summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/db/sysdb.h3
-rw-r--r--src/db/sysdb_ops.c71
-rw-r--r--src/providers/ipa/ipa_subdomains_id.c24
3 files changed, 94 insertions, 4 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 609921f..15cf944 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -946,6 +946,9 @@ int sysdb_mod_group_member(struct sss_domain_info *domain,
struct ldb_dn *group_dn,
int mod_op);
+errno_t sysdb_refresh_group_memberships(struct sss_domain_info *dom,
+ struct ldb_dn *dn);
+
int sysdb_store_user(struct sss_domain_info *domain,
const char *name,
const char *pwd,
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 4755ea3..60bd746 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2290,6 +2290,77 @@ fail:
return ret;
}
+errno_t sysdb_refresh_group_memberships(struct sss_domain_info *dom,
+ struct ldb_dn *dn)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = { SYSDB_MEMBEROF, NULL };
+ size_t msgs_count;
+ struct ldb_message **msgs;
+ struct ldb_message_element *groups;
+ size_t c;
+ struct ldb_dn *group_dn;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sysdb_search_entry(tmp_ctx, dom->sysdb, dn, LDB_SCOPE_BASE, NULL,
+ attrs, &msgs_count, &msgs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed for [%s].\n",
+ ldb_dn_get_linearized(dn));
+ goto done;
+ }
+
+ if (msgs_count != 1) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Expected 1 result for base search, got [%d].\n", msgs_count);
+ ret = EINVAL;
+ goto done;
+ }
+
+ groups = ldb_msg_find_element(msgs[0], SYSDB_MEMBEROF);
+ if (groups == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "[%s] is not member of any group.\n",
+ ldb_dn_get_linearized(dn));
+ ret = EOK;
+ goto done;
+ }
+
+ for (c = 0; c < groups->num_values; c++) {
+ group_dn = ldb_dn_from_ldb_val(tmp_ctx, dom->sysdb->ldb,
+ &groups->values[c]);
+ if (group_dn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_from_ldb_val failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_mod_group_member(dom, dn, group_dn, SYSDB_MOD_DEL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_mod_group_member SYSDB_MOD_DEL failed.\n");
+ goto done;
+ }
+ ret = sysdb_mod_group_member(dom, dn, group_dn, SYSDB_MOD_ADD);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_mod_group_member SYSDB_MOD_ADD failed.\n");
+ goto done;
+ }
+ }
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
/* =Add-Basic-Netgroup-NO-CHECKS============================================= */
int sysdb_add_basic_netgroup(struct sss_domain_info *domain,
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 60245d8..7990d8c 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -629,6 +629,7 @@ struct ipa_get_ad_acct_state {
char *object_sid;
struct sysdb_attrs *override_attrs;
struct ldb_message *obj_msg;
+ struct ldb_message_element *ghosts;
};
static void ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq);
@@ -1208,7 +1209,6 @@ static errno_t ipa_check_ghost_members(struct tevent_req *req)
struct ipa_get_ad_acct_state);
errno_t ret;
struct tevent_req *subreq;
- struct ldb_message_element *ghosts = NULL;
if (state->obj_msg == NULL) {
@@ -1224,14 +1224,14 @@ static errno_t ipa_check_ghost_members(struct tevent_req *req)
}
}
- ghosts = ldb_msg_find_element(state->obj_msg, SYSDB_GHOST);
+ state->ghosts = ldb_msg_find_element(state->obj_msg, SYSDB_GHOST);
- if (ghosts != NULL) {
+ if (state->ghosts != NULL) {
/* Resolve ghost members */
subreq = ipa_resolve_user_list_send(state, state->ev,
state->ipa_ctx,
state->obj_dom->name,
- ghosts);
+ state->ghosts);
if (subreq == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "ipa_resolve_user_list_send failed.\n");
return ENOMEM;
@@ -1275,6 +1275,7 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
size_t groups_count = 0;
struct ldb_message **groups = NULL;
const char *attrs[] = SYSDB_INITGR_ATTRS;
+ const char *overide_name;
if (state->override_attrs != NULL) {
/* We are in ipa-server-mode, so the view is the default view by
@@ -1312,6 +1313,21 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
}
}
+
+ /* check if there is a override name which should replace the orignal
+ * name in the memberUid sttribute. */
+ ret = sysdb_attrs_get_string(state->override_attrs, SYSDB_NAME,
+ &overide_name);
+ if (ret == EOK) {
+ ret = sysdb_refresh_group_memberships(state->obj_dom,
+ state->obj_msg->dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_replace_override_name_in_memberuid failed, "
+ "ignored, member names might not show overrides.\n");
+ }
+ }
+
/* Replace ID with name in search filter */
if ((entry_type == BE_REQ_USER && state->ar->filter_type == BE_FILTER_IDNUM)
|| (entry_type == BE_REQ_INITGROUPS