URL: https://github.com/SSSD/sssd/pull/628 Author: fidencio Title: #628: providers: drop ldap_{init,}groups_use_matching_rule_in_chain support Action: opened
PR body: """ Resolves: https://pagure.io/SSSD/sssd/issue/3492 Signed-off-by: Fabiano FidĂȘncio <fiden...@redhat.com> """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/628/head:pr628 git checkout pr628
From d4c5e62d0d5725c666ab7fc5ac124579dc2b0a53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com> Date: Tue, 7 Aug 2018 11:04:53 +0200 Subject: [PATCH] providers: drop ldap_{init,}groups_use_matching_rule_in_chain support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Resolves: https://pagure.io/SSSD/sssd/issue/3492 Signed-off-by: Fabiano FidĂȘncio <fiden...@redhat.com> --- src/config/SSSDConfig/__init__.py.in | 2 - src/config/cfg_rules.ini | 2 - src/config/etc/sssd.api.d/sssd-ad.conf | 2 - src/config/etc/sssd.api.d/sssd-ipa.conf | 2 - src/config/etc/sssd.api.d/sssd-ldap.conf | 2 - src/man/sssd-ldap.5.xml | 59 ---- src/providers/ad/ad_opts.c | 2 - src/providers/ipa/ipa_opts.c | 2 - src/providers/ldap/ldap_opts.c | 2 - src/providers/ldap/sdap.h | 2 - src/providers/ldap/sdap_async.c | 84 +----- src/providers/ldap/sdap_async.h | 15 - src/providers/ldap/sdap_async_groups.c | 141 +-------- src/providers/ldap/sdap_async_initgroups.c | 18 -- src/providers/ldap/sdap_async_initgroups_ad.c | 277 ------------------ 15 files changed, 7 insertions(+), 605 deletions(-) diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 32b74e4c76..1210f0914e 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -405,8 +405,6 @@ option_strings = { 'ldap_idmap_default_domain_sid' : _('SID of the default domain for ID-mapping'), 'ldap_idmap_helper_table_size' : _('Number of secondary slices'), - 'ldap_groups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups'), - 'ldap_initgroups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups'), 'ldap_use_tokengroups' : _('Whether to use Token-Groups'), 'ldap_min_id' : _('Set lower boundary for allowed IDs from the LDAP server'), 'ldap_max_id' : _('Set upper boundary for allowed IDs from the LDAP server'), diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 5513227803..7016243675 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -611,7 +611,6 @@ option = ldap_group_objectsid option = ldap_group_search_base option = ldap_group_search_filter option = ldap_group_search_scope -option = ldap_groups_use_matching_rule_in_chain option = ldap_group_type option = ldap_group_uuid option = ldap_idmap_autorid_compat @@ -623,7 +622,6 @@ option = ldap_idmap_range_max option = ldap_idmap_range_min option = ldap_idmap_range_size option = ldap_id_use_start_tls -option = ldap_initgroups_use_matching_rule_in_chain option = ldap_krb5_init_creds option = ldap_krb5_keytab option = ldap_krb5_ticket_lifetime diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf index 8d97a416c8..fad5d30941 100644 --- a/src/config/etc/sssd.api.d/sssd-ad.conf +++ b/src/config/etc/sssd.api.d/sssd-ad.conf @@ -129,8 +129,6 @@ ldap_idmap_autorid_compat = bool, None, false ldap_idmap_default_domain = str, None, false ldap_idmap_default_domain_sid = str, None, false ldap_idmap_helper_table_size = int, None, false -ldap_groups_use_matching_rule_in_chain = bool, None, false -ldap_initgroups_use_matching_rule_in_chain = bool, None, false ldap_use_tokengroups = bool, None, false ldap_rfc2307_fallback_to_local_users = bool, None, false ldap_pwdlockout_dn = str, None, false diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf index ab9634c7a6..9c7f395450 100644 --- a/src/config/etc/sssd.api.d/sssd-ipa.conf +++ b/src/config/etc/sssd.api.d/sssd-ipa.conf @@ -135,8 +135,6 @@ ldap_idmap_autorid_compat = bool, None, false ldap_idmap_default_domain = str, None, false ldap_idmap_default_domain_sid = str, None, false ldap_idmap_helper_table_size = int, None, false -ldap_groups_use_matching_rule_in_chain = bool, None, false -ldap_initgroups_use_matching_rule_in_chain = bool, None, false ldap_use_tokengroups = bool, None, false ldap_rfc2307_fallback_to_local_users = bool, None, false ipa_server_mode = bool, None, false diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf index 65b6407f68..655445d2ac 100644 --- a/src/config/etc/sssd.api.d/sssd-ldap.conf +++ b/src/config/etc/sssd.api.d/sssd-ldap.conf @@ -122,8 +122,6 @@ ldap_idmap_autorid_compat = bool, None, false ldap_idmap_default_domain = str, None, false ldap_idmap_default_domain_sid = str, None, false ldap_idmap_helper_table_size = int, None, false -ldap_groups_use_matching_rule_in_chain = bool, None, false -ldap_initgroups_use_matching_rule_in_chain = bool, None, false ldap_use_tokengroups = bool, None, false ldap_rfc2307_fallback_to_local_users = bool, None, false ldap_min_id = int, None, false diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index 3145f07303..7b4bc74b81 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml @@ -1057,65 +1057,6 @@ </listitem> </varlistentry> - <varlistentry> - <term>ldap_groups_use_matching_rule_in_chain</term> - <listitem> - <para> - This option tells SSSD to take advantage of an - Active Directory-specific feature which may speed - up group lookup operations on deployments with - complex or deep nested groups. - </para> - <para> - In most common cases, it is best to leave this - option disabled. It generally only provides a - performance increase on very complex nestings. - </para> - <para> - If this option is enabled, SSSD will use it if it - detects that the server supports it during initial - connection. So "True" here essentially means - "auto-detect". - </para> - <para> - Note: This feature is currently known to work only - with Active Directory 2008 R1 and later. See - <ulink url="http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx"> - MSDN(TM) documentation</ulink> for more details. - </para> - <para> - Default: False - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>ldap_initgroups_use_matching_rule_in_chain</term> - <listitem> - <para> - This option tells SSSD to take advantage of an - Active Directory-specific feature which might speed - up initgroups operations (most notably when - dealing with complex or deep nested groups). - </para> - <para> - If this option is enabled, SSSD will use it if it - detects that the server supports it during initial - connection. So "True" here essentially means - "auto-detect". - </para> - <para> - Note: This feature is currently known to work only - with Active Directory 2008 R1 and later. See - <ulink url="http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx"> - MSDN(TM) documentation</ulink> for more details. - </para> - <para> - Default: False - </para> - </listitem> - </varlistentry> - <varlistentry> <term>ldap_use_tokengroups</term> <listitem> diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c index afcfa3773a..72321a5084 100644 --- a/src/providers/ad/ad_opts.c +++ b/src/providers/ad/ad_opts.c @@ -140,8 +140,6 @@ struct dp_option ad_def_ldap_opts[] = { { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_idmap_helper_table_size", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, - { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, - { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE}, { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c index 485ad4fe3f..11fc9531da 100644 --- a/src/providers/ipa/ipa_opts.c +++ b/src/providers/ipa/ipa_opts.c @@ -152,8 +152,6 @@ struct dp_option ipa_def_ldap_opts[] = { { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_idmap_helper_table_size", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, - { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, - { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE}, { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c