summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2012-11-27 13:43:42 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-01-08 14:42:56 +0100
commitf34ea77a5b87e778ece155485c36e756d5137686 (patch)
treef79e6fa45af1d36209c86d9ed34e56fbf29488d2
parentc9486b9a458be6bdbf5ab5aaf84a816419d7dcc5 (diff)
downloadsssd-f34ea77a5b87e778ece155485c36e756d5137686.tar.gz
sssd-f34ea77a5b87e778ece155485c36e756d5137686.tar.xz
sssd-f34ea77a5b87e778ece155485c36e756d5137686.zip
Remote groups do not have an original DN attribute
Groups from subdomains will not have an attribute holding the original DN because in general it will not be available. This attribute is only used by IPA HABC to improve performance and remote groups cannot be used for access control.
-rw-r--r--src/responder/pac/pacsrv_cmd.c74
1 files changed, 34 insertions, 40 deletions
diff --git a/src/responder/pac/pacsrv_cmd.c b/src/responder/pac/pacsrv_cmd.c
index 16aad5d9a..49164ab3a 100644
--- a/src/responder/pac/pacsrv_cmd.c
+++ b/src/responder/pac/pacsrv_cmd.c
@@ -320,18 +320,14 @@ static errno_t pac_user_get_grp_info(TALLOC_CTX *mem_ctx,
tmp_str = ldb_msg_find_attr_as_string(res->msgs[c + 1],
SYSDB_ORIG_DN, NULL);
- if (tmp_str == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, ("Missing original DN.\n"));
- ret = EINVAL;
- goto done;
- }
-
- current_grp_list[c].orig_dn = talloc_strdup(current_grp_list,
- tmp_str);
- if (current_grp_list[c].orig_dn == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
- ret = ENOMEM;
- goto done;
+ if (tmp_str != NULL) {
+ current_grp_list[c].orig_dn = talloc_strdup(current_grp_list,
+ tmp_str);
+ if (current_grp_list[c].orig_dn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
}
current_grp_list[c].dn = ldb_dn_copy(current_grp_list,
@@ -523,11 +519,13 @@ pac_save_memberships_delete(struct pac_save_memberships_state *state)
goto done;
}
- ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
- pr_ctx->del_grp_list[c]->orig_dn);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_string failed.\n"));
- goto done;
+ if (pr_ctx->del_grp_list[c]->orig_dn != NULL) {
+ ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
+ pr_ctx->del_grp_list[c]->orig_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_string failed.\n"));
+ goto done;
+ }
}
}
@@ -692,31 +690,27 @@ pac_store_membership(struct pac_req_ctx *pr_ctx,
}
orig_group_dn = ldb_msg_find_attr_as_string(group, SYSDB_ORIG_DN, NULL);
- if (orig_group_dn == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, ("Original DN not found.\n"));
- ret = EINVAL;
- goto done;
- }
-
- user_attrs = sysdb_new_attrs(tmp_ctx);
- if (user_attrs == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, ("sysdb_new_attrs failed.\n"));
- ret = ENOMEM;
- goto done;
- }
+ if (orig_group_dn != NULL) {
+ user_attrs = sysdb_new_attrs(tmp_ctx);
+ if (user_attrs == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sysdb_new_attrs failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
- ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
- orig_group_dn);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_string failed.\n"));
- goto done;
- }
+ ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
+ orig_group_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_string failed.\n"));
+ goto done;
+ }
- ret = sysdb_set_entry_attr(pr_ctx->dom->sysdb, user_dn, user_attrs,
- LDB_FLAG_MOD_ADD);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, ("sysdb_set_entry_attr failed.\n"));
- goto done;
+ ret = sysdb_set_entry_attr(pr_ctx->dom->sysdb, user_dn, user_attrs,
+ LDB_FLAG_MOD_ADD);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("sysdb_set_entry_attr failed.\n"));
+ goto done;
+ }
}
done: