LDAP: save non-POSIX users in application domains

Related to: https://pagure.io/SSSD/sssd/issue/3310 If a user being saved by the LDAP provider does not have a UID or GID and the domain type is application, we save the user entry as non-POSIX. Reviewed-by: Sumit Bose <sbose@redhat.com>
author: Jakub Hrozek <jhrozek@redhat.com> 2017-03-22 13:06:08 +0100
committer: Jakub Hrozek <jhrozek@redhat.com> 2017-03-30 14:10:06 +0200
commit: ed0cdfcacc44e4e13e1524e254efa744610a87c2 (patch)
tree: 7fca7e6fce44a7d6607c6c30eb70dd3870f52cfa
parent: 901396366075dc3e3fcc0894345af1b51052ac69 (diff)
download: sssd-ed0cdfcacc44e4e13e1524e254efa744610a87c2.tar.gz
sssd-ed0cdfcacc44e4e13e1524e254efa744610a87c2.tar.xz
sssd-ed0cdfcacc44e4e13e1524e254efa744610a87c2.zip
1 files changed, 57 insertions, 15 deletions
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 3d957ab58..265cd7e4f 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -112,6 +112,28 @@ done:
     return ret;
 }
 
+static errno_t sdap_set_non_posix_flag(struct sysdb_attrs *attrs,
+                                       const char *pkey)
+{
+    errno_t ret;
+
+    ret = sysdb_attrs_add_uint32(attrs, pkey, 0);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "Failed to add a zero ID to a non-posix object!\n");
+        return ret;
+    }
+
+    ret = sysdb_attrs_add_bool(attrs, SYSDB_POSIX, false);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Error: Failed to mark objects as non-posix!\n");
+        return ret;
+    }
+
+    return EOK;
+}
+
 /* FIXME: support storing additional attributes */
 int sdap_save_user(TALLOC_CTX *memctx,
                    struct sdap_options *opts,
@@ -130,8 +152,8 @@ int sdap_save_user(TALLOC_CTX *memctx,
     const char *homedir;
     const char *shell;
     const char *orig_dn = NULL;
-    uid_t uid;
-    gid_t gid;
+    uid_t uid = 0;
+    gid_t gid = 0;
     struct sysdb_attrs *user_attrs;
     char *upn = NULL;
     size_t i;
@@ -146,6 +168,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
     size_t c;
     char *p1;
     char *p2;
+    bool is_posix = true;
 
     DEBUG(SSSDBG_TRACE_FUNC, "Save user\n");
 
@@ -295,19 +318,29 @@ int sdap_save_user(TALLOC_CTX *memctx,
         ret = sysdb_attrs_get_uint32_t(attrs,
                                        opts->user_map[SDAP_AT_USER_UID].sys_name,
                                        &uid);
-        if (ret != EOK) {
+        if (ret == ENOENT && dom->type == DOM_TYPE_APPLICATION) {
+            DEBUG(SSSDBG_TRACE_INTERNAL,
+                  "Marking object as non-posix and setting ID=0!\n");
+            ret = sdap_set_non_posix_flag(user_attrs,
+                    opts->user_map[SDAP_AT_USER_UID].sys_name);
+            if (ret != EOK) {
+                goto done;
+            }
+            is_posix = false;
+        } else if (ret != EOK) {
             DEBUG(SSSDBG_CRIT_FAILURE,
-                  "no uid provided for [%s] in domain [%s].\n",
+                  "Cannot retrieve UID for [%s] in domain [%s].\n",
                    user_name, dom->name);
-            ret = EINVAL;
+            ret = ERR_NO_POSIX;
             goto done;
         }
     }
-    /* check that the uid is valid for this domain */
-    if (OUT_OF_ID_RANGE(uid, dom->id_min, dom->id_max)) {
-            DEBUG(SSSDBG_OP_FAILURE,
-                  "User [%s] filtered out! (uid out of range)\n",
-                      user_name);
+
+    /* check that the uid is valid for this domain if the user is a POSIX one */
+    if (is_posix == true && OUT_OF_ID_RANGE(uid, dom->id_min, dom->id_max)) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "User [%s] filtered out! (uid out of range)\n",
+              user_name);
         ret = EINVAL;
         goto done;
     }
@@ -349,17 +382,26 @@ int sdap_save_user(TALLOC_CTX *memctx,
         ret = sysdb_attrs_get_uint32_t(attrs,
                                        opts->user_map[SDAP_AT_USER_GID].sys_name,
                                        &gid);
-        if (ret != EOK) {
+        if (ret == ENOENT && dom->type == DOM_TYPE_APPLICATION) {
+            DEBUG(SSSDBG_TRACE_INTERNAL,
+                  "Marking object as non-posix and setting ID=0!\n");
+            ret = sdap_set_non_posix_flag(attrs,
+                    opts->user_map[SDAP_AT_USER_GID].sys_name);
+            if (ret != EOK) {
+                goto done;
+            }
+            is_posix = false;
+        } else if (ret != EOK) {
             DEBUG(SSSDBG_CRIT_FAILURE,
-                  "no gid provided for [%s] in domain [%s].\n",
-                  user_name, dom->name);
-            ret = EINVAL;
+                  "Cannot retrieve GID for [%s] in domain [%s].\n",
+                   user_name, dom->name);
+            ret = ERR_NO_POSIX;
             goto done;
         }
     }
 
     /* check that the gid is valid for this domain */
-    if (IS_SUBDOMAIN(dom) == false &&
+    if (is_posix == true && IS_SUBDOMAIN(dom) == false &&
             OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
         DEBUG(SSSDBG_CRIT_FAILURE,
               "User [%s] filtered out! (primary gid out of range)\n",
author	Jakub Hrozek <jhrozek@redhat.com>	2017-03-22 13:06:08 +0100
committer	Jakub Hrozek <jhrozek@redhat.com>	2017-03-30 14:10:06 +0200
commit	ed0cdfcacc44e4e13e1524e254efa744610a87c2 (patch)
tree	7fca7e6fce44a7d6607c6c30eb70dd3870f52cfa
parent	901396366075dc3e3fcc0894345af1b51052ac69 (diff)
download	sssd-ed0cdfcacc44e4e13e1524e254efa744610a87c2.tar.gz sssd-ed0cdfcacc44e4e13e1524e254efa744610a87c2.tar.xz sssd-ed0cdfcacc44e4e13e1524e254efa744610a87c2.zip