summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2011-09-21 10:39:06 +0200
committerStephen Gallagher <sgallagh@redhat.com>2011-10-06 11:08:25 -0400
commitbcec4a854de207a4f399d14f936a21edc5575683 (patch)
treeb35506c7abd26d7b5e8306e44ed50960713318fc
parentd7c7edcf4c7014dff3f84b5b56dbd4453cf608aa (diff)
downloadsssd_unused-bcec4a854de207a4f399d14f936a21edc5575683.tar.gz
sssd_unused-bcec4a854de207a4f399d14f936a21edc5575683.tar.xz
sssd_unused-bcec4a854de207a4f399d14f936a21edc5575683.zip
Better handling for aliases
Add sysdb interface to get name aliases Add a sysdb_get_direct_parents function Store name aliases for users, groups Return users and groups based on alias https://fedorahosted.org/sssd/ticket/926 Fix typo in sysdb_get_direct_parents
-rw-r--r--src/db/sysdb.c60
-rw-r--r--src/db/sysdb.h18
-rw-r--r--src/db/sysdb_search.c108
-rw-r--r--src/providers/ldap/sdap_async.c89
-rw-r--r--src/providers/ldap/sdap_async.h7
-rw-r--r--src/providers/ldap/sdap_async_accounts.c223
-rw-r--r--src/responder/pam/pam_LOCAL_domain.c5
7 files changed, 407 insertions, 103 deletions
diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index 42a4240f..a1c16318 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -2131,7 +2131,7 @@ errno_t sysdb_attrs_primary_name(struct sysdb_ctx *sysdb,
if (strcasecmp(rdn_attr, ldap_attr) != 0) {
/* Multiple entries, and the RDN attribute doesn't match.
* We have no way of resolving this deterministically,
- * so we'll punt.
+ * so we'll use the first value as a fallback.
*/
DEBUG(3, ("The entry has multiple names and the RDN attribute does "
"not match. Will use the first value as fallback.\n"));
@@ -2171,6 +2171,64 @@ done:
return ret;
}
+/*
+ * An entity with multiple names would have multiple SYSDB_NAME attributes
+ * after being translated into sysdb names using a map.
+ * Given a primary name returned by sysdb_attrs_primary_name(), this function
+ * returns the other SYSDB_NAME attribute values so they can be saved as
+ * SYSDB_NAME_ALIAS into cache.
+ */
+errno_t sysdb_attrs_get_aliases(TALLOC_CTX *mem_ctx,
+ struct sysdb_attrs *attrs,
+ const char *primary,
+ const char ***_aliases)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct ldb_message_element *sysdb_name_el;
+ size_t i, ai;
+ errno_t ret;
+ const char **aliases = NULL;
+ const char *name;
+
+ if (_aliases == NULL) return EINVAL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_attrs_get_el(attrs,
+ SYSDB_NAME,
+ &sysdb_name_el);
+ if (sysdb_name_el->num_values == 0) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ aliases = talloc_array(tmp_ctx, const char *,
+ sysdb_name_el->num_values);
+ if (!aliases) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ai = 0;
+ for (i=0; i < sysdb_name_el->num_values; i++) {
+ name = (const char *)sysdb_name_el->values[i].data;
+ if (strcmp(primary, name) != 0) {
+ aliases[ai] = name;
+ ai++;
+ }
+ }
+
+ aliases[ai] = NULL;
+ ret = EOK;
+done:
+ *_aliases = talloc_steal(mem_ctx, aliases);
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
errno_t sysdb_attrs_primary_name_list(struct sysdb_ctx *sysdb,
TALLOC_CTX *mem_ctx,
