diff options
| author | Alexander Bokovoy <abokovoy@redhat.com> | 2016-08-07 21:42:14 +0300 |
|---|---|---|
| committer | Martin Babinsky <mbabinsk@redhat.com> | 2016-08-22 14:03:00 +0200 |
| commit | a14ebbea895a20f5a68052e32ba65c4fd7fdf670 (patch) | |
| tree | 0758623188a4310ca5cdb1e58d572328ee633b6b /daemons/ipa-kdb | |
| parent | 62be554540e83e54c8cc06ebc2cb1253c2cebeca (diff) | |
| download | freeipa-a14ebbea895a20f5a68052e32ba65c4fd7fdf670.tar.gz freeipa-a14ebbea895a20f5a68052e32ba65c4fd7fdf670.tar.xz freeipa-a14ebbea895a20f5a68052e32ba65c4fd7fdf670.zip | |
ipa-kdb: simplify trusted domain parent search
In terms of cross-forest trust parent domain is the root domain of
the forest because we only have trust established with the forest root.
In FreeIPA LDAP store all sub-domains stored in cn=<forest root>,
cn=ad,cn=trusts,... subtree. Thus, a first RDN after cn=ad is the
forest root domain. This allows us to simplify logic of finding
the parent domain.
For complex hierachical forests with more than two levels of
sub-domains, this will still be true because of the forest trust:
as forest trust is established to the forest root domain, any
communication to any sub-domain must traverse forest root domain's
domain controller.
Note that SSSD also generated incorrectly CA paths information
for forests with non-hierarchical tree-roots. In such cases
IPA KDC got confused and mistakenly assumed direct trust to the
non-hierarchical tree-root instead of going through the forest
root domain. See https://fedorahosted.org/sssd/ticket/3103 for
details.
Resolves: https://fedorahosted.org/freeipa/ticket/5738
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'daemons/ipa-kdb')
| -rw-r--r-- | daemons/ipa-kdb/ipa_kdb_mspac.c | 27 |
1 files changed, 14 insertions, 13 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 65cc03565..cf1bd5b4e 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -2429,6 +2429,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) char *base = NULL; char *dnstr = NULL; char *dnl = NULL; + LDAPDN dn = NULL; char **sid_blacklist_incoming = NULL; char **sid_blacklist_outgoing = NULL; int ret, n, i; @@ -2556,26 +2557,26 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) goto done; } - /* Note that after ldap_str2rdn() call dnl will point to end of one RDN - * which would be '\0' for trust root domain and ',' for subdomain */ dnl--; dnl[0] = '\0'; - ret = ldap_str2rdn(dnstr, &rdn, &dnl, LDAP_DN_FORMAT_LDAPV3); + /* Create a DN, which is now everything before the base, + * to get list of rdn values -- the last one would be a root domain. + * Since with cross-forest trust we have to route everything via root + * domain, that is enough for us to assign parentship. */ + ret = ldap_str2dn(dnstr, &dn, LDAP_DN_FORMAT_LDAPV3); if (ret) { goto done; } - ldap_rdnfree(rdn); - - if (dnl[0] != '\0') { - dnl++; - ret = ldap_str2rdn(dnl, &rdn, &dnl, LDAP_DN_FORMAT_LDAPV3); - if (ret) { - goto done; - } - t[n].parent_name = strndup(rdn[0]->la_value.bv_val, rdn[0]->la_value.bv_len); - ldap_rdnfree(rdn); + rdn = NULL; + for (i = 0; dn[i] != NULL; i++) { + rdn = dn[i]; } + /* We should have a single AVA in the domain RDN */ + t[n].parent_name = strndup(rdn[0]->la_value.bv_val, rdn[0]->la_value.bv_len); + + ldap_dnfree(dn); + free(dnstr); dnstr = NULL; } |