| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Currently a new override for a non-default view cannot be displayed at
run-time. It does not only require a restart, but the view must even be
un-applied and applied again to make the changes visible.
This patch fixes this and makes non-default view behave like the default
view where the data from a newly added override are displayed after the
cached entry of the related object is expired.
Resolves https://fedorahosted.org/sssd/ticket/3092
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Functions sysdb_user_base_dn() and sysdb_group_base_dn() expect
that struct sss_domain_info contains a pointer to struct sysdb_ctx.
This is not true in the case of the sysdb_upgrade functions.
This patch fixes the situation and reverts the code to the state before
commit 12a000c8c7c07259e438fb1e992134bdd07d9a30.
Resolves:
https://fedorahosted.org/sssd/ticket/3023
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
sudo expects the same name in the sudo rule as the login name. Therefore
if a fully qualified name is used or even enforced by setting
use_fully_qualified_names to true or by forcing a default domain
with default_domain_suffix, sssd is able to correctly return the
rules but sudo can't match the user with the content of the sudoUser
attribute since it is not qualified.
This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match the current user name, id or groups and
replace the sudoUser attribute with sudoUser: #uid.
2. We fetch complementary rules that contain netgroups since it is
expected we don't have information about existing netgroups in the
cache; sudo still needs to evaluate them for us if needed.
This patch also removes the test for sysdb_get_sudo_filter since it wasn't
sufficient anyway and I did not rewrite it since I don't think it
is a good thing to have filter tests that depend on exact filter
order.
Resolves:
https://fedorahosted.org/sssd/ticket/2919
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
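The two-step rewrite described in the message above, as an added illustration in Python. This is example code written for this page, not SSSD's own (C) responder or sysdb code; the sudoRole-style rule dicts, the sample user and the helper names are constructed for the example. `name` is the unqualified name the responder has already resolved for the user, so the rewrite to `#uid` is what makes sudo's match independent of whether the login name was qualified.

```python
"""Illustration of the two-step sudo rule rewrite described in the commit
message above. Standalone example code, not SSSD's sysdb or responder code;
the rules below are constructed sudoRole-style entries."""

# Constructed sample rules. sudoUser values follow the sudoers LDAP
# conventions: login name, "%group", "+netgroup", "#uid" or "ALL".
RULES = [
    {"cn": "all-rule",     "sudoUser": ["ALL"],    "sudoCommand": ["/usr/bin/id"]},
    {"cn": "admin-rule",   "sudoUser": ["admin"],  "sudoCommand": ["ALL"]},
    {"cn": "wheel-rule",   "sudoUser": ["%wheel"], "sudoCommand": ["/usr/bin/systemctl"]},
    {"cn": "ops-netgroup", "sudoUser": ["+ops"],   "sudoCommand": ["/usr/sbin/reboot"]},
    {"cn": "uid-rule",     "sudoUser": ["#1000"],  "sudoCommand": ["/usr/bin/less"]},
    {"cn": "bob-rule",     "sudoUser": ["bob"],    "sudoCommand": ["ALL"]},
]


def _matches_user(value, name, uid, groups):
    """Does one sudoUser value match the user by name, uid or group?
    Netgroups are deliberately not matched here (see step 2)."""
    if value == "ALL":
        return True
    if value.startswith("#"):
        return value[1:].isdigit() and int(value[1:]) == uid
    if value.startswith("%"):
        return value[1:] in groups
    if value.startswith("+"):
        return False
    return value == name


def rules_for_user(rules, name, uid, groups):
    """Step 1: every rule matching the user's short name, uid or groups,
    returned as a copy whose sudoUser is replaced by "#uid". sudo then
    compares the numeric uid, so the form of the login name no longer
    matters. The input rules are left unmodified."""
    out = []
    for rule in rules:
        if any(_matches_user(v, name, uid, groups) for v in rule["sudoUser"]):
            rewritten = dict(rule)
            rewritten["sudoUser"] = ["#%d" % uid]
            out.append(rewritten)
    return out


def netgroup_rules(rules):
    """Step 2: rules referencing a netgroup are returned untouched, because
    netgroup membership is not in the cache and sudo must evaluate it."""
    return [r for r in rules if any(v.startswith("+") for v in r["sudoUser"])]


def rules_to_return(rules, name, uid, groups):
    """What gets handed to sudo: the step 1 result followed by the
    complementary netgroup rules that were not already matched."""
    matched = rules_for_user(rules, name, uid, groups)
    seen = {r["cn"] for r in matched}
    return matched + [r for r in netgroup_rules(rules) if r["cn"] not in seen]
```

Note that a rule matched through `ALL` or a group is also rewritten to `#uid`; since the result set is computed per user that does not widen what sudo grants, it only removes the name comparison from sudo's side.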
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
and override objects
Runs a sysdb upgrade that changes objects that represent users, groups,
sudo rules and overrides to the new schema, which uses the fully
qualified names.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
When the cache is upgraded, we want to avoid upgrading the timestamps
cache, because it was only introduced recently in Beta, so it doesn't
make sense to write complex code to change the format.
This patch rather removes the cache during upgrade; it will be recreated
with later lookups anyway.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
This patch fixes several issues introduced during the recent sysdb
upgrade:
1) The upgrade code often accesses sysdb->ldb, but at this point,
the ldb pointer might not be initialized yet. As a kind of an ugly,
yet functional workaround, we pass in the ldb pointer that we
received from the caller as part of the sysdb structure.
2) the version that sysdb_domain_cache_upgrade() returns is not a
talloc pointer, so the upgrade was crashing when we tried to steal
it.
3) the ldb pointer sysdb_cache_connect() returns was kept allocated
on the tmp_ctx. We need to steal it instead.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
We decide on whether to upgrade or not based on a pointer value, not a
boolean. This pointer points to a structure that the upgrade invoker
(typically the monitor) can use to fill in auxiliary data the sysdb upgrade
has no means of instantiating.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
The function sysdb_init() is never used to allow upgrade, so the
allow_upgrade parameter was pointless.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
sysdb_add_group_member_overrides
Because all users and groups are stored the same way in sysdb, we can
avoid parsing and unparsing the name with NSS functions and instead just
grab the name from the FQDN in the cache.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Adds a utility function the LDAP provider can use. This is different
from sss_create_internal_fqname_list in the sense that the LDAP provider
passes in the attribute name that contains the name attribute value.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
case subdomain users
All user and group names use the same unified format in the cache, so
there's no need to special-case subdomains and create different names
for the main domain and a subdomain.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
All user and group names are standardized to be fully qualified, so
there's no need to provide per-domain names anymore.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
This patch infers the member domain from the FQDN to allow the function
to add group members from different domains.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Passing the address of an unsigned to the output argument of type size_t causes
an out-of-bounds access for the type unsigned and wrong data
on big endian. It looks like the functions sysdb_search_ts_{users,groups}
need to store results in a struct ldb_result anyway for further processing.
Therefore it will be better to convert the output arguments
size_t* + ldb_message*** into a struct ldb_result and avoid using an
additional helper variable of type size_t before each invocation
of these functions.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2602
Uses the same logic as previously used for updating group entries to
only update user attributes if the group entry actually changed.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Splits sysdb_store_user internals to two functions because the original
function either creates a new user or updates an existing one.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Adds a new function sysdb_entry_attrs_diff() used in group saving code.
This function is used to check if the result of updating a group would
result in actually changing the sysdb entry -- often, we would try to
dump the same data to the cache during update. If that's the case, the
update code now only updates the timestamp cache, avoiding costly
writes.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2602
If the entry being saved contains the original modifyTimestamp attribute
and the modifyTimestamp attribute is the same as the one we already
saved to the timestamp cache, only the expire timestamps in the
asynchronous timestamp cache will be bumped and the sysdb code will
avoid writes to the main cache completely. If the modifyTimestamp is
either missing or differs, we assume the entry had changed and do a full
write to the main cache.
Also amends the generic sysdb_set_attrs* and similar functions that
their results is also reflected in the timestamps cache.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
When a sysdb entry is searched, the sysdb cache is consulted first
for users or groups. If an entry is found in the sysdb cache, the
attributes from the timestamp cache are merged to return the full and
up-to-date set of attributes.
The merging is done with a single BASE search which is a direct lookup
into the underlying key-value database, so it should be relatively fast.
More complex merging is done only for enumeration by filter which is
currently done only via the IFP back end and should be quite
infrequent, so I hope we can justify a more complex merging there.
Reviewed-by: Sumit Bose <sbose@redhat.com>
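The three messages above (the attribute diff in the group saving code, the modifyTimestamp shortcut, and the merge of the timestamp cache on lookup) describe one mechanism, so here is a single added illustration of it in Python. This is example code written for this page, not SSSD's sysdb (which is C on top of ldb); the dict-based two-tier store, the `TwoTierCache` class and the attribute names `lastUpdate`, `dataExpireTimestamp` and `originalModifyTimestamp` are assumptions made for the example.

```python
"""Illustration of the split between the persistent sysdb cache and the
ephemeral timestamp cache described in the commit messages above: the
attribute diff that avoids rewriting identical data, the modifyTimestamp
shortcut, and the merge of both caches on lookup. Standalone example code,
not SSSD's sysdb; the attribute names lastUpdate, dataExpireTimestamp and
originalModifyTimestamp and the dict-based store are assumptions."""

import time

TS_ATTRS = ("lastUpdate", "dataExpireTimestamp", "originalModifyTimestamp")


def _strip_ts(attrs):
    return {k: v for k, v in attrs.items() if k not in TS_ATTRS}


def entry_attrs_diff(old, new):
    """True when writing `new` over `old` would change the persistent entry.
    Timestamp attributes never count as a change."""
    return _strip_ts(old) != _strip_ts(new)


class TwoTierCache:
    def __init__(self, ttl, clock=time.time):
        self.main = {}        # dn -> persistent attrs (costly, synced writes)
        self.ts = {}          # dn -> ephemeral attrs (cheap, NOSYNC-style writes)
        self.ttl = ttl
        self.clock = clock
        self.main_writes = 0  # number of expensive main-cache writes performed

    def _bump_timestamps(self, dn, attrs):
        now = int(self.clock())
        ts = self.ts.setdefault(dn, {})
        ts["lastUpdate"] = now
        ts["dataExpireTimestamp"] = now + self.ttl
        if "originalModifyTimestamp" in attrs:
            ts["originalModifyTimestamp"] = attrs["originalModifyTimestamp"]

    def store(self, dn, attrs):
        """Store or update an entry. Returns "ts-only" when only the
        timestamp cache was touched, "full" when the main cache was written."""
        old = self.main.get(dn)
        if old is not None:
            new_mts = attrs.get("originalModifyTimestamp")
            cached_mts = self.ts.get(dn, {}).get("originalModifyTimestamp")
            if new_mts is not None:
                # Server-side modifyTimestamp present: same value means the
                # entry did not change, a different value means a full write.
                unchanged = new_mts == cached_mts
            else:
                # No modifyTimestamp: compare the attributes themselves.
                unchanged = not entry_attrs_diff(old, attrs)
            if unchanged:
                self._bump_timestamps(dn, attrs)
                return "ts-only"
        self.main[dn] = _strip_ts(attrs)
        self.main_writes += 1
        self._bump_timestamps(dn, attrs)
        return "full"

    def lookup(self, dn):
        """Single BASE lookup in the main cache, merged with the timestamp
        cache so the caller sees the full, up-to-date attribute set."""
        entry = self.main.get(dn)
        if entry is None:
            return None
        merged = dict(entry)
        merged.update(self.ts.get(dn, {}))
        return merged

    def is_expired(self, dn):
        ts = self.ts.get(dn)
        return ts is None or ts["dataExpireTimestamp"] <= self.clock()
```

The `clock` parameter exists only so the expiry logic can be exercised deterministically; a refresh that finds the same `originalModifyTimestamp` costs one cheap timestamp-cache write and zero main-cache writes, which is the whole point of the split.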
| |
functions
sysdb_store_group can do several things -- add, rename or update a
group. It's important they are all done in a single transaction (even
though the caller should typically start a transaction of his own).
Also split the sysdb_store_group function into two, one that only stores
a new group and one that changes attributes of an existing group to keep
the flow easy and avoid two labels in a single function.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
For all domain types, except the local domain, open a connection to a
new ldb file located at /var/lib/sss/db named timestamps_$domain.ldb.
Constructs the ldb file path manually in sysdb_check_upgrade_02() but
that should be acceptable because nobody should be running such an old
cache these days anyway.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Uses the generic functions in sysdb_init.c to open a new ldb database.
The path to the database and the ldb context are stored in the
sysdb_ctx. The database will be used to store ephemeral attributes such
as timestamps. Because these attributes are not required for SSSD
operation and the intent is for writes to this cache to be very fast,
the database is opened with LDB_FLG_NOSYNC flag. At the same time, none
of the attributes of the cache is required for sssd operation, so if we
fail to open the database, we just start over.
Adds a separate base LDIF with attributes that are supposed to be
indexed in the timestamp database as well as a separate timestamp cache
version.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Changes the functions in sysdb_init.c so that the functions are usable
to initialize a second cache to store timestamps. In particular,
functions that operated on sysdb->ldb now operate on a generic ldb
context so that a new ldb_ts context can be used later. Existing
functions that initialize the sysdb cache call the generic functions
with sysdb->ldb as a parameter.
Splits out a function to initialize an empty ldb database with a generic
LDIF.
Splits out the sysdb upgrade function because the upgrade will only be
used by the sysdb cache, the timestamp cache will start with a different
version and might receive separate upgrade functions in the future.
The ldb connection function accepts ldb flags parameter, currently
unused.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
We used really strange errno codes for detecting whether the database is
too old or too new. We should use our sssd-specific error codes instead.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
The sysdb initialization was in the sysdb.c module. With adding
initialization of the timestamp cache, this module would become too big
with too many private functions meant only for initialization.
This patch only moves code around, there are no functional changes to
the initialization.
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Actually adds marks for sysdb transactions that receive the transaction
nesting level as an argument. The nesting is passed on from probes to
marks along with a human-friendly description.
The transaction commit is decorated with two probes, before and after.
This would allow the caller to distinguish between the time we spend in
the transaction (which might be important, because if a transaction is
active on an ldb context, even the readers are blocked before the
transaction completes) and the time we spend committing the transaction
(which is important because that's when the disk writes occur).
The probes would be installed into /usr/share/systemtap/tapset on RHEL
and Fedora. This is in line with systemtap's paths which are described
in detail in "man 7 stappaths".
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Adds an integer that tracks how deeply nested we are in sysdb
transactions. This will become useful later, because generally we are
only interested in level-0 transactions when probing, so we'll want to
pass the transaction nesting to the systemtap probes.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
As the add_ulong() convenience can add, replace or remove an unsigned
long according to the operation received as its argument, some confusion
can easily happen due to its misleading name.
In order to improve the explicitness of our code, let's introduce
sysdb_add_ulong(), sysdb_replace_ulong() and sysdb_delete_ulong().
These new functions are basically wrappers of add_ulong() (now
sysdb_ldb_msg_ulong_helper()), calling it using the proper flag
according to each function.
Any code previously using add_ulong() is now adapted to use these brand
new functions.
Related: https://fedorahosted.org/sssd/ticket/1656
Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Reviewed-by: Petr Cech <pcech@redhat.com>
| |
Considering that sysdb.c is about utilities around our cache and that
sysdb_ops.c is about operations on objects, it seems that add_ulong()
could fit better in sysdb.c.
This move is a suggestion from Jakub Hrozek.
Related: https://fedorahosted.org/sssd/ticket/1656
Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Reviewed-by: Petr Cech <pcech@redhat.com>
| |
As the add_string() convenience can add, replace or delete a string
according to the operation received as its argument, some confusion can
easily happen due to its misleading name.
In order to improve the explicitness of our code, let's introduce
sysdb_add_string(), sysdb_replace_string() and sysdb_delete_string().
These new functions are basically wrappers of add_string() (now
sysdb_ldb_msg_string_helper()), calling it using the proper flag
according to each function.
Any code previously using add_string() is now adapted to use these brand
new functions.
Resolves: https://fedorahosted.org/sssd/ticket/1656
Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Reviewed-by: Petr Cech <pcech@redhat.com>
| |
Considering that sysdb.c is about utilities around our cache and that
sysdb_ops.c is about operations on objects, it seems that add_string()
could fit better in sysdb.c.
This move is a suggestion from Jakub Hrozek.
Related: https://fedorahosted.org/sssd/ticket/1656
Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Reviewed-by: Petr Cech <pcech@redhat.com>
| |
This patch adds two new functions into public
API of sysdb_sudo:
* sysdb_search_sudo_rules
* sysdb_set_sudo_rule_attr
Resolves:
https://fedorahosted.org/sssd/ticket/2081
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
The function sysdb_search_custom cannot return EOK
and at the same time set the output argument count to zero.
This case is already handled in the function sysdb_search_entry
which is used inside sysdb_search_custom.
Such a useless test can just cause a read of an uninitialized variable
in case of other errors returned from sysdb_search_custom.
Error: UNINIT (CWE-457): [#def1]
sssd-1.13.4/src/db/sysdb_sudo.c:678:
var_decl: Declaring variable "count" without initializer.
sssd-1.13.4/src/db/sysdb_sudo.c:698:
uninit_use: Using uninitialized value "count".
# 696| SUDORULE_SUBDIR, attrs,
# 697| &count, &msgs);
# 698|-> if (ret == ENOENT || count == 0) {
# 699| DEBUG(SSSDBG_TRACE_FUNC, "No rules matched\n");
# 700| ret = EOK;
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
Resolves https://fedorahosted.org/sssd/ticket/2158
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| |
This allows configuration with id_provider = proxy
and sudo_provider = ipa when someone needs to fetch
rules for local users.
https://fedorahosted.org/sssd/ticket/2972
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
The Global Catalog of AD contains some information about all users and
groups in an AD forest. Users from different domains in the forest can
have the same name. The most obvious example is the Administrator user
which is present in all domains. Although SSSD uses a domain specific
search base for looking up users in the GC the search might still return
multiple results if there is a user with the same name in one of the
child (or grand-child ...) domains because of the hierarchic nature of
the LDAP tree. Limiting the search depth would not help because users
can be created in deeply nested OUs.
Currently SSSD expects in this case that the user object is stored in
CN=Users or below. This works for all default users like Administrator
but in general users can be created anywhere in the directory tree. If a
user is created outside of CN=Users and there is a user with the same
name in a child domain the initgroups command to look up the
group-memberships of the user fails because it is not clear which of the
two results should be used (initgroups for the child domain user works
fine).
This patch adds an additional scheme to select the right result based on
the domain component attribute name 'dc'. This attribute indicates an
additional component in the domain name and hence a child domain. So as
long as the result contains a dc component following our search base it
cannot be the object we are looking for. This scheme includes the old
CN=Users based one but since it is more expensive I kept the old scheme
which so far worked all the time and only use the new one if the old one
fails.
Resolves https://fedorahosted.org/sssd/ticket/2961
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
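The selection logic described above, as an added illustration in Python: the old CN=Users rule is tried first and the dc-based rule only when that is not decisive. This is example code written for this page, not SSSD's AD provider code; the DN splitting helper, the function names and the sample DNs are constructed for the example (the real provider works on ldb DN objects, not strings).

```python
"""Illustration of the result-selection scheme from the commit message above:
when a Global Catalog search for one name returns several objects, prefer the
old CN=Users rule, and only if that is not decisive reject every result whose
DN carries a dc= component between the object and the search base (a child
domain). Standalone example code, not SSSD's; the DNs are constructed."""


def split_dn(dn):
    """Split a DN into (attr, value) RDN pairs, leaf first. Backslash-escaped
    commas inside a value are kept as part of that value."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur)
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip()))
    return out


def _norm(rdns):
    # AD DN values are case-insensitive; compare them lower-cased.
    return [(a, v.lower()) for a, v in rdns]


def relative_rdns(dn, base):
    """RDNs of dn between the object and base (leaf first), or None when
    dn does not lie under base at all."""
    d, b = _norm(split_dn(dn)), _norm(split_dn(base))
    if len(d) < len(b) or d[-len(b):] != b:
        return None
    return d[:-len(b)]


def in_cn_users(dn, base):
    """Old scheme: the object lives in CN=Users (or below) directly under base."""
    rel = relative_rdns(dn, base)
    return rel is not None and len(rel) >= 2 and rel[-1] == ("cn", "users")


def crosses_child_domain(dn, base):
    """New scheme: any dc= RDN between object and base means a child domain."""
    rel = relative_rdns(dn, base)
    return rel is None or any(a == "dc" for a, _ in rel)


def select_gc_result(dns, base):
    """Return the single result that belongs to base's own domain, or None
    when the choice stays ambiguous (the lookup then fails as before)."""
    candidates = [dn for dn in dns if in_cn_users(dn, base)]
    if len(candidates) != 1:
        candidates = [dn for dn in dns if not crosses_child_domain(dn, base)]
    return candidates[0] if len(candidates) == 1 else None
```

Returning `None` rather than guessing when both rules leave more than one candidate keeps the failure mode the message describes; silently picking one of two same-named accounts would be the worse outcome for an initgroups lookup.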
| |
If the user is not found by cert lookup when the user is already
cached, two things may happen:
1) cert was removed from the user object
2) user was removed
Instead of issuing another cert lookup we will just remove cert
attribute from the cache not touching the expiration timestamp so
the user may be updated later when needed.
Resolves:
https://fedorahosted.org/sssd/ticket/2934
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Required for:
https://fedorahosted.org/sssd/ticket/2522
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Reviewed-by: Sumit Bose <sbose@redhat.com>
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
If the user name of an AD user is overridden with the name itself in an
IPA override object SSSD adds this name twice to the alias list causing
an ldb error when trying to write the user object to the cache. As a
result the user is not available.
This patch makes sure that there are no duplicated alias names.
Resolves https://fedorahosted.org/sssd/ticket/2874
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
| |
Recent get_next_domain refactoring enabled
us to use it also for disabled domains.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>