struct sysdb_attrs **attr_list,
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 68d3021e..7f2e41f9 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -46,6 +46,7 @@
#define SYSDB_NETGROUP_CLASS "netgroup"
#define SYSDB_NAME "name"
+#define SYSDB_NAME_ALIAS "nameAlias"
#define SYSDB_OBJECTCLASS "objectClass"
#define SYSDB_NEXTID "nextID"
@@ -106,15 +107,15 @@
#define SYSDB_NC "objectclass="SYSDB_NETGROUP_CLASS
#define SYSDB_MPGC "|("SYSDB_UC")("SYSDB_GC")"
-#define SYSDB_PWNAM_FILTER "(&("SYSDB_UC")("SYSDB_NAME"=%s))"
+#define SYSDB_PWNAM_FILTER "(&("SYSDB_UC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
#define SYSDB_PWUID_FILTER "(&("SYSDB_UC")("SYSDB_UIDNUM"=%lu))"
#define SYSDB_PWENT_FILTER "("SYSDB_UC")"
-#define SYSDB_GRNAM_FILTER "(&("SYSDB_GC")("SYSDB_NAME"=%s))"
+#define SYSDB_GRNAM_FILTER "(&("SYSDB_GC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
#define SYSDB_GRNA2_FILTER "(&("SYSDB_UC")("SYSDB_MEMBEROF"=%s))"
#define SYSDB_GRGID_FILTER "(&("SYSDB_GC")("SYSDB_GIDNUM"=%lu))"
#define SYSDB_GRENT_FILTER "("SYSDB_GC")"
-#define SYSDB_GRNAM_MPG_FILTER "(&("SYSDB_MPGC")("SYSDB_NAME"=%s))"
+#define SYSDB_GRNAM_MPG_FILTER "(&("SYSDB_MPGC")(|("SYSDB_NAME_ALIAS"=%s)("SYSDB_NAME"=%s)))"
#define SYSDB_GRGID_MPG_FILTER "(&("SYSDB_MPGC")("SYSDB_GIDNUM"=%lu))"
#define SYSDB_GRENT_MPG_FILTER "("SYSDB_MPGC")"
@@ -222,6 +223,10 @@ errno_t sysdb_attrs_primary_name(struct sysdb_ctx *sysdb,
struct sysdb_attrs *attrs,
const char *ldap_attr,
const char **_primary);
+errno_t sysdb_attrs_get_aliases(TALLOC_CTX *mem_ctx,
+ struct sysdb_attrs *attrs,
+ const char *primary,
+ const char ***_aliases);
errno_t sysdb_attrs_primary_name_list(struct sysdb_ctx *sysdb,
TALLOC_CTX *mem_ctx,
struct sysdb_attrs **attr_list,
@@ -735,4 +740,11 @@ errno_t sysdb_remove_attrs(struct sysdb_ctx *sysdb,
enum sysdb_member_type type,
char **remove_attrs);
+errno_t sysdb_get_direct_parents(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *dom,
+ enum sysdb_member_type mtype,
+ const char *name,
+ char ***_direct_parents);
+
#endif /* __SYS_DB_H__ */
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index dfae4ddf..9c386cae 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -63,7 +63,7 @@ int sysdb_getpwnam(TALLOC_CTX *mem_ctx,
ret = ldb_search(ctx->ldb, tmpctx, &res, base_dn,
LDB_SCOPE_SUBTREE, attrs, SYSDB_PWNAM_FILTER,
- sanitized_name);
+ sanitized_name, sanitized_name);
if (ret) {
ret = sysdb_error_to_errno(ret);
goto done;
@@ -248,7 +248,7 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
ret = ldb_search(ctx->ldb, tmpctx, &res, base_dn,
LDB_SCOPE_SUBTREE, attrs, fmt_filter,
- sanitized_name);
+ sanitized_name, sanitized_name);
if (ret) {
ret = sysdb_error_to_errno(ret);
goto done;
@@ -512,7 +512,8 @@ int sysdb_get_user_attr(TALLOC_CTX *mem_ctx,
ret = ldb_search(ctx->ldb, tmpctx, &res, base_dn,
LDB_SCOPE_SUBTREE, attributes,
- SYSDB_PWNAM_FILTER, sanitized_name);
+ SYSDB_PWNAM_FILTER, sanitized_name,
+ sanitized_name);
if (ret) {
ret = sysdb_error_to_errno(ret);
goto done;
@@ -888,3 +889,104 @@ done:
talloc_zfree(tmpctx);
return ret;
}
+