index 8b82e92eed..d1b2806295 100644 --- a/src/providers/ldap/ldap_opts.c +++ b/src/providers/ldap/ldap_opts.c @@ -113,8 +113,6 @@ struct dp_option default_basic_opts[] = { { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_idmap_helper_table_size", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, - { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, - { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE}, { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index 31c25c32f0..b1ea3f0b57 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h @@ -227,8 +227,6 @@ enum sdap_basic_opt { SDAP_IDMAP_DEFAULT_DOMAIN, SDAP_IDMAP_DEFAULT_DOMAIN_SID, SDAP_IDMAP_EXTRA_SLICE_INIT, - SDAP_AD_MATCHING_RULE_GROUPS, - SDAP_AD_MATCHING_RULE_INITGROUPS, SDAP_AD_USE_TOKENGROUPS, SDAP_RFC2307_FALLBACK_TO_LOCAL_USERS, SDAP_DISABLE_RANGE_RETRIEVAL, diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c index 8fc832ae57..f9115c7965 100644 --- a/src/providers/ldap/sdap_async.c +++ b/src/providers/ldap/sdap_async.c @@ -847,7 +847,6 @@ struct sdap_get_rootdse_state { }; static void sdap_get_rootdse_done(struct tevent_req *subreq); -static void sdap_get_matching_rule_done(struct tevent_req *subreq); struct tevent_req *sdap_get_rootdse_send(TALLOC_CTX *memctx, struct tevent_context *ev, @@ -899,8 +898,6 @@ struct tevent_req *sdap_get_rootdse_send(TALLOC_CTX *memctx, /* This is not a real attribute, it's just there to avoid * actually pulling real data down, to save bandwidth */ -#define SDAP_MATCHING_RULE_TEST_ATTR "sssmatchingruletest" - static void sdap_get_rootdse_done(struct tevent_req *subreq) { struct tevent_req *req = tevent_req_callback_data(subreq, @@ -910,8 +907,6 @@ static void sdap_get_rootdse_done(struct tevent_req *subreq) struct sysdb_attrs **results; size_t num_results; int ret; - const char *filter; - const char *attrs[] = { SDAP_MATCHING_RULE_TEST_ATTR, NULL }; ret = sdap_get_generic_recv(subreq, state, &num_results, &results); talloc_zfree(subreq); @@ -940,81 +935,14 @@ static void sdap_get_rootdse_done(struct tevent_req *subreq) DEBUG(SSSDBG_TRACE_INTERNAL, "Got rootdse\n"); - /* Auto-detect the LDAP matching rule if requested */ - if ((!dp_opt_get_bool(state->opts->basic, - SDAP_AD_MATCHING_RULE_INITGROUPS)) - && !dp_opt_get_bool(state->opts->basic, - SDAP_AD_MATCHING_RULE_GROUPS)) { - /* This feature is disabled for both groups - * and initgroups. Skip the auto-detection - * lookup. - */ - DEBUG(SSSDBG_TRACE_INTERNAL, - "Skipping auto-detection of match rule\n"); - tevent_req_done(req); - return; - } - - DEBUG(SSSDBG_TRACE_INTERNAL, - "Auto-detecting support for match rule\n"); - - /* Create a filter using the matching rule. It need not point - * at any valid data. We're only going to be looking for the - * error code. - */ - filter = "("SDAP_MATCHING_RULE_TEST_ATTR":" - SDAP_MATCHING_RULE_IN_CHAIN":=)"; - - /* Perform a trivial query with the matching rule in play. - * If it returns success, we know it is available. If it - * returns EIO, we know it isn't. + /* This feature is disabled for both groups + * and initgroups. Skip the auto-detection + * lookup. */ - subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, - "", LDAP_SCOPE_BASE, filter, attrs, NULL, - 0, dp_opt_get_int(state->opts->basic, - SDAP_SEARCH_TIMEOUT), - false); - if (!subreq) { - tevent_req_error(req, ENOMEM); - return; - } - tevent_req_set_callback(subreq, sdap_get_matching_rule_done, req); -} - -static void sdap_get_matching_rule_done(struct tevent_req *subreq) -{ - errno_t ret; - struct tevent_req *req = tevent_req_callback_data(subreq, - struct tevent_req); - struct sdap_get_rootdse_state *state = tevent_req_data(req, - struct sdap_get_rootdse_state); - size_t num_results; - struct sysdb_attrs **results; - - ret = sdap_get_generic_recv(subreq, state, &num_results, &results); - talloc_zfree(subreq); - if (ret == EOK) { - /* The search succeeded */ - state->opts->support_matching_rule = true; - } else if (ret == EIO) { - /* The search failed. Disable support for - * matching rule lookups. - */ - state->opts->support_matching_rule = false; - } else { - DEBUG(SSSDBG_MINOR_FAILURE, - "Unexpected error while testing for matching rule support\n"); - tevent_req_error(req, ret); - return; - } - - DEBUG(SSSDBG_CONF_SETTINGS, - "LDAP server %s the matching rule extension\n", - state->opts->support_matching_rule - ? "supports" - : "does not support"); - + DEBUG(SSSDBG_TRACE_INTERNAL, + "Skipping auto-detection of match rule\n"); tevent_req_done(req); + return; } int sdap_get_rootdse_recv(struct tevent_req *req, diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h index 6d09aca7a3..2cedacf1d5 100644 --- a/src/providers/ldap/sdap_async.h +++ b/src/providers/ldap/sdap_async.h @@ -367,21 +367,6 @@ sdap_get_ad_match_rule_members_recv(struct tevent_req *req, size_t *num_users, struct sysdb_attrs ***users); -struct tevent_req * -sdap_get_ad_match_rule_initgroups_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct sdap_options *opts, - struct sysdb_ctx *sysdb, - struct sss_domain_info *domain, - struct sdap_handle *sh, - const char *name, - const char *orig_dn, - int timeout); - -errno_t -sdap_get_ad_match_rule_initgroups_recv(struct tevent_req *req); - - struct tevent_req * sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index 77acded7a4..e92a1b9e96 100644 --- a/src/providers/ldap/sdap_async_groups.c +++ b/src/providers/ldap/sdap_async_groups.c @@ -1987,7 +1987,6 @@ static void sdap_nested_done(struct tevent_req *req); static void sdap_search_group_copy_batch(struct sdap_get_groups_state *state, struct sysdb_attrs **groups, size_t count); -static void sdap_ad_match_rule_members_process(struct tevent_req *subreq); static void sdap_get_groups_process(struct tevent_req *subreq) { @@ -2092,8 +2091,7 @@ static void sdap_get_groups_process(struct tevent_req *subreq) */ if (state->lookup_type == SDAP_LOOKUP_SINGLE) { if ((state->opts->schema_type != SDAP_SCHEMA_RFC2307) - && (dp_opt_get_int(state->opts->basic, SDAP_NESTING_LEVEL) != 0) - && !dp_opt_get_bool(state->opts->basic, SDAP_AD_MATCHING_RULE_GROUPS)) { + && (dp_opt_get_int(state->opts->basic, SDAP_NESTING_LEVEL) != 0)) { subreq = sdap_nested_group_send(state, state->ev, state->sdom, state->opts, state->sh, state->groups[0]); @@ -2110,26 +2108,6 @@ static void sdap_get_groups_process(struct tevent_req *subreq) /* We have all of the groups. Save them to the sysdb */ state->check_count = state->count; - /* If we're using LDAP_MATCHING_RULE_IN_CHAIN, start a subreq to - * retrieve the members so we can save them in a single step. - */ - if (state->lookup_type == SDAP_LOOKUP_SINGLE - && (state->opts->schema_type != SDAP_SCHEMA_RFC2307) - && state->opts->support_matching_rule - && dp_opt_get_bool(state->opts->basic, SDAP_AD_MATCHING_RULE_GROUPS)) { - subreq = sdap_get_ad_match_rule_members_send( - state, state->ev, state->opts, state->sh, - state->groups[0], state->timeout); - if (!subreq) { - tevent_req_error(req, ENOMEM); - return; - } - tevent_req_set_callback(subreq, - sdap_ad_match_rule_members_process, - req); - return; - } - ret = sysdb_transaction_start(state->sysdb); if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, "Failed to start transaction\n"); @@ -2250,123 +2228,6 @@ static errno_t sdap_nested_group_populate_users(TALLOC_CTX *mem_ctx, int num_users, hash_table_t **_ghosts); -static void sdap_ad_match_rule_members_process(struct tevent_req *subreq) -{ - errno_t ret; - TALLOC_CTX *tmp_ctx = NULL; - struct tevent_req *req = - tevent_req_callback_data(subreq, struct tevent_req); - struct sdap_get_groups_state *state = tevent_req_data(req, - struct