author | Petr Čech <pcech@redhat.com> | 2017-01-04 15:33:30 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2017-02-08 10:53:19 +0100 |
commit | 3ee411625aee19afda7477bb10b52c3da378b6fb (patch) | |
tree | 4b6cb8929642102fb074e0d702798412b8b5a905 /src/db | |
parent | c3593f06da54315c88a08a46cfc0def366acad43 (diff) | |
SYSDB: Removing of sysdb_try_to_find_expected_dn()
Currently in order to match multiple LDAP search results we
use two different functions - we have sysdb_try_to_find_expected_dn()
but also sdap_object_in_domain().
This patch removes sysdb_try_to_find_expected_dn() and adds a new
sdap_search_initgr_user_in_batch() based on sdap_object_in_domain().
This function covers necessary logic.
Resolves:
https://fedorahosted.org/sssd/ticket/3230
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/db')
-rw-r--r-- | src/db/sysdb.h | 6 | ||||
-rw-r--r-- | src/db/sysdb_subdomains.c | 332 |
2 files changed, 0 insertions, 338 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 8a363d090..809ca359a 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -1309,10 +1309,4 @@ errno_t sysdb_handle_original_uuid(const char *orig_name, struct sysdb_attrs *dest_attrs, const char *dest_name); -errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, - const char *domain_component_name, - const char *ldap_search_base, - struct sysdb_attrs **usr_attrs, - size_t count, - struct sysdb_attrs **exp_usr); #endif /* __SYS_DB_H__ */ diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c index 780140484..1f43bfc12 100644 --- a/src/db/sysdb_subdomains.c +++ b/src/db/sysdb_subdomains.c 
@@ -1144,335 +1144,3 @@ done: talloc_free(tmp_ctx); return ret; } - -static errno_t match_cn_users(TALLOC_CTX *tmp_ctx, - struct sysdb_attrs **usr_attrs, - size_t count, - const char *dom_basedn, - struct sysdb_attrs **_result) -{ - errno_t ret; - const char *orig_dn; - size_t dn_len; - struct sysdb_attrs *result = NULL; - const char *result_dn_str = NULL; - char *cn_users_basedn; - size_t cn_users_basedn_len; - - cn_users_basedn = talloc_asprintf(tmp_ctx, "%s%s", "cn=users,", dom_basedn); - if (cn_users_basedn == NULL) { - ret = ENOMEM; - goto done; - } - cn_users_basedn_len = strlen(cn_users_basedn); - DEBUG(SSSDBG_TRACE_ALL, "cn=users baseDN is [%s].\n", cn_users_basedn); - - for (size_t c = 0; c < count; c++) { - ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, &orig_dn); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); - goto done; - } - dn_len = strlen(orig_dn); - - if (dn_len > cn_users_basedn_len - && strcasecmp(orig_dn + (dn_len - cn_users_basedn_len), - cn_users_basedn) == 0) { - DEBUG(SSSDBG_TRACE_ALL, - "Found matching dn [%s].\n", orig_dn); - if (result != NULL) { - DEBUG(SSSDBG_OP_FAILURE, - "Found 2 matching DN [%s] and [%s], expecting only 1.\n", - result_dn_str, orig_dn); - ret = EINVAL; - goto done; - } - result = usr_attrs[c]; - result_dn_str = orig_dn; - } - } - - ret = EOK; -done: - *_result = result; - return ret; -} - -static errno_t match_non_dc_comp(TALLOC_CTX *tmp_ctx, - struct sss_domain_info *dom, - struct sysdb_attrs **usr_attrs, - size_t count, - struct ldb_dn *ldb_basedn, - const char *basedn, - const char *domain_component_name, - struct sysdb_attrs **_result) -{ - errno_t ret; - const char *orig_dn; - size_t orig_dn_len; - size_t basedn_len; - struct ldb_context *ldb_ctx; - struct ldb_dn *ldb_orig_dn; - int dn_comp_num; - int basedn_comp_num; - const char *component_name; - struct sysdb_attrs *result = NULL; - const char *result_dn_str = NULL; - - ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb); - 
if (ldb_ctx == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n"); - ret = EINVAL; - goto done; - } - - basedn_len = strlen(basedn); - - basedn_comp_num = ldb_dn_get_comp_num(ldb_basedn); - basedn_comp_num++; - - for (size_t c = 0; c < count; c++) { - ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, &orig_dn); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); - goto done; - } - orig_dn_len = strlen(orig_dn); - - if (orig_dn_len > basedn_len - /* Does the user's original DN with the non-domain part - * stripped match the domain base DN? - */ - && strcasecmp(orig_dn + (orig_dn_len - basedn_len), - basedn) == 0) { - ldb_orig_dn = ldb_dn_new(tmp_ctx, ldb_ctx, orig_dn); - if (ldb_orig_dn == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed"); - ret = ENOMEM; - goto done; - } - - dn_comp_num = ldb_dn_get_comp_num(ldb_orig_dn); - if (dn_comp_num > basedn_comp_num) { - component_name = ldb_dn_get_component_name(ldb_orig_dn, - (dn_comp_num - basedn_comp_num)); - DEBUG(SSSDBG_TRACE_ALL, "Comparing [%s] and [%s].\n", - component_name, - domain_component_name); - /* If the component is NOT a DC component, then the entry - * must come from our domain, perhaps from a child container. - * If it matched the DC component, the entry was from a child - * subdomain different from this one. 
