<feed xmlns='http://www.w3.org/2005/Atom'>
<title>sssd2.git/src/db/sysdb.h, branch sssd-1-9</title>
<subtitle>System Security Services Daemon [okos' clone]</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/'/>
<entry>
<title>sysdb: try dealing with binary-content attributes</title>
<updated>2013-02-26T16:18:04+00:00</updated>
<author>
<name>Jan Engelhardt</name>
<email>jengelh@inai.de</email>
</author>
<published>2013-02-21T12:12:25+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=6072f51a6c91f580c6582c527a08acbe51824d6a'/>
<id>6072f51a6c91f580c6582c527a08acbe51824d6a</id>
<content type='text'>
https://fedorahosted.org/sssd/ticket/1818

I have here an LDAP user entry which has this attribute

	loginAllowedTimeMap::
	 AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA

In the function sysdb_attrs_add_string(), called from
sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is
the wrong thing to do. The result of strlen is then used to populate
the .v_length member of a struct ldb_val - and this will set it to
zero in this case. (There is also the problem that there may not be
a '\0' at all in the blob.)

Subsequently, .v_length being 0 makes ldb_modify(), called from
sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End
result is that users do not get stored in the sysdb, and programs like
`id` or `getent ...` show incomplete information.

The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave
fine, but that may not mean that is the absolute lower boundary of
introduction of the problem.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://fedorahosted.org/sssd/ticket/1818

I have here an LDAP user entry which has this attribute

	loginAllowedTimeMap::
	 AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA

In the function sysdb_attrs_add_string(), called from
sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is
the wrong thing to do. The result of strlen is then used to populate
the .v_length member of a struct ldb_val - and this will set it to
zero in this case. (There is also the problem that there may not be
a '\0' at all in the blob.)

Subsequently, .v_length being 0 makes ldb_modify(), called from
sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End
result is that users do not get stored in the sysdb, and programs like
`id` or `getent ...` show incomplete information.

The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave
fine, but that may not mean that is the absolute lower boundary of
introduction of the problem.
</pre>
</div>
</content>
</entry>
<entry>
<title>SYSDB: make the sss_ldb_modify_permissive function public</title>
<updated>2013-01-23T16:34:06+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2013-01-23T16:17:38+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=9e48d08b30e6b273fe4437e11851fdc634ce5cc3'/>
<id>9e48d08b30e6b273fe4437e11851fdc634ce5cc3</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>SYSDB: Remove duplicate selinux defines</title>
<updated>2013-01-08T19:15:55+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2013-01-06T16:34:46+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=9670c7d96b003fb9027f7e82d289a433f9894abd'/>
<id>9670c7d96b003fb9027f7e82d289a433f9894abd</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>LDAP: Only convert direct parents' ghost attribute to member</title>
<updated>2012-11-20T17:04:22+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2012-11-17T22:55:13+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=b22f24ead56e401c37750ecd34a5e99506d17058'/>
<id>b22f24ead56e401c37750ecd34a5e99506d17058</id>
<content type='text'>
https://fedorahosted.org/sssd/ticket/1612

This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.

As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.

The original member attributes are only saved if the LDAP schema
supports nesting.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://fedorahosted.org/sssd/ticket/1612

This patch changes the handling of ghost attributes when saving the
actual user entry. Instead of always linking all groups that contained
the ghost attribute with the new user entry, the original member
attributes are now saved in the group object and the user entry is only
linked with its direct parents.

As the member attribute is compared against the originalDN of the user,
if either the originalDN or the originalMember attributes are missing,
the user object is linked with all the groups as a fallback.

The original member attributes are only saved if the LDAP schema
supports nesting.
</pre>
</div>
</content>
</entry>
<entry>
<title>Refactor the way subdomain accounts are saved</title>
<updated>2012-11-19T14:14:23+00:00</updated>
<author>
<name>Simo Sorce</name>
<email>simo@redhat.com</email>
</author>
<published>2012-11-16T20:25:42+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=2f5fbac58e075a2e4de1ff1ba92d8cb1fbb1d7b0'/>
<id>2f5fbac58e075a2e4de1ff1ba92d8cb1fbb1d7b0</id>
<content type='text'>
The original sysdb code had a strong assumption that only users from one
domain are saved in the database. With the subdomain feature, we have
changed reality, but have not adjusted all the code around the sysdb calls
to not rely on the original assumption.

One of the side effects of this incongruence is that currently group
memberships do not return fully qualified names for subdomain users as they
should.

In order to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By saving them fully qualified we do not risk aliasing local users and have
group memberships or other name based matching code mistake a domain user
with a subdomain user or vice versa.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The original sysdb code had a strong assumption that only users from one
domain are saved in the database. With the subdomain feature, we have
changed reality, but have not adjusted all the code around the sysdb calls
to not rely on the original assumption.

