https://fedorahosted.org/sssd/ticket/1736

The problem only occurs with an OpenLDAP server.
From ff57237ac03425fd4c58c3c6fee581dd9750d06d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Mon, 7 Jan 2013 09:56:18 +0100
Subject: [PATCH 1/2] sudo smart refresh: do not include usn in filter if no
 valid usn is known

https://fedorahosted.org/sssd/ticket/1736

When there are no rules during first refresh, we don't have valid
USN value. We use 0 in this case, but it turned out that OpenLDAP
takes it as invalid time format (if modifyTimestamp is used instead
of USN) and thus returns no records.

Now the USN/modifyTimestamp attribute is not included in the filter
when this situation occurs.
---
 src/providers/ldap/sdap_sudo.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index 047ba587d05f250230aa0dec6af81e8d3579b387..2e900051dd6c1042c13bd2cec3576b40831c12d3 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -865,11 +865,18 @@ static struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
     state->sysdb = id_ctx->be->sysdb;
 
     /* Download all rules from LDAP that are newer than usn */
-    usn = srv_opts->max_sudo_value == NULL ? "0" : srv_opts->max_sudo_value;
-    ldap_filter = talloc_asprintf(state, "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))",
-                                  map[SDAP_OC_SUDORULE].name,
-                                  map[SDAP_AT_SUDO_USN].name, usn,
-                                  map[SDAP_AT_SUDO_USN].name, usn);
+    usn = srv_opts->max_sudo_value;
+    if (usn != NULL) {
+        ldap_filter = talloc_asprintf(state,
+                                      "(&(objectclass=%s)(%s>=%s)(!(%s=%s)))",
+                                      map[SDAP_OC_SUDORULE].name,
+                                      map[SDAP_AT_SUDO_USN].name, usn,
+                                      map[SDAP_AT_SUDO_USN].name, usn);
+    } else {
+        /* no valid USN value known */
+        ldap_filter = talloc_asprintf(state, SDAP_SUDO_FILTER_CLASS,
+                                      map[SDAP_OC_SUDORULE].name);
+    }
     if (ldap_filter == NULL) {
         ret = ENOMEM;
         goto immediately;
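Review bot: The new `usn != NULL` branch still interpolates `srv_opts->max_sudo_value` into the LDAP filter with a bare `%s`, so a value containing filter metacharacters (parentheses, `*`, `\`) would produce a malformed filter and a failed smart refresh rather than being rejected up front. The value comes from the server's USN/modifyTimestamp attribute rather than from a user, so the exposure is low, but it would be worth either passing it through the tree's filter-sanitizing helper before the `talloc_asprintf` or documenting in the comment why the raw value is trusted here. The `/* no valid USN value known */` comment on the else branch would also be clearer if it said why that matters, e.g. `/* No valid USN known (no rules seen yet): omit the USN/modifyTimestamp term entirely, since "0" is rejected as a timestamp by OpenLDAP and returns nothing. */`. sdap_sudo_smart_refresh_send begins before this hunk and continues past it, including the `immediately:` label.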
-- 
1.7.11.7

From 4898807f09f61dcf28131625368fc4b40071efef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Mon, 7 Jan 2013 11:13:40 +0100
Subject: [PATCH 2/2] sudo smart refresh: fix debug message

---
 src/providers/ldap/sdap_sudo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index 2e900051dd6c1042c13bd2cec3576b40831c12d3..4d24a619b92d34833b6eb3b5f99d2a770012ae42 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -892,7 +892,7 @@ static struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx,
      * sysdb_filter = NULL; */
 
     DEBUG(SSSDBG_TRACE_FUNC, ("Issuing a smart refresh of sudo rules "
-                              "(USN >= %s)\n", srv_opts->max_sudo_value));
+                              "(USN > %s)\n", (usn == NULL ? "0" : usn)));
 
     subreq = sdap_sudo_refresh_send(state, id_ctx->be, id_ctx->opts,
                                     id_ctx->conn_cache,
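Review bot: The corrected message reports `(USN > 0)` when `usn` is NULL, but in that case the filter built earlier in this function carries no USN term at all, so the trace line describes a bounded refresh when a full download is actually issued. Logging the two cases distinctly would make incident review less confusing, e.g. `"(USN > %s)\n", usn` when `usn != NULL` and `"(no USN known, downloading all rules)\n"` otherwise. sdap_sudo_smart_refresh_send begins before this hunk and continues past it.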
-- 
1.7.11.7
