-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is most commonly seen with Active Directory. The 'group'
objectClass does not have a mandatory GID attribute, and SSSD was
throwing errors when trying to process groups that lack one (a GID is
required for the group to be usable on a POSIX system).

This patch updates the group filters so that we include "gidNumber=*" to
filter out groups that are missing this information.

Fixes https://fedorahosted.org/sssd/ticket/824


- -- 
Stephen Gallagher

RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk15//kACgkQeiVVYja6o6OdoACfTUIU7ChLXucGywtCAM1LCQMd
xpAAoKiigXs0U56+R9VryqBGfTsT7Pbq
=h0WR
-----END PGP SIGNATURE-----
From 969f87203f7c3384e363818f6469d68193b9e214 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgall...@redhat.com>
Date: Fri, 11 Mar 2011 05:06:48 -0500
Subject: [PATCH] Require existence of GID number in group searches

https://fedorahosted.org/sssd/ticket/824
---
 src/providers/ldap/ldap_id.c             |    8 +++++---
 src/providers/ldap/ldap_id_enum.c        |   28 ++++++++++++++++------------
 src/providers/ldap/sdap_async_accounts.c |   25 +++++++++++++++----------
 3 files changed, 36 insertions(+), 25 deletions(-)

diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 9a234280082f7396eda4307e9e4bb4bd63b5615c..5b1f47323ed9dfc742663e10737abe964bb42c14 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -335,9 +335,11 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
         goto fail;
     }
 
-    state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
-                                    attr_name, clean_name,
-                                    ctx->opts->group_map[SDAP_OC_GROUP].name);
+    state->filter =
+            talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*))",
+                            attr_name, clean_name,
+                            ctx->opts->group_map[SDAP_OC_GROUP].name,
+                            ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
     if (!state->filter) {
         DEBUG(2, ("Failed to build filter\n"));
         ret = ENOMEM;
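Review bot: The new `(%s=*)` presence clause on the GID attribute has no comment saying why the attribute is now mandatory, and the same undocumented clause is repeated in enum_groups_send and in the five sdap_async_accounts.c hunks. A one-line comment ahead of the talloc_asprintf call, `/* Require the GID attribute: a group without one cannot be used as a POSIX group (ticket 824) */`, would keep a later reader from "simplifying" the filter back to the old form. groups_get_send begins and ends outside the hunk.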
diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c
index f47ee9fbe170bae0058a682a3a051df21cfbc0d6..ae92f9cb85199c6b451bb0f9cee4c5cbe5b776cb 100644
--- a/src/providers/ldap/ldap_id_enum.c
+++ b/src/providers/ldap/ldap_id_enum.c
@@ -546,19 +546,23 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
     state->op = op;
 
     if (ctx->srv_opts && ctx->srv_opts->max_group_value && !purge) {
-        state->filter = talloc_asprintf(state,
-                              "(&(%s=*)(objectclass=%s)(%s>=%s)(!(%s=%s)))",
-                              ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
-                              ctx->opts->group_map[SDAP_OC_GROUP].name,
-                              ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
-                              ctx->srv_opts->max_group_value,
-                              ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
-                              ctx->srv_opts->max_group_value);
+        state->filter = talloc_asprintf(
+                state,
+                "(&(%s=*)(objectclass=%s)(%s=*)(%s>=%s)(!(%s=%s)))",
+                ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
+                ctx->opts->group_map[SDAP_OC_GROUP].name,
+                ctx->opts->group_map[SDAP_AT_GROUP_GID].name,
+                ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
+                ctx->srv_opts->max_group_value,
+                ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
+                ctx->srv_opts->max_group_value);
     } else {
-        state->filter = talloc_asprintf(state,
-                              "(&(%s=*)(objectclass=%s))",
-                              ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
-                              ctx->opts->group_map[SDAP_OC_GROUP].name);
+        state->filter = talloc_asprintf(
+                state,
+                "(&(%s=*)(objectclass=%s)(%s=*))",
+                ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
+                ctx->opts->group_map[SDAP_OC_GROUP].name,
+                ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
     }
     if (!state->filter) {
         DEBUG(2, ("Failed to build filter\n"));
diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c
index 8e459598674d589c0cdfcece125c183f7c95bb4d..a555803c5f4bd0e3b08242d6df98d58194acd999 100644
--- a/src/providers/ldap/sdap_async_accounts.c
+++ b/src/providers/ldap/sdap_async_accounts.c
@@ -2007,10 +2007,11 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
         return NULL;
     }
 
-    filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
+    filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)",
                              opts->group_map[SDAP_AT_GROUP_MEMBER].name,
                              clean_name,
-                             opts->group_map[SDAP_OC_GROUP].name);
+                             opts->group_map[SDAP_OC_GROUP].name,
+                             opts->group_map[SDAP_AT_GROUP_GID].name);
     if (!filter) {
         talloc_zfree(req);
         return NULL;
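Review bot: The new format string in sdap_initgr_rfc2307_send is unbalanced: `"(&(%s=%s)(objectclass=%s)(%s=*)"` never closes the outer `(&` term, unlike the otherwise identical strings in sdap_initgr_rfc2307bis_send and rfc2307bis_nested_groups_step further down. A malformed filter will be rejected by the server or by the client-side filter parser, so every RFC2307 initgroups lookup would fail once this lands, which is an outage rather than a silent miss. The line should read `filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*))",`. sdap_initgr_rfc2307_send starts and ends outside the hunk.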
@@ -2211,8 +2212,9 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
         return NULL;
     }
 
-    state->filter = talloc_asprintf(state, "(objectclass=%s)",
-                                    opts->group_map[SDAP_OC_GROUP].name);
+    state->filter = talloc_asprintf(state, "(&(objectclass=%s)(%s=*))",
+                                    opts->group_map[SDAP_OC_GROUP].name,
+                                    opts->group_map[SDAP_AT_GROUP_GID].name);
     if (!state->filter) {
         talloc_zfree(req);
         return NULL;
@@ -3103,8 +3105,9 @@ static errno_t sdap_nested_group_lookup_group(struct tevent_req *req)
     }
 
     filter = talloc_asprintf(
-            sdap_attrs, "(objectclass=%s)",
-            state->opts->group_map[SDAP_OC_GROUP].name);
+            sdap_attrs, "(&(objectclass=%s)(%s=*))",
+            state->opts->group_map[SDAP_OC_GROUP].name,
+            state->opts->group_map[SDAP_AT_GROUP_GID].name);
     if (!filter) {
         talloc_free(sdap_attrs);
         return ENOMEM;
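Review bot: In sdap_nested_group_lookup_group the GID presence clause now also applies to intermediate groups of a nesting chain, so a GID-less group that itself contains POSIX groups would, if I read the nested walk correctly, no longer be traversed and every membership reached through it would be dropped, not merely the GID-less group itself. That is a fail-closed outcome (users can only lose memberships, never gain them), but it is a change to authorization data that the commit message does not mention; the same applies to sdap_initgr_nested_send and rfc2307bis_nested_groups_step. Consider stating it in the commit message and, if the pruning is intended, at the filter with `/* Groups without a GID are not traversed; memberships nested under them are dropped. */`. The enclosing function continues on both sides of the hunk.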
@@ -3435,10 +3438,11 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
         return NULL;
     }
 
-    filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
+    filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*))",
                              opts->group_map[SDAP_AT_GROUP_MEMBER].name,
                              clean_orig_dn,
-                             opts->group_map[SDAP_OC_GROUP].name);
+                             opts->group_map[SDAP_OC_GROUP].name,
+                             opts->group_map[SDAP_AT_GROUP_GID].name);
     if (!filter) {
         talloc_zfree(req);
         return NULL;
@@ -3839,10 +3843,11 @@ static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req)
     }
 
     filter = talloc_asprintf(
-            tmp_ctx, "(&(%s=%s)(objectclass=%s))",
+            tmp_ctx, "(&(%s=%s)(objectclass=%s)(%s=*))",
             state->opts->group_map[SDAP_AT_GROUP_MEMBER].name,
             clean_orig_dn,
-            state->opts->group_map[SDAP_OC_GROUP].name);
+            state->opts->group_map[SDAP_OC_GROUP].name,
+            state->opts->group_map[SDAP_AT_GROUP_GID].name);
     if (!filter) {
         ret = ENOMEM;
         goto error;
-- 
1.7.4

Attachment: 0001-Require-existence-of-GID-number-in-group-searches.patch.sig
Description: PGP signature