sdap_get_groups_state); - struct sysdb_attrs **users; - struct sysdb_attrs *group = state->groups[0]; - struct ldb_message_element *member_el; - struct ldb_message_element *orig_dn_el; - size_t count = 0; - size_t i; - hash_table_t *ghosts; - - ret = sdap_get_ad_match_rule_members_recv(subreq, state, - &count, &users); - talloc_zfree(subreq); - if (ret != EOK && ret != ENOENT) { - DEBUG(SSSDBG_MINOR_FAILURE, - "Could not retrieve members using AD match rule. [%s]\n", - strerror(ret)); - - goto done; - } - - /* Save the group and users to the cache */ - - /* Truncate the member attribute of the group. - * It will be repopulated below, and it may currently - * be incomplete anyway, thanks to the range extension. - */ - - ret = sysdb_attrs_get_el(group, SYSDB_MEMBER, &member_el); - if (ret != EOK) { - goto done; - } - - member_el->num_values = 0; - talloc_zfree(member_el->values); - - tmp_ctx = talloc_new(NULL); - if (!tmp_ctx) { - ret = ENOMEM; - goto done; - } - - /* Figure out which users are already cached in the sysdb and - * which ones need to be added as ghost users. - */ - ret = sdap_nested_group_populate_users(tmp_ctx, state->sysdb, state->dom, - state->opts, users, count, - &ghosts); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - "Could not determine which users are ghosts: [%s]\n", - strerror(ret)); - goto done; - } - - /* Add any entries that aren't in the ghost hash table to the - * member element of the group. This will get converted to a - * native sysdb representation later in sdap_save_groups(). - */ - - /* Add all of the users as members - */ - member_el->values = talloc_zero_array(tmp_ctx, struct ldb_val, count); - if (!member_el->values) { - ret = ENOMEM; - goto done; - } - - /* Copy the origDN values of the users into the member element */ - for (i = 0; i < count; i++) { - ret = sysdb_attrs_get_el(users[i], SYSDB_ORIG_DN, - &orig_dn_el); - if (ret != EOK) { - /* This should never happen. Every entry should have - * an originalDN. - */ - DEBUG(SSSDBG_MINOR_FAILURE, - "BUG: Missing originalDN for user?\n"); - goto done; - } - - /* These values will have the same lifespan, so instead - * of copying them, just point at the data. - */ - member_el->values[i].data = orig_dn_el->values[0].data; - member_el->values[i].length = orig_dn_el->values[0].length; - } - member_el->num_values = count; - - /* Now save the group, users and ghosts to the cache */ - ret = sdap_save_groups(tmp_ctx, state->sysdb, state->dom, - state->opts, state->groups, 1, - false, ghosts, true, NULL); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - "Could not save group to the cache: [%s]\n", - strerror(ret)); - goto done; - } - - ret = EOK; - -done: - talloc_free(tmp_ctx); - - if (ret == EOK) { - tevent_req_done(req); - } else { - tevent_req_error(req, ret); - } -} int sdap_get_groups_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, char **usn_value) diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index cbe8a4cfe6..3554533614 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c @@ -3089,19 +3089,6 @@ static void sdap_get_initgr_user(struct tevent_req *subreq) cname, orig_dn, state->timeout, state->use_id_mapping); - } else if (state->opts->support_matching_rule - && dp_opt_get_bool(state->opts->basic, - SDAP_AD_MATCHING_RULE_INITGROUPS)) { - /* Take advantage of AD's extensibleMatch filter to look up - * all parent groups in a single request. - */ - subreq = sdap_get_ad_match_rule_initgroups_send(state, state->ev, - state->opts, - state->sysdb, - state->dom, - state->sh, - cname, orig_dn, - state->timeout); } else { subreq = sdap_initgr_rfc2307bis_send( state, state->ev, state->opts, @@ -3277,11 +3264,6 @@ static void sdap_get_initgr_done(struct tevent_req *subreq) && dp_opt_get_bool(state->opts->basic, SDAP_AD_USE_TOKENGROUPS)) { ret = sdap_ad_tokengroups_initgroups_recv(subreq); - } - else if (state->opts->support_matching_rule - && dp_opt_get_bool(state->opts->basic, - SDAP_AD_MATCHING_RULE_INITGROUPS)) { - ret = sdap_get_ad_match_rule_initgroups_recv(subreq); } else { ret = sdap_initgr_rfc2307bis_recv(subreq); } diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c index 22209eac0e..107ed8683b 100644 --- a/src/providers/ldap/sdap_async_initgroups_ad.c +++ b/src/providers/ldap/sdap_async_initgroups_ad.c @@ -29,283 +29,6 @@ #include "providers/ad/ad_common.h" #include "lib/idmap/sss_idmap.h" -struct sdap_ad_match_rule_initgr_state { - struct tevent_context *ev; - struct sdap_options *opts; - struct sysdb_ctx *sysdb; - struct sss_domain_info *domain; - struct sdap_handle *sh; - const char *name; - const char *orig_dn; - const char **attrs; - int timeout; - const char *base_filter; - char *filter; - - size_t count; - struct sysdb_attrs **groups; - - size_t base_iter; - struct sdap_search_base **search_bases; -}; - -static errno_t -sdap_get_ad_match_rule_initgroups_next_base(struct tevent_req *req); - -static void -sdap_get_ad_match_rule_initgroups_step(struct tevent_req *subreq); - -struct tevent_req * -sdap_get_ad_match_rule_initgroups_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct sdap_options *opts, - struct sysdb_ctx *sysdb, - struct sss_domain_info *domain, - struct sdap_handle *sh, - const char *name, - const char *orig_dn, - int timeout) -{ - errno_t ret; - struct tevent_req *req; - struct sdap_ad_match_rule_initgr_state *state; - const char **filter_members; - char *sanitized_user_dn; - char *oc_list; - - req = tevent_req_create(mem_ctx, &state, - struct sdap_ad_match_rule_initgr_state); - if (!req) return NULL; - - state->ev = ev; - state->opts = opts; - state->sysdb = sysdb; - state->domain = domain; - state->sh = sh; - state->name = name; - state->orig_dn = orig_dn; - state->base_iter = 0; - state->search_bases = opts->sdom->group_search_bases; - - /* Request all of the group attributes that we know - * about, except for 'member' because that wastes a - * lot of bandwidth here and we only really - * care about a single member (the one we already - * have). - */ - filter_members = talloc_array(state, const char *, 2); - if (!filter_members) { - ret = ENOMEM; - goto immediate; - } - filter_members[0] = opts->group_map[SDAP_AT_GROUP_MEMBER].name; - filter_members[1] = NULL; - - ret = build_attrs_from_map(state, opts->group_map, - SDAP_OPTS_GROUP, - filter_members, - &state->attrs, NULL); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - "Could not build attribute map: [%s]\n", - strerror(ret)); - goto immediate; - } - - /* Sanitize the user DN in case we have special characters in DN */ - ret = sss_filter_sanitize(state, state->orig_dn, &sanitized_user_dn); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - "Could not sanitize user DN: %s\n", - strerror(ret)); - goto immediate; - } - - /* Craft a special filter according to - * http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx - */ - oc_list = sdap_make_oc_list(state, state->opts->group_map); - if (oc_list == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create objectClass list.\n"); - ret = ENOMEM; - goto immediate; - } - - state->base_filter = - talloc_asprintf(state, - "(&(%s:%s:=%s)(%s))", - state->opts->group_map[SDAP_AT_GROUP_MEMBER].name, - SDAP_MATCHING_RULE_IN_CHAIN, - sanitized_user_dn, oc_list); - talloc_zfree(sanitized_user_dn); - if (!state->base_filter) { - ret = ENOMEM; - goto immediate; - } - - /* Start the loop through the search bases to get all of the - * groups to which this user belongs. - */ - ret = sdap_get_ad_match_rule_initgroups_next_base(req); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - "sdap_get_ad_match_rule_members_next_base failed: [%s]\n", - strerror(ret)); - goto immediate; - } - - return req; - -immediate: - tevent_req_error(req, ret); - tevent_req_post(req, ev); - return req; -} - -static errno_t -sdap_get_ad_match_rule_initgroups_next_base(struct tevent_req *req) -{ - struct tevent_req *subreq; - struct sdap_ad_match_rule_initgr_state *state; - - state = tevent_req_data(req, struct sdap_ad_match_rule_initgr_state); - - talloc_zfree(state->filter); - state->filter = sdap_combine_filters(state, state->base_filter, - state->search_bases[state->base_iter]->filter); - if (!state->filter) { - return ENOMEM; - } - - DEBUG(SSSDBG_TRACE_FUNC, - "Searching for groups with base [%s]\n", - state->search_bases[state->base_iter]->basedn); - - subreq = sdap_get_generic_send( - state, state->ev, state->opts, state->sh, - state->search_bases[state->base_iter]->basedn, - state->search_bases[state->base_iter]->scope, - state->filter, state->attrs, - state->opts->group_map, SDAP_OPTS_GROUP, - state->timeout, true); - if (!subreq) { - return ENOMEM; - } - - tevent_req_set_callback(subreq, - sdap_get_ad_match_rule_initgroups_step, - req); - - return EOK; -} - -static void -sdap_get_ad_match_rule_initgroups_step(struct tevent_req *subreq) -{ - errno_t ret; - struct tevent_req *req = - tevent_req_callback_data(subreq, struct tevent_req); - struct sdap_ad_match_rule_initgr_state *state = - tevent_req_data(req, struct sdap_ad_match_rule_initgr_state); - size_t count, i; - struct sysdb_attrs **groups; - char **sysdb_grouplist; - - ret = sdap_get_generic_recv(subreq, state, &count, &groups); - talloc_zfree(subreq); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - "LDAP search failed: [%s]\n", sss_strerror(ret)); - goto error; - } - - DEBUG(SSSDBG_TRACE_LIBS, - "Search for users returned %zu results\n", count); - - /* Add this batch of groups to the list */ - if (count > 0) { - state->groups = talloc_realloc(state, state->groups, - struct sysdb_attrs *, - state->count + count + 1); - if (!state->groups) { - tevent_req_error(req, ENOMEM); - return; - } - - /* Copy the new groups into the list */ - for (i = 0; i < count; i++) { - state->groups[state->count + i] = - talloc_steal(state->groups, groups[i]); - } - - state->count += count; - state->groups[state->count] = NULL; - } - - /* Continue checking other search bases */ - state->base_iter++; - if (state->search_bases[state->base_iter]) { - /* There are more search bases to try */ - ret = sdap_get_ad_match_rule_initgroups_next_base(req); - if (ret != EOK) { - goto error; - } - return; - } - - /* No more search bases. Save the groups. */ - - if (state->count == 0) { - DEBUG(SSSDBG_TRACE_LIBS, - "User is not a member of any group in the search bases\n"); - } - - /* Get the current sysdb group list for this user - * so we can update it. - */ - ret = get_sysdb_grouplist(state, state->sysdb, state->domain, - state->name, &sysdb_grouplist); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - "Could not get the list of groups for [%s] in the sysdb: " - "[%s]\n", - state->name, strerror(ret)); - goto error; - } - - /* The extensibleMatch search rule eliminates the need for - * nested group searches, so we can just update the - * memberships now. - */ - ret = sdap_initgr_common_store(state->sysdb, - state->domain, - state->opts, - state->name, - SYSDB_MEMBER_USER, - sysdb_grouplist, - state->groups, - state->count); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - "Could not store groups for user [%s]: [%s]\n", - state->name, strerror(ret)); - goto error; - } - - tevent_req_done(req); - return; - -error: - tevent_req_error(req, ret); -} - -errno_t -sdap_get_ad_match_rule_initgroups_recv(struct tevent_req *req) -{ - TEVENT_REQ_RETURN_ON_ERROR(req); - return EOK; -} - struct sdap_get_ad_tokengroups_state { struct tevent_context *ev; struct sss_idmap_ctx *idmap_ctx;
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/VN5VRXXHVEEH4VL2WXK6VUWKORMKOSDY/