URL: https://github.com/SSSD/sssd/pull/243
Author: jhrozek
 Title: #243: IPA: Use search bases from sdap_domain instead of inferring 
search base from IPA domain structure
Action: opened

PR body:
"""
This PR fixes https://pagure.io/SSSD/sssd/issue/3378

To test the patch, add some external groups (ipa group-add --external)
that contain members from a trusted AD domain on an IPA server. Then,
resolve the AD domain object.

Before the patch, the search for the ipaExternalGroup class objects would
have been based on the root search base of the IPA server, after the patch
it should be based on the cn=accounts subtree.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/243/head:pr243
git checkout pr243
From c48762e7b3dd07cdd8487aa7930cab380531c5bd Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Fri, 21 Apr 2017 15:30:37 +0200
Subject: [PATCH 1/2] LDAP: Allow passing a NULL map to
 sdap_search_bases_ex_send

NULL attribute map and a NULL list of attributes should translate into
"fetch all entry attributes"

Required for:
    https://pagure.io/SSSD/sssd/issue/3378
---
 src/providers/ldap/sdap_ops.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/providers/ldap/sdap_ops.c b/src/providers/ldap/sdap_ops.c
index 3fc968f..a908574 100644
--- a/src/providers/ldap/sdap_ops.c
+++ b/src/providers/ldap/sdap_ops.c
@@ -101,7 +101,7 @@ sdap_search_bases_ex_send(TALLOC_CTX *mem_ctx,
         state->map_num_attrs = 0;
     }
 
-    if (state->attrs == NULL) {
+    if (state->attrs == NULL && state->map != NULL) {
         ret = build_attrs_from_map(state, state->map, state->map_num_attrs,
                                    NULL, &state->attrs, NULL);
         if (ret != EOK) {
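Review bot: The changed condition lets a NULL map together with NULL attrs leave state->attrs NULL, which the commit message says means "fetch all entry attributes", but nothing in the code records that intent, so a reader of the new `if` sees only a skipped build_attrs_from_map call. Add a comment above it, `/* No explicit attrs and no map: leave attrs NULL so the search returns every attribute of each entry */`, and state the same contract in the doc comment on sdap_search_bases_ex_send's declaration. Requesting every attribute pulls more data from the server than a map-driven search would, so callers that pass NULL/NULL should be doing so deliberately; the comment makes that choice visible at the point where it takes effect. The body of sdap_search_bases_ex_send starts and ends outside this hunk.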

From df6c08dcbaa1ef4dcdb8094f17c953c344fcfd08 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Tue, 18 Apr 2017 11:47:30 +0200
Subject: [PATCH 2/2] IPA: Use search bases instead of domain_to_basedn when
 fetching external groups

Instead of deriving the search base from the IPA domain name, actually
use the search base from the sdap_domain structure.

The primary advantage is that groups in the compat tree are no longer
matched.

Resolves:
    https://pagure.io/SSSD/sssd/issue/3378
---
 src/providers/ipa/ipa_subdomains_ext_groups.c | 30 ++++++++++++---------------
 1 file changed, 13 insertions(+), 17 deletions(-)

diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
index d5727cc..505d89a 100644
--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
@@ -27,6 +27,7 @@
 #include "db/sysdb.h"
 #include "providers/ldap/ldap_common.h"
 #include "providers/ldap/sdap_async.h"
+#include "providers/ldap/sdap_ops.h"
 #include "providers/ipa/ipa_id.h"
 #include "providers/ad/ad_id.h"
 #include "providers/ipa/ipa_subdomains.h"
@@ -529,7 +530,6 @@ static void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq)
     struct get_ad_membership_state *state = tevent_req_data(req,
                                                 struct get_ad_membership_state);
     int ret;
-    char *basedn;
 
     ret = sdap_id_op_connect_recv(subreq, &state->dp_error);
     talloc_zfree(subreq);
@@ -546,20 +546,14 @@ static void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq)
         goto fail;
     }
 
-
-    ret = domain_to_basedn(state, state->domain, &basedn);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n");
-        goto fail;
-    }
-
-    subreq = sdap_get_generic_send(state, state->ev, state->sdap_id_ctx->opts,
-                                 sdap_id_op_handle(state->sdap_op), basedn,
-                                 LDAP_SCOPE_SUBTREE,
-                                 IPA_EXT_GROUPS_FILTER, NULL, NULL, 0,
-                                 dp_opt_get_int(state->sdap_id_ctx->opts->basic,
-                                                SDAP_ENUM_SEARCH_TIMEOUT),
-                                 false);
+    subreq = sdap_search_bases_send(state, state->ev, state->sdap_id_ctx->opts,
+                            sdap_id_op_handle(state->sdap_op),
+                            state->sdap_id_ctx->opts->sdom->group_search_bases,
+                            NULL, false,
+                            dp_opt_get_int(state->sdap_id_ctx->opts->basic,
+                                            SDAP_ENUM_SEARCH_TIMEOUT),
+                            IPA_EXT_GROUPS_FILTER,
+                            NULL);
     if (subreq == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
         ret = ENOMEM;
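Review bot: The failure message following the new call is stale: the hunk now calls sdap_search_bases_send, but the unchanged DEBUG line just below it still reports `"sdap_get_generic_send failed.\n"`, which points whoever reads the log at a function this path no longer calls. Change it to `DEBUG(SSSDBG_OP_FAILURE, "sdap_search_bases_send failed.\n");`. The call also passes a NULL attribute list and a NULL map, so with the first patch applied every attribute of the matching ipaExternalGroup entries is returned, as the previous sdap_get_generic_send call with NULL attrs presumably did as well; a short comment above the call saying that `opts->sdom->group_search_bases` is used so that the compat tree is not searched would keep the commit message's reasoning in the code. ipa_get_ad_memberships_connect_done continues outside the hunk.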
@@ -583,8 +577,10 @@ static void ipa_get_ext_groups_done(struct tevent_req *subreq)
     int ret;
     hash_table_t *ext_group_hash;
 
-    ret = sdap_get_generic_recv(subreq, state,
-                                &state->reply_count, &state->reply);
+    ret = sdap_search_bases_recv(subreq,
+                                 state,
+                                 &state->reply_count,
+                                 &state->reply);
     talloc_zfree(subreq);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ext_groups request failed.\n");