diff options
| author | Tomas Babej <tbabej@redhat.com> | 2013-03-05 09:17:20 +0100 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2013-03-11 13:55:54 +0100 |
| commit | c282e74771bebceadb946fb539a6afbf4dc6cd77 (patch) | |
| tree | 7b9eda37ef3def9812ffed501f36458e7e3e6258 | |
| parent | 80055a281b43ee1f7068ba4a6e07dd7152ffe016 (diff) | |
| download | freeipa.git-c282e74771bebceadb946fb539a6afbf4dc6cd77.tar.gz freeipa.git-c282e74771bebceadb946fb539a6afbf4dc6cd77.tar.xz freeipa.git-c282e74771bebceadb946fb539a6afbf4dc6cd77.zip | |
Perform secondary rid range overlap check for local ranges only
Any of the following checks:
- overlap between primary RID range and secondary RID range
- overlap between secondary RID range and secondary RID range
is performed now only if both of the ranges involved are local
domain ranges.
https://fedorahosted.org/freeipa/ticket/3391
| -rw-r--r-- | daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c | 41 |
1 files changed, 25 insertions, 16 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c index 3a607636..391e2259 100644 --- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c +++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c @@ -178,6 +178,11 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2) bool rid_ranges_set = (r1->base_rid != 0 || r1->secondary_base_rid != 0) && (r2->base_rid != 0 || r2->secondary_base_rid != 0); + /** + * ipaNTTrustedDomainSID is not set for local ranges, use it to + * determine the type of the range **/ + bool local_ranges = r1->domain_id == NULL && r2->domain_id == NULL; + bool ranges_from_same_domain = (r1->domain_id == NULL && r2->domain_id == NULL) || (r1->domain_id != NULL && r2->domain_id != NULL && @@ -185,8 +190,7 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2) /** * in case rid range is not set or ranges belong to different domains - * we can skip rid range tests as they are irrelevant - */ + * we can skip rid range tests as they are irrelevant **/ if (rid_ranges_set && ranges_from_same_domain){ /* check if rid range overlaps with existing rid range */ @@ -194,20 +198,25 @@ static int ranges_overlap(struct range_info *r1, struct range_info *r2) r1->id_range_size, r2->id_range_size)) return 2; - /* check if secondary rid range overlaps with existing secondary rid range */ - if (intervals_overlap(r1->secondary_base_rid, r2->secondary_base_rid, - r1->id_range_size, r2->id_range_size)) - return 3; - - /* check if rid range overlaps with existing secondary rid range */ - if (intervals_overlap(r1->base_rid, r2->secondary_base_rid, - r1->id_range_size, r2->id_range_size)) - return 4; - - /* check if secondary rid range overlaps with existing rid range */ - if (intervals_overlap(r1->secondary_base_rid, r2->base_rid, - r1->id_range_size, r2->id_range_size)) - return 5; + /** + * The following 3 checks are relevant only if both ranges are local. + * Check if secondary rid range overlaps with existing secondary rid + * range. **/ + if (local_ranges){ + if (intervals_overlap(r1->secondary_base_rid, + r2->secondary_base_rid, r1->id_range_size, r2->id_range_size)) + return 3; + + /* check if rid range overlaps with existing secondary rid range */ + if (intervals_overlap(r1->base_rid, r2->secondary_base_rid, + r1->id_range_size, r2->id_range_size)) + return 4; + + /* check if secondary rid range overlaps with existing rid range */ + if (intervals_overlap(r1->secondary_base_rid, r2->base_rid, + r1->id_range_size, r2->id_range_size)) + return 5; + } } return 0; |