One of the side effects of this incongruence is that currently group
memberships do not return fully qualified names for subdomain users as they
should.

In order to fix this and other potential issues surrounding the violation
of the original assumption, we need to fully qualify subdomain user names.
By saving them fully qualified we do not risk aliasing local users and have
group memberships or other name based matching code mistake a domain user
with a subdomain user or vice versa.
</pre>
</div>
</content>
</entry>
<entry>
<title>Display more information on DB version crash</title>
<updated>2012-11-19T12:39:52+00:00</updated>
<author>
<name>Ondrej Kos</name>
<email>okos@redhat.com</email>
</author>
<published>2012-11-08T13:34:36+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=3e454b5de596f2e4d1b4d9df4cc33aeec7a5af5f'/>
<id>3e454b5de596f2e4d1b4d9df4cc33aeec7a5af5f</id>
<content type='text'>
https://fedorahosted.org/sssd/ticket/1589

Added a check for determining whether the database version is higher or
lower than expected. To distinguish it from other errors it uses the
following return values (further used for the appropriate error message):
EMEDIUMTYPE for lower version than expected
EUCLEAN for higher version than expected

When SSSD or one of its tools fails on a DB version mismatch, a new error
message is shown suggesting how to proceed.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://fedorahosted.org/sssd/ticket/1589

Added a check for determining whether the database version is higher or
lower than expected. To distinguish it from other errors it uses the
following return values (further used for the appropriate error message):
EMEDIUMTYPE for lower version than expected
EUCLEAN for higher version than expected

When SSSD or one of its tools fails on a DB version mismatch, a new error
message is shown suggesting how to proceed.
</pre>
</div>
</content>
</entry>
<entry>
<title>Add pac_user_get_grp_info() to read current group memberships</title>
<updated>2012-11-11T02:45:28+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2012-11-07T10:53:13+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=1b9ac1b1fc75312938f39b625d5fa530d781ddd7'/>
<id>1b9ac1b1fc75312938f39b625d5fa530d781ddd7</id>
<content type='text'>
To be able to efficiently store group memberships we need to know the
current memberships of a user. sysdb_initgroups() is used to read the
user entry together with all groups the user is a member of. Some of the
group attributes are kept to avoid additional lookups and speed up
further processing.

Currently sysdb_initgroups() does not return the original DN of the
group. Since it is needed to remove memberships later on, it is added to
the list of requested attributes.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
To be able to efficiently store group memberships we need to know the
current memberships of a user. sysdb_initgroups() is used to read the
user entry together with all groups the user is a member of. Some of the
group attributes are kept to avoid additional lookups and speed up
further processing.

Currently sysdb_initgroups() does not return the original DN of the
group. Since it is needed to remove memberships later on, it is added to
the list of requested attributes.
</pre>
</div>
</content>
</entry>
<entry>
<title>sysdb: add sysdb_base_dn()</title>
<updated>2012-10-26T16:10:23+00:00</updated>
<author>
<name>Sumit Bose</name>
<email>sbose@redhat.com</email>
</author>
<published>2012-10-18T15:40:48+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=aab727b90b43600b750957177845d993196b96e9'/>
<id>aab727b90b43600b750957177845d993196b96e9</id>
<content type='text'>
Add a helper function which returns the ldb_dn object for the base DN of
the cache.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add a helper function which returns the ldb_dn object for the base DN of
the cache.
</pre>
</div>
</content>
</entry>
<entry>
<title>DB: Use TALLOC_CTX for talloc context</title>
<updated>2012-09-24T16:23:15+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2012-09-21T22:07:55+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=edd6630a969fcd6ee2f4e69ebf7576926f040e48'/>
<id>edd6630a969fcd6ee2f4e69ebf7576926f040e48</id>
<content type='text'>
A couple of sysdb functions used "void *" in place of a TALLOC_CTX.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
A couple of sysdb functions used "void *" in place of a TALLOC_CTX.
</pre>
</div>
</content>
</entry>
<entry>
<title>SYSDB: Remove unnecessary domain parameter from several sysdb calls</title>
<updated>2012-09-24T16:23:15+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2012-09-21T21:41:42+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/okos/public_git/sssd2.git/commit/?id=95f5e7963a36b7b68859ce91ae4b232088bbaa09'/>
<id>95f5e7963a36b7b68859ce91ae4b232088bbaa09</id>
<content type='text'>
The domain can be read from the sysdb object. Removing the domain string
makes the API more self-contained.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The domain can be read from the sysdb object. Removing the domain string
makes the API more self-contained.
</pre>
</div>
</content>
</entry>
</feed>
