URL: https://github.com/SSSD/sssd/pull/254 Author: mzidek-rh Title: #254: Handling of sdap_domain lists in server mode Action: opened
PR body: """ SERVER_MODE: Update sdap lists for each ad_ctx We use a separate AD context for each subdomain in the server mode. Every such context has its own sdap_domain list, which represents sdap options such as filter and search bases for every domain. However, an AD context can only fully initialize the sdap_domain structure for the same domain for which the whole context was created, which left the other sdap_domain structures with automatically detected settings. This can cause problems if a user is a member of groups from multiple domains. Resolves: https://pagure.io/SSSD/sssd/issue/3381 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/254/head:pr254 git checkout pr254
From 3a9cb20e8764ddc4f07efd18975df1497a6487eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzi...@redhat.com> Date: Tue, 11 Apr 2017 19:56:37 +0200 Subject: [PATCH 1/2] SDAP: Fix handling of search bases We were rewriting the sdap_domain's search bases for only the first sdap_domain in the list, which does not work for subdomains. Also when search bases were already initialized in sdap_domain_subdom_add, we should only rewrite them when they were explicitly set in sssd.conf. Resolves: https://pagure.io/SSSD/sssd/issue/3351 --- src/providers/ad/ad_common.c | 39 +++++++++++++++++++++---------- src/providers/ad/ad_common.h | 3 ++- src/providers/ipa/ipa_subdomains_server.c | 2 +- src/providers/ldap/ldap_options.c | 2 -- 4 files changed, 30 insertions(+), 16 deletions(-) diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index f893b74..1a9d8dc 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c @@ -29,7 +29,8 @@ struct ad_server_data { bool gc; }; -errno_t ad_set_search_bases(struct sdap_options *id_opts); +errno_t ad_set_search_bases(struct sdap_options *id_opts, + struct sdap_domain *sdap); static errno_t ad_set_sdap_options(struct ad_options *ad_opts, struct sdap_options *id_opts); @@ -1074,7 +1075,7 @@ ad_get_id_options(struct ad_options *ad_opts, } /* Set up search bases if they were assigned explicitly */ - ret = ad_set_search_bases(id_opts); + ret = ad_set_search_bases(id_opts, NULL); if (ret != EOK) { talloc_free(id_opts); return ret; @@ -1116,11 +1117,14 @@ ad_get_autofs_options(struct ad_options *ad_opts, } errno_t -ad_set_search_bases(struct sdap_options *id_opts) +ad_set_search_bases(struct sdap_options *id_opts, + struct sdap_domain *sdom) { errno_t ret; - char *default_search_base; + char *default_search_base = NULL; size_t o; + struct sdap_domain *sdap_dom; + bool has_default; const int search_base_options[] = { SDAP_USER_SEARCH_BASE, SDAP_GROUP_SEARCH_BASE, SDAP_NETGROUP_SEARCH_BASE, 
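Review bot: The new parameter is `struct sdap_domain *sdap` in this forward declaration (and in the ad_common.h prototype) but `sdom` in the definition further down in this file, so the same argument carries two names depending on where a reader looks; `sdom` matches both the definition and the `id_opts->sdom` field it falls back to. I would use `errno_t ad_set_search_bases(struct sdap_options *id_opts, struct sdap_domain *sdom);` in both places. The NULL meaning this series introduces ("operate on the first sdap_domain in id_opts->sdom") is only discoverable from the body; a one-line comment on the prototype, `/* sdom may be NULL: search bases are then set on the first domain in id_opts->sdom. */`, would make the `ad_set_search_bases(id_opts, NULL)` call in ad_get_id_options() self-explanatory.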
@@ -1132,10 +1136,21 @@ ad_set_search_bases(struct sdap_options *id_opts) * been specifically overridden. */ - default_search_base = - dp_opt_get_string(id_opts->basic, SDAP_SEARCH_BASE); + if (sdom != NULL) { + sdap_dom = sdom; + } else { + /* If no specific sdom was given, use the first in the list. */ + sdap_dom = id_opts->sdom; + } + + has_default = sdap_dom->search_bases != NULL; + + if (has_default == false) { + default_search_base = + dp_opt_get_string(id_opts->basic, SDAP_SEARCH_BASE); + } - if (default_search_base) { + if (default_search_base && has_default == false) { /* set search bases if they are not */ for (o = 0; search_base_options[o] != -1; o++) { if (NULL == dp_opt_get_string(id_opts->basic, @@ -1162,31 +1177,31 @@ ad_set_search_bases(struct sdap_options *id_opts) /* Default search */ ret = sdap_parse_search_base(id_opts, id_opts->basic, SDAP_SEARCH_BASE, - &id_opts->sdom->search_bases); + &sdap_dom->search_bases); if (ret != EOK && ret != ENOENT) goto done; /* User search */ ret = sdap_parse_search_base(id_opts, id_opts->basic, SDAP_USER_SEARCH_BASE, - &id_opts->sdom->user_search_bases); + &sdap_dom->user_search_bases); if (ret != EOK && ret != ENOENT) goto done; /* Group search base */ ret = sdap_parse_search_base(id_opts, id_opts->basic, SDAP_GROUP_SEARCH_BASE, - &id_opts->sdom->group_search_bases); + &sdap_dom->group_search_bases); if (ret != EOK && ret != ENOENT) goto done; /* Netgroup search */ ret = sdap_parse_search_base(id_opts, id_opts->basic, SDAP_NETGROUP_SEARCH_BASE, - &id_opts->sdom->netgroup_search_bases); + &sdap_dom->netgroup_search_bases); if (ret != EOK && ret != ENOENT) goto done; /* Service search */ ret = sdap_parse_search_base(id_opts, id_opts->basic, SDAP_SERVICE_SEARCH_BASE, - &id_opts->sdom->service_search_bases); + &sdap_dom->service_search_bases); if (ret != EOK && ret != ENOENT) goto done; ret = EOK; diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h index 2981550..ce33b37 100644 
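Review bot: `sdap_dom = id_opts->sdom` is dereferenced on the next statement (`sdap_dom->search_bases`) without a check; if `id_opts->sdom` can still be NULL when ad_get_id_options() calls `ad_set_search_bases(id_opts, NULL)` — the code that populates that list is not in this patch — this is a NULL dereference on a configuration path. A guard such as `if (sdap_dom == NULL) return EINVAL;` before the `has_default` line is cheap. Separately, `if (default_search_base && has_default == false)` is redundant: `default_search_base` is initialised to NULL and only assigned inside the `has_default == false` branch, so `if (default_search_base)` expresses the same condition, and the reason for the `has_default` test (pre-populated subdomain search bases must never be overwritten by the default) deserves a comment rather than a second boolean. ad_set_search_bases continues beyond this hunk.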
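Review bot: With `*_search_bases = NULL` removed from sdap_parse_search_base() elsewhere in this patch, the `ret != ENOENT` tolerance in these five calls now silently keeps whatever `sdap_dom->..._search_bases` already held, which is the intended behaviour for subdomains pre-populated by sdap_domain_subdom_add() but is invisible to a reader of this function. I would state it once above the first call: `/* ENOENT: option not in sssd.conf; keep the search bases sdap_dom already carries (e.g. from sdap_domain_subdom_add()) instead of clearing them. */`. On the `sdom == NULL` path this also relies on `id_opts->sdom`'s search-base fields being zero-initialised before ad_get_id_options() reaches here, which I cannot verify from this hunk. The function's `done:` label and cleanup lie outside the hunk.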
--- a/src/providers/ad/ad_common.h +++ b/src/providers/ad/ad_common.h @@ -130,7 +130,8 @@ struct ad_options *ad_create_1way_trust_options(TALLOC_CTX *mem_ctx, const char *keytab, const char *sasl_authid); -errno_t ad_set_search_bases(struct sdap_options *id_opts); +errno_t ad_set_search_bases(struct sdap_options *id_opts, + struct sdap_domain *sdap); errno_t ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *ctx, diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c index e8ee303..b02ea67 100644 --- a/src/providers/ipa/ipa_subdomains_server.c +++ b/src/providers/ipa/ipa_subdomains_server.c @@ -332,7 +332,7 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx, return EFAULT; } - ret = ad_set_search_bases(ad_options->id); + ret = ad_set_search_bases(ad_options->id, sdom); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD search bases\n"); talloc_free(ad_options); diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c index 15a2609..eb4e177 100644 --- a/src/providers/ldap/ldap_options.c +++ b/src/providers/ldap/ldap_options.c @@ -581,8 +581,6 @@ errno_t sdap_parse_search_base(TALLOC_CTX *mem_ctx, char *unparsed_base; const char *old_filter = NULL; - *_search_bases = NULL; - switch (class) { case SDAP_SEARCH_BASE: class_name = "DEFAULT"; From ddf911c2ebac1409d954d4df4e29903adab87313 Mon Sep 17 00:00:00 2001 
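Review bot: Dropping `*_search_bases = NULL;` changes sdap_parse_search_base()'s contract: on ENOENT (option not set) the out-parameter is now left untouched, so every caller must hand in an initialised pointer. The caller this series adjusts (ad_set_search_bases) writes into talloc'd struct fields, but any other caller that passes an uninitialised local — none are visible from this hunk — would now carry garbage forward as a search-base array, and those arrays scope which LDAP subtrees users and groups are resolved from. I would record the new contract in the function's header comment, `/* On ENOENT *_search_bases is left unchanged; callers must initialise it. */`, and audit the remaining callers of sdap_parse_search_base in the same change. The function body continues outside the hunk.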
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzi...@redhat.com> Date: Fri, 28 Apr 2017 20:49:56 +0200 Subject: [PATCH 2/2] SERVER_MODE: Update sdap lists for each ad_ctx We use separate AD context for each subdomain in the server mode. Every such context has it's own sdap_domain list witch represents sdap options such as filter and search bases for every domain. However AD context can only fully initialize sdap_domain structure for the same domain for which the whole context was created, which resulted in the other sdap_domain structures to be have automaticily detected settings. This can cause problems if user is member of groups from multiple domains. Resolves: https://pagure.io/SSSD/sssd/issue/3381 --- src/providers/ipa/ipa_subdomains_server.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c index b02ea67..86b1c32 100644 --- a/src/providers/ipa/ipa_subdomains_server.c +++ b/src/providers/ipa/ipa_subdomains_server.c @@ -870,6 +870,7 @@ static errno_t ipa_server_create_trusts_step(struct tevent_req *req) { struct tevent_req *subreq = NULL; struct ipa_ad_server_ctx *trust_iter; + struct ipa_ad_server_ctx *trust_i; struct ipa_server_create_trusts_state *state = NULL; state = tevent_req_data(req, struct ipa_server_create_trusts_state); 
@@ -900,6 +901,35 @@ static errno_t ipa_server_create_trusts_step(struct tevent_req *req) } } + /* Refresh all sdap_dom lists in all ipa_ad_server_ctx contexts */ + DLIST_FOR_EACH(trust_iter, state->id_ctx->server_mode->trusts) { + struct sdap_domain *sdom_a; + + sdom_a = sdap_domain_get(trust_iter->ad_id_ctx->sdap_id_ctx->opts, + trust_iter->dom); + + DLIST_FOR_EACH(trust_i, state->id_ctx->server_mode->trusts) { + struct sdap_domain *sdom_b; + + if (strcmp(trust_iter->dom->name, trust_i->dom->name) == 0) { + continue; + } + + sdom_b = sdap_domain_get(trust_i->ad_id_ctx->sdap_id_ctx->opts, + sdom_a->dom); + + /* Replace basedn and search bases from sdom_b with values + * from sdom_a */ + sdom_b->search_bases = sdom_a->search_bases; + sdom_b->user_search_bases = sdom_a->user_search_bases; + sdom_b->group_search_bases = sdom_a->group_search_bases; + sdom_b->netgroup_search_bases = sdom_a->netgroup_search_bases; + sdom_b->sudo_search_bases = sdom_a->sudo_search_bases; + sdom_b->service_search_bases = sdom_a->service_search_bases; + sdom_b->autofs_search_bases = sdom_a->autofs_search_bases; + } + } + return EOK; }
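Review bot: The assignments starting at `sdom_b->search_bases = sdom_a->search_bases;` alias talloc memory owned by another ad_id_ctx's sdap_domain instead of copying it; if a trust context is freed or rebuilt while others survive — this step appears to re-run on trust refresh, judging by its name, though the teardown path is not visible here — the remaining contexts keep dangling pointers to freed search-base arrays, and those arrays decide which LDAP subtrees users and groups are looked up in. Either `talloc_reference()` each array under `sdom_b` or copy the arrays into `sdom_b`'s context. Also, `sdap_domain_get()` is a lookup whose result is dereferenced unchecked in both loops (`sdom_a->dom`, then every `sdom_b->...`); if it can return NULL for a domain not yet present in that context's list, add `if (sdom_a == NULL) continue;` after the outer lookup and `if (sdom_b == NULL) continue;` after the inner one. The enclosing ipa_server_create_trusts_step() opens outside this hunk.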