+errno_t sysdb_get_direct_parents(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *dom,
+ enum sysdb_member_type mtype,
+ const char *name,
+ char ***_direct_parents)
+{
+ errno_t ret;
+ const char *dn;
+ struct ldb_dn *basedn;
+ static const char *group_attrs[] = { SYSDB_NAME, NULL };
+ const char *member_filter;
+ size_t direct_sysdb_count = 0;
+ struct ldb_message **direct_sysdb_groups = NULL;
+ char **direct_parents = NULL;
+ TALLOC_CTX *tmp_ctx = NULL;
+ int i, pi;
+ const char *tmp_str;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ if (mtype == SYSDB_MEMBER_USER) {
+ dn = sysdb_user_strdn(tmp_ctx, dom->name, name);
+ } else if (mtype == SYSDB_MEMBER_GROUP) {
+ dn = sysdb_group_strdn(tmp_ctx, dom->name, name);
+ } else {
+ DEBUG(1, ("Unknown member type\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (!dn) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ member_filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)(%s=%s))",
+ SYSDB_OBJECTCLASS, SYSDB_GROUP_CLASS,
+ SYSDB_MEMBER, dn);
+ if (!member_filter) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ basedn = ldb_dn_new_fmt(tmp_ctx, sysdb_ctx_get_ldb(sysdb),
+ SYSDB_TMPL_GROUP_BASE, dom->name);
+ if (!basedn) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(8, ("searching sysdb with filter [%s]\n", member_filter));
+
+ ret = sysdb_search_entry(tmp_ctx, sysdb, basedn,
+ LDB_SCOPE_SUBTREE, member_filter, group_attrs,
+ &direct_sysdb_count, &direct_sysdb_groups);
+ if (ret == ENOENT) {
+ direct_sysdb_count = 0;
+ } else if (ret != EOK && ret != ENOENT) {
+ DEBUG(2, ("sysdb_search_entry failed: [%d]: %s\n",
+ ret, strerror(ret)));
+ goto done;
+ }
+
+ /* EOK */
+ /* Get the list of sysdb groups by name */
+ direct_parents = talloc_array(tmp_ctx, char *, direct_sysdb_count+1);
+ if (!direct_parents) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ pi = 0;
+ for(i = 0; i < direct_sysdb_count; i++) {
+ tmp_str = ldb_msg_find_attr_as_string(direct_sysdb_groups[i],
+ SYSDB_NAME, NULL);
+ if (!tmp_str) {
+ /* This should never happen, but if it does, just continue */
+ continue;
+ }
+
+ direct_parents[pi] = talloc_strdup(direct_parents, tmp_str);
+ if (!direct_parents[pi]) {
+ DEBUG(1, ("A group with no name?\n"));
+ ret = EIO;
+ goto done;
+ }
+ pi++;
+ }
+ direct_parents[pi] = NULL;
+
+ DEBUG(7, ("%s is a member of %d sysdb groups\n",
+ name, direct_sysdb_count));
+ *_direct_parents = talloc_steal(mem_ctx, direct_parents);
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 0192f08a..46760b51 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -1073,3 +1073,92 @@ int sdap_get_generic_recv(struct tevent_req *req,
return EOK;
}
+errno_t sdap_check_aliases(struct sysdb_ctx *sysdb,
+ struct sysdb_attrs *user_attrs,
+ struct sss_domain_info *dom,
+ struct sdap_options *opts,
+ bool steal_memberships)
+{
+ errno_t ret;
+ const char **aliases = NULL;
+ const char *name = NULL;
+ struct ldb_message *msg;
+ TALLOC_CTX *tmp_ctx = NULL;
+ char **parents;
+ uid_t alias_uid;
+ int i;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ ret = sysdb_attrs_primary_name(sysdb, user_attrs,
