URL: https://github.com/SSSD/sssd/pull/243 Author: jhrozek Title: #243: IPA: Use search bases from sdap_domain instead of inferring search base from IPA domain structure Action: opened
PR body: """ This PR fixes https://pagure.io/SSSD/sssd/issue/3378 To test the patch, add some external groups (ipa group-add --external) that contain members from a trusted AD domain on an IPA server. Then, resolve the AD domain object. Before the patch, the search for the ipaExternalGroup class objects would have been based on the root search base of the IPA server; after the patch it should be based on the cn=accounts subtree. """
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/243/head:pr243
git checkout pr243
From c48762e7b3dd07cdd8487aa7930cab380531c5bd Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Fri, 21 Apr 2017 15:30:37 +0200
Subject: [PATCH 1/2] LDAP: Allow passing a NULL map to sdap_search_bases_ex_send

NULL attribute map and a NULL list of attributes should translate into "fetch all entry attributes"

Required for: https://pagure.io/SSSD/sssd/issue/3378
---
 src/providers/ldap/sdap_ops.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/providers/ldap/sdap_ops.c b/src/providers/ldap/sdap_ops.c
index 3fc968f..a908574 100644
--- a/src/providers/ldap/sdap_ops.c
+++ b/src/providers/ldap/sdap_ops.c
@@ -101,7 +101,7 @@ sdap_search_bases_ex_send(TALLOC_CTX *mem_ctx,
         state->map_num_attrs = 0;
     }
 
-    if (state->attrs == NULL) {
+    if (state->attrs == NULL && state->map != NULL) {
         ret = build_attrs_from_map(state, state->map, state->map_num_attrs,
                                    NULL, &state->attrs, NULL);
         if (ret != EOK) {

From df6c08dcbaa1ef4dcdb8094f17c953c344fcfd08 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Tue, 18 Apr 2017 11:47:30 +0200
Subject: [PATCH 2/2] IPA: Use search bases instead of domain_to_basedn when fetching external groups

Instead of deriving the search base from the IPA domain name, actually use the search base from the sdap_domain structure. This has primarily the advantage of not matching groups in the compat tree.

Resolves: https://pagure.io/SSSD/sssd/issue/3378
---
 src/providers/ipa/ipa_subdomains_ext_groups.c | 30 ++++++++++++---------------
 1 file changed, 13 insertions(+), 17 deletions(-)

diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
index d5727cc..505d89a 100644
--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
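Review bot: With both `state->attrs` and `state->map` NULL, the new condition in sdap_search_bases_ex_send (sdap_ops.c hunk) leaves `state->attrs` NULL, and nothing in the code records that this is the intended "request every attribute" case rather than an unhandled input; only the commit message says so. A comment above the `if`, `/* NULL map and NULL attrs: request all attributes of each entry */`, would carry that contract to readers and callers. Whether the receive side of this request copes with a NULL map when it parses the returned entries is not visible in the hunk and should be confirmed before relying on the combination. sdap_search_bases_ex_send's body starts and ends outside the hunk.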
@@ -27,6 +27,7 @@
 #include "db/sysdb.h"
 #include "providers/ldap/ldap_common.h"
 #include "providers/ldap/sdap_async.h"
+#include "providers/ldap/sdap_ops.h"
 #include "providers/ipa/ipa_id.h"
 #include "providers/ad/ad_id.h"
 #include "providers/ipa/ipa_subdomains.h"
@@ -529,7 +530,6 @@ static void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq)
     struct get_ad_membership_state *state = tevent_req_data(req,
                                                 struct get_ad_membership_state);
     int ret;
-    char *basedn;
 
     ret = sdap_id_op_connect_recv(subreq, &state->dp_error);
     talloc_zfree(subreq);
@@ -546,20 +546,14 @@ static void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq)
         goto fail;
     }
 
-
-    ret = domain_to_basedn(state, state->domain, &basedn);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n");
-        goto fail;
-    }
-
-    subreq = sdap_get_generic_send(state, state->ev, state->sdap_id_ctx->opts,
-                                   sdap_id_op_handle(state->sdap_op), basedn,
-                                   LDAP_SCOPE_SUBTREE,
-                                   IPA_EXT_GROUPS_FILTER, NULL, NULL, 0,
-                                   dp_opt_get_int(state->sdap_id_ctx->opts->basic,
-                                                  SDAP_ENUM_SEARCH_TIMEOUT),
-                                   false);
+    subreq = sdap_search_bases_send(state, state->ev, state->sdap_id_ctx->opts,
+                                    sdap_id_op_handle(state->sdap_op),
+                                    state->sdap_id_ctx->opts->sdom->group_search_bases,
+                                    NULL, false,
+                                    dp_opt_get_int(state->sdap_id_ctx->opts->basic,
+                                                   SDAP_ENUM_SEARCH_TIMEOUT),
+                                    IPA_EXT_GROUPS_FILTER,
+                                    NULL);
     if (subreq == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
         ret = ENOMEM;
@@ -583,8 +577,10 @@ static void ipa_get_ext_groups_done(struct tevent_req *subreq)
     int ret;
     hash_table_t *ext_group_hash;
 
-    ret = sdap_get_generic_recv(subreq, state,
-                                &state->reply_count, &state->reply);
+    ret = sdap_search_bases_recv(subreq,
+                                 state,
+                                 &state->reply_count,
+                                 &state->reply);
     talloc_zfree(subreq);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ext_groups request failed.\n");
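Review bot: The failure message following the new `sdap_search_bases_send()` call in ipa_get_ad_memberships_connect_done still names the function that was removed, so the log would point at a call the code no longer makes; `DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");` should become `DEBUG(SSSDBG_OP_FAILURE, "sdap_search_bases_send failed.\n");`. The call dereferences `state->sdap_id_ctx->opts->sdom->group_search_bases` without a check; if sdom or its group search bases can be unset for this context, the request should fail with a clear error instead of a NULL dereference, which the hunk does not let me confirm either way. Passing NULL for both the map and the attribute list relies on the first patch of the series, so the two commits should land together. Since the point of the change is to stop matching entries outside the configured group search bases (the commit message names the compat tree), a one-line comment above the call, `/* Search the configured group search bases, not the domain root, so compat-tree entries are not matched. */`, would preserve that rationale. The enclosing function starts and ends outside the hunk.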