URL: https://github.com/SSSD/sssd/pull/628
Author: fidencio
Title: #628: providers: drop ldap_{init,}groups_use_matching_rule_in_chain
support
Action: opened
PR body:
"""
Resolves:
https://pagure.io/SSSD/sssd/issue/3492
Signed-off-by: Fabiano FidĂȘncio <fiden...@redhat.com>
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/628/head:pr628
git checkout pr628
From d4c5e62d0d5725c666ab7fc5ac124579dc2b0a53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Tue, 7 Aug 2018 11:04:53 +0200
Subject: [PATCH] providers: drop ldap_{init,}groups_use_matching_rule_in_chain
support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://pagure.io/SSSD/sssd/issue/3492
Signed-off-by: Fabiano FidĂȘncio <fiden...@redhat.com>
---
src/config/SSSDConfig/__init__.py.in | 2 -
src/config/cfg_rules.ini | 2 -
src/config/etc/sssd.api.d/sssd-ad.conf | 2 -
src/config/etc/sssd.api.d/sssd-ipa.conf | 2 -
src/config/etc/sssd.api.d/sssd-ldap.conf | 2 -
src/man/sssd-ldap.5.xml | 59 ----
src/providers/ad/ad_opts.c | 2 -
src/providers/ipa/ipa_opts.c | 2 -
src/providers/ldap/ldap_opts.c | 2 -
src/providers/ldap/sdap.h | 2 -
src/providers/ldap/sdap_async.c | 84 +-----
src/providers/ldap/sdap_async.h | 15 -
src/providers/ldap/sdap_async_groups.c | 141 +--------
src/providers/ldap/sdap_async_initgroups.c | 18 --
src/providers/ldap/sdap_async_initgroups_ad.c | 277 ------------------
15 files changed, 7 insertions(+), 605 deletions(-)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 32b74e4c76..1210f0914e 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -405,8 +405,6 @@ option_strings = {
'ldap_idmap_default_domain_sid' : _('SID of the default domain for ID-mapping'),
'ldap_idmap_helper_table_size' : _('Number of secondary slices'),
- 'ldap_groups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups'),
- 'ldap_initgroups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups'),
'ldap_use_tokengroups' : _('Whether to use Token-Groups'),
'ldap_min_id' : _('Set lower boundary for allowed IDs from the LDAP server'),
'ldap_max_id' : _('Set upper boundary for allowed IDs from the LDAP server'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 5513227803..7016243675 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -611,7 +611,6 @@ option = ldap_group_objectsid
option = ldap_group_search_base
option = ldap_group_search_filter
option = ldap_group_search_scope
-option = ldap_groups_use_matching_rule_in_chain
option = ldap_group_type
option = ldap_group_uuid
option = ldap_idmap_autorid_compat
@@ -623,7 +622,6 @@ option = ldap_idmap_range_max
option = ldap_idmap_range_min
option = ldap_idmap_range_size
option = ldap_id_use_start_tls
-option = ldap_initgroups_use_matching_rule_in_chain
option = ldap_krb5_init_creds
option = ldap_krb5_keytab
option = ldap_krb5_ticket_lifetime
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 8d97a416c8..fad5d30941 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -129,8 +129,6 @@ ldap_idmap_autorid_compat = bool, None, false
ldap_idmap_default_domain = str, None, false
ldap_idmap_default_domain_sid = str, None, false
ldap_idmap_helper_table_size = int, None, false
-ldap_groups_use_matching_rule_in_chain = bool, None, false
-ldap_initgroups_use_matching_rule_in_chain = bool, None, false
ldap_use_tokengroups = bool, None, false
ldap_rfc2307_fallback_to_local_users = bool, None, false
ldap_pwdlockout_dn = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index ab9634c7a6..9c7f395450 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -135,8 +135,6 @@ ldap_idmap_autorid_compat = bool, None, false
ldap_idmap_default_domain = str, None, false
ldap_idmap_default_domain_sid = str, None, false
ldap_idmap_helper_table_size = int, None, false
-ldap_groups_use_matching_rule_in_chain = bool, None, false
-ldap_initgroups_use_matching_rule_in_chain = bool, None, false
ldap_use_tokengroups = bool, None, false
ldap_rfc2307_fallback_to_local_users = bool, None, false
ipa_server_mode = bool, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 65b6407f68..655445d2ac 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -122,8 +122,6 @@ ldap_idmap_autorid_compat = bool, None, false
ldap_idmap_default_domain = str, None, false
ldap_idmap_default_domain_sid = str, None, false
ldap_idmap_helper_table_size = int, None, false
-ldap_groups_use_matching_rule_in_chain = bool, None, false
-ldap_initgroups_use_matching_rule_in_chain = bool, None, false
ldap_use_tokengroups = bool, None, false
ldap_rfc2307_fallback_to_local_users = bool, None, false
ldap_min_id = int, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index 3145f07303..7b4bc74b81 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1057,65 +1057,6 @@
</listitem>
</varlistentry>
- <varlistentry>
- <term>ldap_groups_use_matching_rule_in_chain</term>
- <listitem>
- <para>
- This option tells SSSD to take advantage of an
- Active Directory-specific feature which may speed
- up group lookup operations on deployments with
- complex or deep nested groups.
- </para>
- <para>
- In most common cases, it is best to leave this
- option disabled. It generally only provides a
- performance increase on very complex nestings.
- </para>
- <para>
- If this option is enabled, SSSD will use it if it
- detects that the server supports it during initial
- connection. So "True" here essentially means
- "auto-detect".