+ opts->user_map[SDAP_AT_USER_NAME].name,
+ &name);
+ if (ret != EOK) {
+ DEBUG(1, ("Could not get the primary name\n"));
+ goto done;
+ }
+
+ ret = sysdb_attrs_get_aliases(tmp_ctx, user_attrs, name, &aliases);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to get the alias list\n"));
+ goto done;
+ }
+
+ for (i = 0; aliases[i]; i++) {
+ /* In RFC2307 schema, another group might be referencing user
+ * using secondary name, so there might be fake users in the cache
+ * from a previous getgr call */
+ ret = sysdb_search_user_by_name(tmp_ctx, sysdb, dom,
+ aliases[i], NULL, &msg);
+ if (ret && ret != ENOENT) {
+ DEBUG(1, ("Error searching the cache\n"));
+ goto done;
+ } else if (ret == ENOENT) {
+ DEBUG(9, ("No user with primary name same as alias %s\n", aliases[i]));
+ continue;
+ }
+
+ alias_uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0);
+ if (alias_uid) {
+ DEBUG(1, ("Cache contains non-fake user with same name "
+ "as alias %s\n", aliases[i]));
+ ret = EIO;
+ goto done;
+ }
+ DEBUG(7, ("%s is a fake user\n", aliases[i]));
+
+ if (steal_memberships) {
+ /* Get direct sysdb parents */
+ ret = sysdb_get_direct_parents(tmp_ctx, sysdb, dom,
+ SYSDB_MEMBER_USER,
+ aliases[i], &parents);
+ if (ret) {
+ DEBUG(1, ("Could not get direct parents for %s: %d [%s]\n",
+ aliases[i], ret, strerror(ret)));
+ goto done;
+ }
+
+ ret = sysdb_update_members(sysdb, dom, name, SYSDB_MEMBER_USER,
+ (const char *const *) parents,
+ NULL);
+ if (ret != EOK) {
+ DEBUG(1, ("Membership update failed [%d]: %s\n",
+ ret, strerror(ret)));
+ goto done;
+ }
+ }
+
+ ret = sysdb_delete_user(tmp_ctx, sysdb, dom, aliases[i], alias_uid);
+ if (ret) {
+ DEBUG(1, ("Error deleting fake user %s\n", aliases[i]));
+ goto done;
+ }
+ }
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 84a23be9..346940b0 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -151,4 +151,11 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx,
int sdap_get_generic_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx, size_t *reply_count,
struct sysdb_attrs ***reply_list);
+
+errno_t sdap_check_aliases(struct sysdb_ctx *sysdb,
+ struct sysdb_attrs *user_attrs,
+ struct sss_domain_info *dom,
+ struct sdap_options *opts,
+ bool steal_memberships);
+
#endif /* _SDAP_ASYNC_H_ */
diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c
index 397b1c7d..0ef5b40b 100644
--- a/src/providers/ldap/sdap_async_accounts.c
+++ b/src/providers/ldap/sdap_async_accounts.c
@@ -55,6 +55,7 @@ static int sdap_save_user(TALLOC_CTX *memctx,
char *usn_value = NULL;
size_t c;
char **missing = NULL;
+ const char **aliases = NULL;
TALLOC_CTX *tmpctx = NULL;
DEBUG(9, ("Save user\n"));
@@ -281,6 +282,20 @@ static int sdap_save_user(TALLOC_CTX *memctx,
}
}
+ ret = sysdb_attrs_get_aliases(tmpctx, attrs, name, &aliases);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to get the alias list"));
+ goto fail;
+ }
+
+ for (i = 0; aliases[i]; i++) {
+ ret = sysdb_attrs_add_string(user_attrs, SYSDB_NAME_ALIAS,
+ aliases[i]);
+ if (ret) {
+ goto fail;
+ }
+ }
+
/* Make sure that any attributes we requested from LDAP that we
