authorSumit Bose <sbose@redhat.com>2017-03-12 18:31:03 +0100
committerJakub Hrozek <jhrozek@redhat.com>2017-03-23 17:18:57 +0100
commit70c0648f021ded3d31313eb962e1ad140f242673 (patch)
tree387fd14af633f6cc6a8232178e40e031a1f93cb6 /src/db
parent3994e8779d16db3e9fb30f03e5ecf5e811095ac2 (diff)
sdap_get_users_send(): new argument mapped_attrs
mapped_attrs can be a list of sysdb_attrs which are not available on the server side but should be stored with the cached user entry. This is needed e.g. when the input used to look up the user in LDAP is not an attribute which is stored in LDAP but some data from which LDAP attributes are extracted. The current use case is the certificate mapping library, which can create LDAP search filters based on the content of the certificate. To allow upcoming cache lookups to use the input directly, it is stored in the user object in the cache. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/db')
-rw-r--r--src/db/sysdb.h3
-rw-r--r--src/db/sysdb_ops.c61
2 files changed, 64 insertions, 0 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index c677957bb..098f47f91 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -1246,6 +1246,9 @@ errno_t sysdb_search_user_by_cert(TALLOC_CTX *mem_ctx,
errno_t sysdb_remove_cert(struct sss_domain_info *domain,
const char *cert);
+errno_t sysdb_remove_mapped_data(struct sss_domain_info *domain,
+ struct sysdb_attrs *mapped_attr);
+
/* === Functions related to GPOs === */
#define SYSDB_GPO_CONTAINER "cn=gpos,cn=ad,cn=custom"
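Review bot: The new prototype `sysdb_remove_mapped_data()` is added without a doc comment, and its contract is not obvious from the signature alone: the implementation in sysdb_ops.c accepts only a `mapped_attr` with exactly one attribute carrying exactly one value (EINVAL otherwise), reports "no matching entry" as EOK, and returns EIO when the attribute could not be removed from at least one of the matched entries. A `/** ... */` block above the declaration stating the single-attribute restriction, that the callee neither frees nor steals `mapped_attr`, and these return values would save the next caller a trip into sysdb_ops.c. The header's other sysdb_* declarations in this area carry no comments either, so this would be a local improvement rather than a style mismatch.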
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 242d3ce3b..6c2254df2 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -4685,6 +4685,67 @@ errno_t sysdb_search_user_by_cert(TALLOC_CTX *mem_ctx,
return sysdb_search_object_by_cert(mem_ctx, domain, cert, user_attrs, res);
}
+errno_t sysdb_remove_mapped_data(struct sss_domain_info *domain,
+ struct sysdb_attrs *mapped_attr)
+{
+ int ret;
+ char *val;
+ char *filter;
+ const char *attrs[] = {SYSDB_NAME, NULL};
+ struct ldb_result *res = NULL;
+ size_t c;
+ bool all_ok = true;
+
+ if (mapped_attr->num != 1 || mapped_attr->a[0].num_values != 1) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unsupported number of attributes.\n");
+ return EINVAL;
+ }
+
+ ret = bin_to_ldap_filter_value(NULL, mapped_attr->a[0].values[0].data,
+ mapped_attr->a[0].values[0].length, &val);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "bin_to_ldap_filter_value failed.\n");
+ return ret;
+ }
+
+ filter = talloc_asprintf(NULL, "(&("SYSDB_UC")(%s=%s))",
+ mapped_attr->a[0].name, val);
+ talloc_free(val);
+ if (filter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sysdb_search_object_attr(NULL, domain, filter, attrs, false, &res);
+ talloc_free(filter);
+ if (ret == ENOENT || res == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Mapped data not found.\n");
+ talloc_free(res);
+ return EOK;
+ } else if (ret != EOK) {
+ talloc_free(res);
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_object_attr failed.\n");
+ return ret;
+ }
+
+ for (c = 0; c < res->count; c++) {
+ DEBUG(SSSDBG_TRACE_ALL, "Removing mapped data from [%s].\n",
+ ldb_dn_get_linearized(res->msgs[c]->dn));
+ /* The timestamp cache is skipped on purpose here. */
+ ret = sysdb_set_cache_entry_attr(domain->sysdb->ldb, res->msgs[c]->dn,
+ mapped_attr, SYSDB_MOD_DEL);
+ if (ret != EOK) {
+ all_ok = false;
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to remove mapped data from [%s], skipping.\n",
+ ldb_dn_get_linearized(res->msgs[c]->dn));
+ }
+ }
+ talloc_free(res);
+
+ return (all_ok ? EOK : EIO);
+}
+
errno_t sysdb_remove_cert(struct sss_domain_info *domain,
const char *cert)
{
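Review bot: Only the attribute value is escaped before it is placed into the LDAP filter: the line `filter = talloc_asprintf(NULL, "(&("SYSDB_UC")(%s=%s))", mapped_attr->a[0].name, val);` runs the value through bin_to_ldap_filter_value() but inserts `mapped_attr->a[0].name` verbatim. If every caller passes a fixed sysdb attribute name that is fine, but nothing in this function enforces it, and a name containing filter metacharacters would change the meaning of the search, so the assumption is worth pinning. Since the function already restricts itself to a single attribute, a cheap guard next to the existing `num != 1` check would do, e.g. `if (strpbrk(mapped_attr->a[0].name, "()*\\") != NULL) { return EINVAL; }`, or at minimum a comment such as `/* attribute name is caller-controlled and not escaped; callers must pass a fixed sysdb attribute name */`. The `ret == ENOENT || res == NULL` branch also deserves a one-line comment explaining that a successful search returning no result object is deliberately treated as "nothing to remove".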