx->ncache, true, dom->name, name);
- if (ret != EOK) {
- DEBUG(1, ("Failed to store permanent user filter for [%s]"
- " (%d [%s])\n", filter_list[i],
- ret, strerror(ret)));
- continue;
- }
- }
- }
-
- ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
- CONFDB_NSS_FILTER_USERS, &filter_list);
- if (ret == ENOENT) {
- if (!filter_set) {
- filter_list = talloc_array(tmpctx, char *, 2);
- if (!filter_list) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[0] = talloc_strdup(tmpctx, "root");
- if (!filter_list[0]) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[1] = NULL;
- }
- ret = EOK;
- }
- else if (ret != EOK) goto done;
-
- for (i = 0; (filter_list && filter_list[i]); i++) {
- ret = sss_parse_name(tmpctx, nctx->rctx->names,
- filter_list[i], &domain, &name);
- if (ret != EOK) {
- DEBUG(1, ("Invalid name in filterUsers list: [%s] (%d)\n",
- filter_list[i], ret));
- continue;
- }
- if (domain) {
- ret = sss_ncache_set_user(nctx->ncache, true, domain, name);
- if (ret != EOK) {
- DEBUG(1, ("Failed to store permanent user filter for [%s]"
- " (%d [%s])\n", filter_list[i],
- ret, strerror(ret)));
- continue;
- }
- } else {
- for (dom = rctx->domains; dom; dom = dom->next) {
- ret = sss_ncache_set_user(nctx->ncache, true, dom->name, name);
- if (ret != EOK) {
- DEBUG(1, ("Failed to store permanent user filter for"
- " [%s:%s] (%d [%s])\n",
- dom->name, filter_list[i],
- ret, strerror(ret)));
- continue;
- }
- }
- }
- }
-
- filter_set = false;
- for (dom = rctx->domains; dom; dom = dom->next) {
- conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL, dom->name);
- if (!conf_path) {
- ret = ENOMEM;
- goto done;
- }
-
- talloc_zfree(filter_list);
- ret = confdb_get_string_as_list(cdb, tmpctx, conf_path,
- CONFDB_NSS_FILTER_GROUPS, &filter_list);
- if (ret == ENOENT) continue;
- if (ret != EOK) goto done;
- filter_set = true;
-
- for (i = 0; (filter_list && filter_list[i]); i++) {
- ret = sss_parse_name(tmpctx, nctx->rctx->names,
- filter_list[i], &domain, &name);
- if (ret != EOK) {
- DEBUG(1, ("Invalid name in filterGroups list: [%s] (%d)\n",
- filter_list[i], ret));
- continue;
- }
-
- if (domain && strcmp(domain, dom->name)) {
- DEBUG(1, ("Mismatch betwen domain name (%s) and name "
- "set in FQN (%s), skipping group %s\n",
- dom->name, domain, name));
- continue;
- }
-
- ret = sss_ncache_set_group(nctx->ncache, true, dom->name, name);
- if (ret != EOK) {
- DEBUG(1, ("Failed to store permanent group filter for [%s]"
- " (%d [%s])\n", filter_list[i],
- ret, strerror(ret)));
- continue;
- }
- }
- }
-
- ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
- CONFDB_NSS_FILTER_GROUPS, &filter_list);
- if (ret == ENOENT) {
- if (!filter_set) {
- filter_list = talloc_array(tmpctx, char *, 2);
- if (!filter_list) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[0] = talloc_strdup(tmpctx, "root");
- if (!filter_list[0]) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[1] = NULL;
- }
- ret = EOK;
- }
- else if (ret != EOK) goto done;
-
- for (i = 0; (filter_list && filter_list[i]); i++) {
- ret = sss_parse_name(tmpctx, nctx->rctx->names,
- filter_list[i], &domain, &name);
- if (ret != EOK) {
- DEBUG(1, ("Invalid name in filterGroups list: [%s] (%d)\n",
- filter_list[i], ret));
- continue;
- }
- if (domain) {
- ret = sss_ncache_set_group(nctx->ncache, true, domain, name);
- if (ret != EOK) {
- DEBUG(1, ("Failed to store permanent group filter for"
- " [%s] (%d [%s])\n", filter_list[i],
- ret, strerror(ret)));
- continue;
- }
- } else {
- for (dom = rctx->domains; dom; dom = dom->next) {
- ret = sss_ncache_set_group(nctx->ncache, true, dom->name, name);
- if (ret != EOK) {
- DEBUG(1, ("Failed to store permanent group filter for"
- " [%s:%s] (%d [%s])\n",
- dom->name, filter_list[i],
- ret, strerror(ret)));
- continue;
- }
- }
- }
+ ret = sss_ncache_prepopulate(nctx->ncache, cdb, nctx->rctx->names,
+ nctx->rctx->domains);
+ if (ret != EOK) {
+ goto done;
}
ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,