* did not receive are also removed from the sysdb
*/
@@ -366,6 +381,12 @@ static int sdap_save_users(TALLOC_CTX *memctx,
DEBUG(9, ("User %d processed!\n", i));
}
+ ret = sdap_check_aliases(sysdb, users[i], dom,
+ opts, true);
+ if (ret) {
+ DEBUG(2, ("Failed to check aliases for user %d. Ignoring.\n", i));
+ }
+
if (usn_value) {
if (higher_usn) {
if ((strlen(usn_value) > strlen(higher_usn)) ||
@@ -710,9 +731,11 @@ static int sdap_save_group(TALLOC_CTX *memctx,
const char *name = NULL;
gid_t gid;
int ret;
+ int i;
char *usn_value = NULL;
TALLOC_CTX *tmpctx = NULL;
bool posix_group;
+ const char **aliases = NULL;
tmpctx = talloc_new(memctx);
if (!tmpctx) {
@@ -855,6 +878,20 @@ static int sdap_save_group(TALLOC_CTX *memctx,
}
}
+ ret = sysdb_attrs_get_aliases(tmpctx, attrs, name, &aliases);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to get the alias list\n"));
+ goto fail;
+ }
+
+ for (i = 0; aliases[i]; i++) {
+ ret = sysdb_attrs_add_string(group_attrs, SYSDB_NAME_ALIAS,
+ aliases[i]);
+ if (ret) {
+ goto fail;
+ }
+ }
+
DEBUG(6, ("Storing info for group %s\n", name));
ret = sdap_store_group_with_gid(group_attrs, ctx, dom,
@@ -1211,6 +1248,10 @@ sdap_process_missing_member_2307bis(struct tevent_req *req,
int num_users);
static int
+sdap_add_group_member_2307(struct sdap_process_group_state *state,
+ const char *username);
+
+static int
sdap_process_group_members_2307bis(struct tevent_req *req,
struct sdap_process_group_state *state,
struct ldb_message_element *memberel)
@@ -1304,7 +1345,6 @@ sdap_process_group_members_2307(struct sdap_process_group_state *state,
struct ldb_message *msg;
bool in_transaction = false;
char *member_name;
- char *strdn;
int ret;
errno_t sret;
int i;
@@ -1319,23 +1359,17 @@ sdap_process_group_members_2307(struct sdap_process_group_state *state,
state->dom, member_name,
NULL, &msg);
if (ret == EOK) {
- strdn = sysdb_user_strdn(state->sysdb_dns->values,
- state->dom->name,
- member_name);
- if (!strdn) {
- ret = ENOMEM;
+ /*
+ * User already cached in sysdb. Remember the sysdb DN for later
+ * use by sdap_save_groups()
+ */
+ DEBUG(7, ("Member already cached in sysdb: %s\n", member_name));
+
+ ret = sdap_add_group_member_2307(state, member_name);
+ if (ret != EOK) {
+ DEBUG(1, ("Could not add member %s into sysdb\n", member_name));
goto done;
}
- /*
- * User already cached in sysdb. Remember the sysdb DN for later
- * use by sdap_save_groups()
- */
- DEBUG(7,("Member already cached in sysdb: %s\n", strdn));
- state->sysdb_dns->values[state->sysdb_dns->num_values].data =
- (uint8_t *) strdn;
- state->sysdb_dns->values[state->sysdb_dns->num_values].length =
- strlen(strdn);
- state->sysdb_dns->num_values++;
} else if (ret == ENOENT) {
/* The user is not in sysdb, need to add it */
DEBUG(7, ("member #%d (%s): not found in sysdb\n",
@@ -1436,17 +1470,73 @@ sdap_process_missing_member_2307bis(struct tevent_req *req,
}
static int
+sdap_add_group_member_2307(struct sdap_process_group_state *state,
+ const char *username)
+{
+ char *strdn;
+
+ strdn = sysdb_user_strdn(state->sysdb_dns->values,
+ state->dom->name, username);
+ if (!strdn) {
+ return ENOMEM;
