-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is most commonly seen with Active Directory. The 'group' objectClass does not have a mandatory GID attribute, and SSSD was throwing errors when trying to process groups without one (which is necessary for use on a POSIX system).
This patch updates the group filters so that we include "gidNumber=*" to filter out groups that are missing this information. Fixes https://fedorahosted.org/sssd/ticket/824 - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk15//kACgkQeiVVYja6o6OdoACfTUIU7ChLXucGywtCAM1LCQMd xpAAoKiigXs0U56+R9VryqBGfTsT7Pbq =h0WR -----END PGP SIGNATURE-----
From 969f87203f7c3384e363818f6469d68193b9e214 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgall...@redhat.com>
Date: Fri, 11 Mar 2011 05:06:48 -0500
Subject: [PATCH] Require existence of GID number in group searches
https://fedorahosted.org/sssd/ticket/824
---
 src/providers/ldap/ldap_id.c | 8 +++++---
 src/providers/ldap/ldap_id_enum.c | 28 ++++++++++++++++------------
 src/providers/ldap/sdap_async_accounts.c | 25 +++++++++++++++----------
 3 files changed, 36 insertions(+), 25 deletions(-)
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 9a234280082f7396eda4307e9e4bb4bd63b5615c..5b1f47323ed9dfc742663e10737abe964bb42c14 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -335,9 +335,11 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
 goto fail;
 }
- state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
- attr_name, clean_name,
- ctx->opts->group_map[SDAP_OC_GROUP].name);
+ state->filter =
+ talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*))",
+ attr_name, clean_name,
+ ctx->opts->group_map[SDAP_OC_GROUP].name,
+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
 if (!state->filter) {
 DEBUG(2, ("Failed to build filter\n"));
 ret = ENOMEM;
diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c
index f47ee9fbe170bae0058a682a3a051df21cfbc0d6..ae92f9cb85199c6b451bb0f9cee4c5cbe5b776cb 100644
--- a/src/providers/ldap/ldap_id_enum.c
+++ b/src/providers/ldap/ldap_id_enum.c
@@ -546,19 +546,23 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
 state->op = op;
 if (ctx->srv_opts && ctx->srv_opts->max_group_value && !purge) {
- state->filter = talloc_asprintf(state,
- "(&(%s=*)(objectclass=%s)(%s>=%s)(!(%s=%s)))",
- ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
- ctx->opts->group_map[SDAP_OC_GROUP].name,
- ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
- ctx->srv_opts->max_group_value,
- ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
- ctx->srv_opts->max_group_value);
+ state->filter = talloc_asprintf(
+ state,
+ "(&(%s=*)(objectclass=%s)(%s=*)(%s>=%s)(!(%s=%s)))",
+ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
+ ctx->opts->group_map[SDAP_OC_GROUP].name,
+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name,
+ ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
+ ctx->srv_opts->max_group_value,
+ ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
+ ctx->srv_opts->max_group_value);
 } else {
- state->filter = talloc_asprintf(state,
- "(&(%s=*)(objectclass=%s))",
- ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
- ctx->opts->group_map[SDAP_OC_GROUP].name);
+ state->filter = talloc_asprintf(
+ state,
+ "(&(%s=*)(objectclass=%s)(%s=*))",
+ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
+ ctx->opts->group_map[SDAP_OC_GROUP].name,
+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
 }
 if (!state->filter) {
 DEBUG(2, ("Failed to build filter\n"));
diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c
index 8e459598674d589c0cdfcece125c183f7c95bb4d..a555803c5f4bd0e3b08242d6df98d58194acd999 100644
--- a/src/providers/ldap/sdap_async_accounts.c
+++ b/src/providers/ldap/sdap_async_accounts.c
@@ -2007,10 +2007,11 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
 return NULL;
 }
- filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
+ filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)",
 opts->group_map[SDAP_AT_GROUP_MEMBER].name, clean_name,
- opts->group_map[SDAP_OC_GROUP].name);
+ opts->group_map[SDAP_OC_GROUP].name,
+ opts->group_map[SDAP_AT_GROUP_GID].name);
 if (!filter) {
 talloc_zfree(req);
 return NULL;
@@ -2211,8 +2212,9 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
 return NULL;
 }
- state->filter = talloc_asprintf(state, "(objectclass=%s)",
- opts->group_map[SDAP_OC_GROUP].name);
+ state->filter = talloc_asprintf(state, "(&(objectclass=%s)(%s=*))",
+ opts->group_map[SDAP_OC_GROUP].name,
+ opts->group_map[SDAP_AT_GROUP_GID].name);
 if (!state->filter) {
 talloc_zfree(req);
 return NULL;
@@ -3103,8 +3105,9 @@ static errno_t sdap_nested_group_lookup_group(struct tevent_req *req)
 }
 filter = talloc_asprintf(
- sdap_attrs, "(objectclass=%s)",
- state->opts->group_map[SDAP_OC_GROUP].name);
+ sdap_attrs, "(&(objectclass=%s)(%s=*))",
+ state->opts->group_map[SDAP_OC_GROUP].name,
+ state->opts->group_map[SDAP_AT_GROUP_GID].name);
 if (!filter) {
 talloc_free(sdap_attrs);
 return ENOMEM;
@@ -3435,10 +3438,11 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
 return NULL;
 }
- filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
+ filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*))",
 opts->group_map[SDAP_AT_GROUP_MEMBER].name, clean_orig_dn,
- opts->group_map[SDAP_OC_GROUP].name);
+ opts->group_map[SDAP_OC_GROUP].name,
+ opts->group_map[SDAP_AT_GROUP_GID].name);
 if (!filter) {
 talloc_zfree(req);
 return NULL;
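Review bot: The new format string in the sdap_initgr_rfc2307_send hunk, `"(&(%s=%s)(objectclass=%s)(%s=*)"`, never closes the outer `(&` — every other hunk in this series ends in `(%s=*))`, so this one is missing a `)` and builds a syntactically invalid LDAP filter. The search issued with it will presumably be rejected by the server or the client-side filter parser instead of returning the user's groups, so initgroups for RFC 2307 domains would fail wherever this path is taken; change the line to `filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*))",`. The body of sdap_initgr_rfc2307_send continues outside the hunk, so I cannot see how a failed search is reported to the caller; a test that checks every filter string produced here for balanced parentheses would have caught this before the server did.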
@@ -3839,10 +3843,11 @@ static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req)
 }
 filter = talloc_asprintf(
- tmp_ctx, "(&(%s=%s)(objectclass=%s))",
+ tmp_ctx, "(&(%s=%s)(objectclass=%s)(%s=*))",
 state->opts->group_map[SDAP_AT_GROUP_MEMBER].name, clean_orig_dn,
- state->opts->group_map[SDAP_OC_GROUP].name);
+ state->opts->group_map[SDAP_OC_GROUP].name,
+ state->opts->group_map[SDAP_AT_GROUP_GID].name);
 if (!filter) {
 ret = ENOMEM;
 goto error;
--
1.7.4