- */ - if (component_name != NULL - && strcasecmp(component_name, - domain_component_name) != 0) { - DEBUG(SSSDBG_TRACE_ALL, - "Found matching dn [%s].\n", orig_dn); - if (result != NULL) { - DEBUG(SSSDBG_OP_FAILURE, - "Found 2 matching DN [%s] and [%s], " - "expecting only 1.\n", result_dn_str, orig_dn); - ret = EINVAL; - goto done; - } - result = usr_attrs[c]; - result_dn_str = orig_dn; - } - } - } - } - - ret = EOK; - *_result = result; -done: - return ret; -} - -static errno_t match_basedn(TALLOC_CTX *tmp_ctx, - struct sss_domain_info *dom, - struct sysdb_attrs **usr_attrs, - size_t count, - const char *dom_basedn, - const char *domain_component_name, - struct sysdb_attrs **_result) -{ - struct ldb_context *ldb_ctx; - struct ldb_dn *ldb_dom_basedn; - - ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb); - if (ldb_ctx == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n"); - return EINVAL; - } - - - ldb_dom_basedn = ldb_dn_new(tmp_ctx, ldb_ctx, dom_basedn); - if (ldb_dom_basedn == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n"); - return ENOMEM; - } - - return match_non_dc_comp(tmp_ctx, dom, - usr_attrs, count, - ldb_dom_basedn, dom_basedn, - domain_component_name, - _result); -} - -static errno_t match_search_base(TALLOC_CTX *tmp_ctx, - struct sss_domain_info *dom, - const char *domain_component_name, - const char *domain_search_base, - struct sysdb_attrs **usr_attrs, - size_t count, - struct sysdb_attrs **_result) -{ - errno_t ret; - bool ok; - const char *search_base; - struct ldb_context *ldb_ctx; - struct sysdb_attrs *result = NULL; - struct ldb_dn *ldb_search_base; - int search_base_comp_num; - int non_dc_comp_num; - const char *component_name; - - ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb); - if (ldb_ctx == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n"); - ret = EINVAL; - goto done; - } - - ldb_search_base = ldb_dn_new(tmp_ctx, ldb_ctx, domain_search_base); - if (ldb_search_base == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new 
failed.\n"); - ret = ENOMEM; - goto done; - } - - /* strip non-DC components from the search base */ - search_base_comp_num = ldb_dn_get_comp_num(ldb_search_base); - for (non_dc_comp_num = 0; - non_dc_comp_num < search_base_comp_num; - non_dc_comp_num++) { - - component_name = ldb_dn_get_component_name(ldb_search_base, - non_dc_comp_num); - if (strcasecmp(domain_component_name, component_name) == 0) { - break; - } - } - - if (non_dc_comp_num == search_base_comp_num) { - /* The search base does not have any non-DC components, the search wouldn't - * match anyway - */ - ret = EOK; - *_result = NULL; - goto done; - } - - ok = ldb_dn_remove_child_components(ldb_search_base, non_dc_comp_num); - if (!ok) { - ret = EINVAL; - goto done; - } - - search_base = ldb_dn_get_linearized(ldb_search_base); - if (search_base == NULL) { - ret = ENOMEM; - goto done; - } - - ret = match_cn_users(tmp_ctx, usr_attrs, count, search_base, &result); - if (ret != EOK) { - goto done; - } - - if (result == NULL) { - ret = match_non_dc_comp(tmp_ctx, dom, - usr_attrs, count, - ldb_search_base, search_base, - domain_component_name, - &result); - if (ret != EOK) { - goto done; - } - } - - ret = EOK; - *_result = result; -done: - return ret; -} - -errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, - const char *domain_component_name, - const char *domain_search_base, - struct sysdb_attrs **usr_attrs, - size_t count, - struct sysdb_attrs **exp_usr) -{ - char *dom_basedn; - int ret; - TALLOC_CTX *tmp_ctx; - struct sysdb_attrs *result = NULL; - - if (dom == NULL || domain_component_name == NULL - || domain_search_base == NULL - || usr_attrs == NULL || count == 0) { - return EINVAL; - } - - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); - return ENOMEM; - } - - ret = domain_to_basedn(tmp_ctx, dom->name, &dom_basedn); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n"); - ret = EINVAL; - goto done; - } - - 
ret = match_cn_users(tmp_ctx, usr_attrs, count, dom_basedn, &result); - if (ret != EOK) { - goto done; - } - - if (result == NULL) { - ret = match_basedn(tmp_ctx, dom, usr_attrs, - count, dom_basedn, domain_component_name, - &result); - if (ret != EOK) { - goto done; - } - } - - if (result == NULL) { - ret = match_search_base(tmp_ctx, dom, domain_component_name, - domain_search_base, usr_attrs, count, - &result); - if (ret != EOK) { - goto done; - } - } - - if (result == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "No matching DN found.\n"); - ret = ENOENT; - goto done; - } - - *exp_usr = result; - - ret = EOK; -done: - talloc_free(tmp_ctx); - - return ret; -} |