+ }
+
+ state->sysdb_dns->values[state->sysdb_dns->num_values].data =
+ (uint8_t *) strdn;
+ state->sysdb_dns->values[state->sysdb_dns->num_values].length =
+ strlen(strdn);
+ state->sysdb_dns->num_values++;
+
+ return EOK;
+}
+
+static int
sdap_process_missing_member_2307(struct sdap_process_group_state *state,
- char *username, bool *in_transaction)
+ char *member_name, bool *in_transaction)
{
int ret, sret;
- struct ldb_dn *dn;
- char* dn_string;
-
- DEBUG(7, ("Adding a dummy entry\n"));
+ TALLOC_CTX *tmp_ctx;
+ const char *filter;
+ const char *username;
+ size_t count;
+ struct ldb_message **msgs = NULL;
+ static const char *attrs[] = { SYSDB_NAME, NULL };
if (!in_transaction) return EINVAL;
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ /* Check for the alias in the sysdb */
+ filter = talloc_asprintf(tmp_ctx, "(%s=%s)", SYSDB_NAME_ALIAS, member_name);
+ if (!filter) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ ret = sysdb_search_users(tmp_ctx, state->sysdb, state->dom,
+ filter, attrs, &count, &msgs);
+ if (ret == EOK && count > 0) {
+ /* Entry exists but the group references it with an alias. */
+
+ if (count != 1) {
+ DEBUG(1, ("More than one entry with this alias?\n"));
+ ret = EIO;
+ goto fail;
+ }
+
+ /* fill username with primary name */
+ username = ldb_msg_find_attr_as_string(msgs[0], SYSDB_NAME, NULL);
+ goto done;
+ } else if (ret != EOK && ret != ENOENT) {
+ ret = EIO;
+ goto fail;
+ }
+
+ username = member_name;
+ /* The entry really does not exist, add a fake entry */
+ DEBUG(7, ("Adding a dummy entry\n"));
+
if (!*in_transaction) {
ret = sysdb_transaction_start(state->sysdb);
if (ret != EOK) {
@@ -1468,27 +1558,17 @@ sdap_process_missing_member_2307(struct sdap_process_group_state *state,
* Convert the just received DN into the corresponding sysdb DN
* for saving into member attribute of the group
*/
- dn = sysdb_user_dn(state->sysdb, state, state->dom->name,
- (char*) username);
- if (!dn) {
- ret = ENOMEM;
- goto fail;
- }
-
- dn_string = ldb_dn_alloc_linearized(state->sysdb_dns->values, dn);
- if (!dn_string) {
- ret = ENOMEM;
+done:
+ ret = sdap_add_group_member_2307(state, username);
+ if (ret != EOK) {
+ DEBUG(1, ("Could not add group member %s\n", username));
goto fail;
}
- state->sysdb_dns->values[state->sysdb_dns->num_values].data =
- (uint8_t *) dn_string;
- state->sysdb_dns->values[state->sysdb_dns->num_values].length =
- strlen(dn_string);
- state->sysdb_dns->num_values++;
-
+ talloc_free(tmp_ctx);
return EOK;
fail:
+ talloc_free(tmp_ctx);
if (*in_transaction) {
sret = sysdb_transaction_cancel(state->sysdb);
if (sret == EOK) {
@@ -2702,20 +2782,13 @@ static int sdap_initgr_nested_store_group(struct sysdb_ctx *sysdb,
int ngroups)
{
TALLOC_CTX *tmp_ctx;
- const char *member_filter;
const char *group_orig_dn;
const char *group_name;
- const char *group_dn;
int ret;
- int i;
- struct ldb_message **direct_sysdb_groups = NULL;
- size_t direct_sysdb_count = 0;
- static const char *group_attrs[] = { SYSDB_NAME, NULL };
struct ldb_dn *basedn;
int ndirect;
struct sysdb_attrs **direct_groups;
char **sysdb_grouplist = NULL;
