author | Sumit Bose <sbose@redhat.com> | 2012-11-27 13:43:42 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-01-08 14:42:56 +0100 |
commit | f34ea77a5b87e778ece155485c36e756d5137686 (patch) | |
tree | f79e6fa45af1d36209c86d9ed34e56fbf29488d2 | |
parent | c9486b9a458be6bdbf5ab5aaf84a816419d7dcc5 (diff) | |
Remote groups do not have an original DN attribute
Groups from subdomains will not have an attribute holding the original
DN because in general it will not be available. This attribute is only
used by IPA HBAC to improve performance, and remote groups cannot be used
for access control.
-rw-r--r-- | src/responder/pac/pacsrv_cmd.c | 74 |
1 files changed, 34 insertions, 40 deletions
diff --git a/src/responder/pac/pacsrv_cmd.c b/src/responder/pac/pacsrv_cmd.c
index 16aad5d9a..49164ab3a 100644
--- a/src/responder/pac/pacsrv_cmd.c
+++ b/src/responder/pac/pacsrv_cmd.c
@@ -320,18 +320,14 @@ static errno_t pac_user_get_grp_info(TALLOC_CTX *mem_ctx,
         tmp_str = ldb_msg_find_attr_as_string(res->msgs[c + 1],
                                               SYSDB_ORIG_DN, NULL);
-        if (tmp_str == NULL) {
-            DEBUG(SSSDBG_OP_FAILURE, ("Missing original DN.\n"));
-            ret = EINVAL;
-            goto done;
-        }
-
-        current_grp_list[c].orig_dn = talloc_strdup(current_grp_list,
-                                                    tmp_str);
-        if (current_grp_list[c].orig_dn == NULL) {
-            DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
-            ret = ENOMEM;
-            goto done;
+        if (tmp_str != NULL) {
+            current_grp_list[c].orig_dn = talloc_strdup(current_grp_list,
+                                                        tmp_str);
+            if (current_grp_list[c].orig_dn == NULL) {
+                DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
+                ret = ENOMEM;
+                goto done;
+            }
         }
         current_grp_list[c].dn = ldb_dn_copy(current_grp_list,
@@ -523,11 +519,13 @@ pac_save_memberships_delete(struct pac_save_memberships_state *state)
             goto done;
         }
-        ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
-                                     pr_ctx->del_grp_list[c]->orig_dn);
-        if (ret != EOK) {
-            DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_string failed.\n"));
-            goto done;
+        if (pr_ctx->del_grp_list[c]->orig_dn != NULL) {
+            ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
+                                         pr_ctx->del_grp_list[c]->orig_dn);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_string failed.\n"));
+                goto done;
+            }
         }
     }
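Review bot: With the new `if (tmp_str != NULL)` guard, `current_grp_list[c].orig_dn` is never written for a group that lacks SYSDB_ORIG_DN, so the `orig_dn != NULL` test added in the pac_save_memberships_delete hunk of the same file is only sound if the array was zero-initialised. The allocation of current_grp_list lies outside this hunk; if it is a plain talloc_array rather than talloc_zero_array, the field is indeterminate and the later check can hand an arbitrary pointer to sysdb_attrs_add_string. Setting `current_grp_list[c].orig_dn = NULL;` before the lookup removes that dependency on the allocator and documents the "no original DN" state in place. pac_user_get_grp_info's body starts and ends outside the hunk.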
@@ -692,31 +690,27 @@ pac_store_membership(struct pac_req_ctx *pr_ctx,
     }
     orig_group_dn = ldb_msg_find_attr_as_string(group, SYSDB_ORIG_DN, NULL);
-    if (orig_group_dn == NULL) {
-        DEBUG(SSSDBG_OP_FAILURE, ("Original DN not found.\n"));
-        ret = EINVAL;
-        goto done;
-    }
-
-    user_attrs = sysdb_new_attrs(tmp_ctx);
-    if (user_attrs == NULL) {
-        DEBUG(SSSDBG_OP_FAILURE, ("sysdb_new_attrs failed.\n"));
-        ret = ENOMEM;
-        goto done;
-    }
+    if (orig_group_dn != NULL) {
+        user_attrs = sysdb_new_attrs(tmp_ctx);
+        if (user_attrs == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE, ("sysdb_new_attrs failed.\n"));
+            ret = ENOMEM;
+            goto done;
+        }
-    ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
-                                 orig_group_dn);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_string failed.\n"));
-        goto done;
-    }
+        ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
+                                     orig_group_dn);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_string failed.\n"));
+            goto done;
+        }
-    ret = sysdb_set_entry_attr(pr_ctx->dom->sysdb, user_dn, user_attrs,
-                               LDB_FLAG_MOD_ADD);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, ("sysdb_set_entry_attr failed.\n"));
-        goto done;
+        ret = sysdb_set_entry_attr(pr_ctx->dom->sysdb, user_dn, user_attrs,
+                                   LDB_FLAG_MOD_ADD);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, ("sysdb_set_entry_attr failed.\n"));
+            goto done;
+        }
     }
 done:
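Review bot: When orig_group_dn is NULL the rewritten block falls through to `done:` with no diagnostic, so a local IPA group that unexpectedly lacks SYSDB_ORIG_DN (the case the description says HBAC relies on) now fails silently instead of with the old EINVAL. An else branch with a low-severity message, `DEBUG(SSSDBG_TRACE_FUNC, ("Group has no original DN, not updating user memberships.\n"));`, keeps remote groups quiet at default log levels while leaving a trace for the misconfigured local case. The value of ret reaching `done:` on that path is whatever the preceding call left in it; the context lines suggest EOK but that assignment is outside the hunk and worth confirming. pac_store_membership's body starts outside the hunk.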