From 169fa5bd3edd34aa0db35681832bd7406e423c1b Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Wed, 1 Feb 2012 14:03:36 -0500 Subject: LDAP: Do not fail if RootDSE check cannot determine search bases https://fedorahosted.org/sssd/ticket/1152 --- src/providers/ipa/ipa_netgroups.c | 7 ++++++ src/providers/ldap/ldap_common.c | 5 ++--- src/providers/ldap/sdap.c | 7 +++++- src/providers/ldap/sdap_async_groups.c | 9 ++++++++ src/providers/ldap/sdap_async_initgroups.c | 35 +++++++++++++++++++++++++++++- src/providers/ldap/sdap_async_netgroups.c | 10 +++++++++ src/providers/ldap/sdap_async_services.c | 9 ++++++++ src/providers/ldap/sdap_async_users.c | 9 ++++++++ src/providers/ldap/sdap_sudo.c | 9 ++++++++ 9 files changed, 95 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c index d61728f57..620f03cc8 100644 --- a/src/providers/ipa/ipa_netgroups.c +++ b/src/providers/ipa/ipa_netgroups.c @@ -209,6 +209,13 @@ struct tevent_req *ipa_get_netgroups_send(TALLOC_CTX *memctx, state->base_filter = filter; state->netgr_base_iter = 0; + if (!ipa_options->id->netgroup_search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Netgroup lookup request without a search base\n")); + ret = EINVAL; + goto done; + } + ret = sss_hash_create(state, 32, &state->new_netgroups); if (ret != EOK) goto done; ret = sss_hash_create(state, 32, &state->new_users); diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index 786e06b3d..38bd1b4f3 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c 
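Review bot: The guard added before `sss_hash_create` in ipa_get_netgroups_send carries no comment explaining why a search base can be NULL at this point, and the same guard is repeated without one in the groups, initgroups, netgroups, services, users and sudo hunks of this patch. A one-line comment above each check would tie it to the RootDSE change in sdap.c, for example `/* Search bases may be unset if RootDSE discovery could not pick a namingContext */`. The checks are also spelled two ways: the sdap_get_groups_send hunk tests the `search_bases` parameter while the others test `state->search_bases`, and using one form throughout would make a missing guard easier to spot in later lookups. The `done` label this hunk jumps to lies outside the hunk.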
@@ -572,9 +572,8 @@ int ldap_get_sudo_options(TALLOC_CTX *memctx, dp_opt_get_string(opts->basic, SDAP_SUDO_SEARCH_BASE))); } } else { - /* FIXME: try to discover it later */ - DEBUG(SSSDBG_OP_FAILURE, ("Error: no SUDO search base set\n")); - return ENOENT; + DEBUG(SSSDBG_TRACE_FUNC, ("Search base not set, trying to discover it later " + "connecting to the LDAP server.\n")); } ret = sdap_parse_search_base(opts, opts->basic, diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c index 8a118150b..27cffd79a 100644 --- a/src/providers/ldap/sdap.c +++ b/src/providers/ldap/sdap.c @@ -754,7 +754,12 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse, naming_context = get_naming_context(opts->basic, rootdse); if (naming_context == NULL) { DEBUG(1, ("get_naming_context failed.\n")); - ret = EINVAL; + + /* This has to be non-fatal, since some servers offer + * multiple namingContexts entries. We will just + * add NULL checks for the search bases in the lookups. + */ + ret = EOK; goto done; } } diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index e59640997..fe5dbd49a 100644 --- a/src/providers/ldap/sdap_async_groups.c +++ b/src/providers/ldap/sdap_async_groups.c @@ -1217,7 +1217,16 @@ struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx, state->base_iter = 0; state->search_bases = search_bases; + if (!search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Group lookup request without a search base\n")); + ret = EINVAL; + goto done; + } + ret = sdap_get_groups_next_base(req); + +done: if (ret != EOK) { tevent_req_error(req, ret); tevent_req_post(req, ev); diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index 73ab25ea7..a769b1005 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c 
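Review bot: With `return ENOENT` removed from the else branch of ldap_get_sudo_options, control now reaches `ret = sdap_parse_search_base(opts, opts->basic,` with the sudo search base unset. How that return value is handled lies outside the hunk, so it is worth confirming that an unset base is tolerated there and does not fail provider setup with a different error. The new message also reads awkwardly; `"Search base not set, trying to discover it later when connecting to the LDAP server.\n"` would be clearer.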
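Review bot: Setting `ret = EOK` when `get_naming_context` returns NULL makes a failed discovery indistinguishable from success for the caller of sdap_set_config_options_with_rootdse. From here on, every reader of the search bases must do its own NULL check. This patch adds that check to the request constructors it touches; whether other consumers of the bases exist cannot be seen from this diff and should be audited before relying on the new behaviour. The surviving `DEBUG(1, ("get_naming_context failed.\n"));` still reports a failure at a numeric level, so consider `DEBUG(SSSDBG_OP_FAILURE, ("No usable namingContext in RootDSE, search bases left unset.\n"));` so operators can correlate the later "without a search base" errors with this event. The function body starts and ends outside the hunk.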
@@ -303,6 +303,13 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx, state->base_iter = 0; state->search_bases = opts->group_search_bases; + if (!state->search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Initgroups lookup request without a group search base\n")); + ret = EINVAL; + goto done; + } + state->name = talloc_strdup(state, name); if (!state->name) { talloc_zfree(req); @@ -337,6 +344,8 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx, talloc_zfree(clean_name); ret = sdap_initgr_rfc2307_next_base(req); + +done: if (ret != EOK) { tevent_req_error(req, ret); tevent_req_post(req, ev); @@ -1432,6 +1441,13 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send( state->base_iter = 0; state->search_bases = opts->group_search_bases; + if (!state->search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Initgroups lookup request without a group search base\n")); + ret = EINVAL; + goto done; + } + ret = sss_hash_create(state, 32, &state->group_hash); if (ret != EOK) { talloc_free(req); @@ -2006,9 +2022,17 @@ struct tevent_req *rfc2307bis_nested_groups_send( SDAP_SEARCH_TIMEOUT); state->base_iter = 0; state->search_bases = opts->group_search_bases; - + if (!state->search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Initgroups nested lookup request " + "without a group search base\n")); + ret = EINVAL; + goto done; + } ret = rfc2307bis_nested_groups_step(req); + +done: if (ret == EOK) { /* All parent groups were already processed */ tevent_req_done(req); 
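Review bot: In the rfc2307bis_nested_groups_send hunk the new `done:` label lands directly on `if (ret == EOK) {`, and the only branch visible there completes the request on success. If no error branch follows outside the hunk, the `ret = EINVAL; goto done;` path returns a request that is never marked finished, and the caller would wait on it indefinitely. Confirm that such a branch exists. If it does not, complete the request inside the guard instead of jumping: `tevent_req_error(req, EINVAL);`, then the same `tevent_req_post` call the success branch uses, then `return req;`. The sdap_initgr_rfc2307bis_send hunk (@@ -1432) also jumps to a `done` label that no hunk of this patch shows, so the same check applies there.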
@@ -2378,9 +2402,16 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT); state->user_base_iter = 0; state->user_search_bases = id_ctx->opts->user_search_bases; + if (!state->user_search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Initgroups lookup request without a user search base\n")); + ret = EINVAL; + goto done; + } ret = sss_filter_sanitize(state, name, &clean_name); if (ret != EOK) { + talloc_zfree(req); return NULL; } @@ -2402,6 +2433,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, } ret = sdap_get_initgr_next_base(req); + +done: if (ret != EOK) { tevent_req_error(req, ret); tevent_req_post(req, ev); diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c index 0888c7e2f..f3a378f64 100644 --- a/src/providers/ldap/sdap_async_netgroups.c +++ b/src/providers/ldap/sdap_async_netgroups.c @@ -579,7 +579,17 @@ struct tevent_req *sdap_get_netgroups_send(TALLOC_CTX *memctx, state->base_iter = 0; state->search_bases = search_bases; + if (!state->search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Netgroup lookup request without a netgroup search base\n")); + ret = EINVAL; + goto done; + } + + ret = sdap_get_netgroups_next_base(req); + +done: if (ret != EOK) { tevent_req_error(req, ret); tevent_req_post(req, state->ev); diff --git a/src/providers/ldap/sdap_async_services.c b/src/providers/ldap/sdap_async_services.c index e4371f58e..f414040bc 100644 --- a/src/providers/ldap/sdap_async_services.c +++ b/src/providers/ldap/sdap_async_services.c 
@@ -104,7 +104,16 @@ sdap_get_services_send(TALLOC_CTX *memctx, state->search_bases = search_bases; state->enumeration = enumeration; + if (!state->search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Services lookup request without a search base\n")); + ret = EINVAL; + goto done; + } + ret = sdap_get_services_next_base(req); + +done: if (ret != EOK) { tevent_req_error(req, ret); tevent_req_post(req, state->ev); diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c index ac856a642..011683219 100644 --- a/src/providers/ldap/sdap_async_users.c +++ b/src/providers/ldap/sdap_async_users.c @@ -434,7 +434,16 @@ struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx, state->search_bases = search_bases; state->enumeration = enumeration; + if (!state->search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("User lookup request without a search base\n")); + ret = EINVAL; + goto done; + } + ret = sdap_get_users_next_base(req); + +done: if (ret != EOK) { tevent_req_error(req, ret); tevent_req_post(req, state->ev); diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c index aed937f9f..30afcddfe 100644 --- a/src/providers/ldap/sdap_sudo.c +++ b/src/providers/ldap/sdap_sudo.c @@ -340,6 +340,13 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx, state->ldap_rules = NULL; state->ldap_rules_count = 0; + if (!state->search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("SUDOERS lookup request without a search base\n")); + ret = EINVAL; + goto done; + } + /* create filter */ state->filter = sdap_sudo_build_filter(state, opts->sudorule_map, sudo_req); if (state->filter == NULL) { @@ -355,6 +362,8 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx, /* begin search */ ret = sdap_sudo_load_sudoers_next_base(req); + +done: if (ret != EOK) { tevent_req_error(req, ret); tevent_req_post(req, ev); -- cgit