- const char *tmp_str;
tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) return ENOMEM;
@@ -2741,58 +2814,13 @@ static int sdap_initgr_nested_store_group(struct sysdb_ctx *sysdb,
}
/* Get direct sysdb parents */
- group_dn = sysdb_group_strdn(tmp_ctx, dom->name, group_name);
- if (!group_dn) {
- ret = ENOMEM;
- goto done;
- }
-
- member_filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)(%s=%s))",
- SYSDB_OBJECTCLASS, SYSDB_GROUP_CLASS,
- SYSDB_MEMBER, group_dn);
- if (!member_filter) {
- ret = ENOMEM;
- goto done;
- }
-
- DEBUG(8, ("searching sysdb with filter %s\n", member_filter));
-
- ret = sysdb_search_entry(tmp_ctx, sysdb, basedn,
- LDB_SCOPE_SUBTREE, member_filter, group_attrs,
- &direct_sysdb_count, &direct_sysdb_groups);
- if (ret == EOK) {
- /* Get the list of sysdb groups by name */
- sysdb_grouplist = talloc_array(tmp_ctx, char *, direct_sysdb_count+1);
- if (!sysdb_grouplist) {
- ret = ENOMEM;
- goto done;
- }
-
- for(i = 0; i < direct_sysdb_count; i++) {
- tmp_str = ldb_msg_find_attr_as_string(direct_sysdb_groups[i],
- SYSDB_NAME, NULL);
- if (!tmp_str) {
- /* This should never happen, but if it does, just continue */
- continue;
- }
-
- sysdb_grouplist[i] = talloc_strdup(sysdb_grouplist, tmp_str);
- if (!sysdb_grouplist[i]) {
- DEBUG(1, ("A group with no name?\n"));
- ret = EIO;
- goto done;
- }
- }
- sysdb_grouplist[i] = NULL;
- } else if (ret == ENOENT) {
- direct_sysdb_groups = NULL;
- direct_sysdb_count = 0;
- } else {
- DEBUG(2, ("sysdb_search_entry failed: [%d]: %s\n", ret, strerror(ret)));
+ ret = sysdb_get_direct_parents(tmp_ctx, sysdb, dom, SYSDB_MEMBER_GROUP,
+ group_name, &sysdb_grouplist);
+ if (ret) {
+ DEBUG(1, ("Could not get direct parents for %s: %d [%s]\n",
+ group_name, ret, strerror(ret)));
goto done;
}
- DEBUG(7, ("The group %s is a member of %d sysdb groups\n",
- group_name, direct_sysdb_count));
/* Filter only parents from full set */
ret = sdap_initgr_nested_get_direct_parents(tmp_ctx, group, groups,
@@ -3059,6 +3087,13 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
switch (state->opts->schema_type) {
case SDAP_SCHEMA_RFC2307:
+ ret = sdap_check_aliases(state->sysdb, state->orig_user, state->dom,
+ state->opts, false);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
subreq = sdap_initgr_rfc2307_send(state, state->ev, state->opts,
state->sysdb, state->dom, state->sh,
dp_opt_get_string(state->opts->basic,
diff --git a/src/responder/pam/pam_LOCAL_domain.c b/src/responder/pam/pam_LOCAL_domain.c
index 6e0631aa..ba8a77f8 100644
--- a/src/responder/pam/pam_LOCAL_domain.c
+++ b/src/responder/pam/pam_LOCAL_domain.c
@@ -265,11 +265,12 @@ int LOCAL_pam_handler(struct pam_auth_req *preq)
if (res->count < 1) {
DEBUG(4, ("No user found with filter ["SYSDB_PWNAM_FILTER"]\n",
- pd->user));
+ pd->user, pd->user));
pd->pam_status = PAM_USER_UNKNOWN;
goto done;
} else if (res->count > 1) {
- DEBUG(4, ("More than one object found with filter ["SYSDB_PWNAM_FILTER"]\n"));
+ DEBUG(4, ("More than one object found with filter ["SYSDB_PWNAM_FILTER"]\n",
+ pd->user, pd->user));
lreq->error = EFAULT;
goto done;
}