- </para>
- <para>
- Note: This feature is currently known to work only
- with Active Directory 2008 R1 and later. See
- <ulink url="http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx";>
- MSDN(TM) documentation</ulink> for more details.
- </para>
- <para>
- Default: False
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>ldap_initgroups_use_matching_rule_in_chain</term>
- <listitem>
- <para>
- This option tells SSSD to take advantage of an
- Active Directory-specific feature which might speed
- up initgroups operations (most notably when
- dealing with complex or deep nested groups).
- </para>
- <para>
- If this option is enabled, SSSD will use it if it
- detects that the server supports it during initial
- connection. So "True" here essentially means
- "auto-detect".
- </para>
- <para>
- Note: This feature is currently known to work only
- with Active Directory 2008 R1 and later. See
- <ulink url="http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx";>
- MSDN(TM) documentation</ulink> for more details.
- </para>
- <para>
- Default: False
- </para>
- </listitem>
- </varlistentry>
-
<varlistentry>
<term>ldap_use_tokengroups</term>
<listitem>
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
index afcfa3773a..72321a5084 100644
--- a/src/providers/ad/ad_opts.c
+++ b/src/providers/ad/ad_opts.c
@@ -140,8 +140,6 @@ struct dp_option ad_def_ldap_opts[] = {
{ "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_idmap_helper_table_size", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
- { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
- { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE},
{ "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c
index 485ad4fe3f..11fc9531da 100644
--- a/src/providers/ipa/ipa_opts.c
+++ b/src/providers/ipa/ipa_opts.c
@@ -152,8 +152,6 @@ struct dp_option ipa_def_ldap_opts[] = {
{ "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_idmap_helper_table_size", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
- { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
- { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE},
{ "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c
index 8b82e92eed..d1b2806295 100644
--- a/src/providers/ldap/ldap_opts.c
+++ b/src/providers/ldap/ldap_opts.c
@@ -113,8 +113,6 @@ struct dp_option default_basic_opts[] = {
{ "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "ldap_idmap_helper_table_size", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
- { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
- { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE},
{ "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 31c25c32f0..b1ea3f0b57 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -227,8 +227,6 @@ enum sdap_basic_opt {
SDAP_IDMAP_DEFAULT_DOMAIN,
SDAP_IDMAP_DEFAULT_DOMAIN_SID,
SDAP_IDMAP_EXTRA_SLICE_INIT,
- SDAP_AD_MATCHING_RULE_GROUPS,
- SDAP_AD_MATCHING_RULE_INITGROUPS,
SDAP_AD_USE_TOKENGROUPS,
SDAP_RFC2307_FALLBACK_TO_LOCAL_USERS,
SDAP_DISABLE_RANGE_RETRIEVAL,
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 8fc832ae57..f9115c7965 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -847,7 +847,6 @@ struct sdap_get_rootdse_state {
};
static void sdap_get_rootdse_done(struct tevent_req *subreq);
-static void sdap_get_matching_rule_done(struct tevent_req *subreq);
struct tevent_req *sdap_get_rootdse_send(TALLOC_CTX *memctx,
struct tevent_context *ev,
@@ -899,8 +898,6 @@ struct tevent_req *sdap_get_rootdse_send(TALLOC_CTX *memctx,
/* This is not a real attribute, it's just there to avoid
* actually pulling real data down, to save bandwidth
*/
-#define SDAP_MATCHING_RULE_TEST_ATTR "sssmatchingruletest"
-
static void sdap_get_rootdse_done(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(subreq,
@@ -910,8 +907,6 @@ static void sdap_get_rootdse_done(struct tevent_req *subreq)
struct sysdb_attrs **results;
size_t num_results;
int ret;
- const char *filter;
- const char *attrs[] = { SDAP_MATCHING_RULE_TEST_ATTR, NULL };
ret = sdap_get_generic_recv(subreq, state, &num_results, &results);
talloc_zfree(subreq);
@@ -940,81 +935,14 @@ static void sdap_get_rootdse_done(struct tevent_req *subreq)
DEBUG(SSSDBG_TRACE_INTERNAL, "Got rootdse\n");
- /* Auto-detect the LDAP matching rule if requested */
- if ((!dp_opt_get_bool(state->opts->basic,
- SDAP_AD_MATCHING_RULE_INITGROUPS))
- && !dp_opt_get_bool(state->opts->basic,
- SDAP_AD_MATCHING_RULE_GROUPS)) {
- /* This feature is disabled for both groups
- * and initgroups. Skip the auto-detection
- * lookup.
- */
- DEBUG(SSSDBG_TRACE_INTERNAL,
- "Skipping auto-detection of match rule\n");
- tevent_req_done(req);
- return;
- }
-
- DEBUG(SSSDBG_TRACE_INTERNAL,
- "Auto-detecting support for match rule\n");
-
- /* Create a filter using the matching rule. It need not point
- * at any valid data. We're only going to be looking for the
- * error code.
- */
- filter = "("SDAP_MATCHING_RULE_TEST_ATTR":"
- SDAP_MATCHING_RULE_IN_CHAIN":=)";
-
- /* Perform a trivial query with the matching rule in play.
- * If it returns success, we know it is available. If it
- * returns EIO, we know it isn't.
+ /* This feature is disabled for both groups
+ * and initgroups. Skip the auto-detection
+ * lookup.
*/
- subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
- "", LDAP_SCOPE_BASE, filter, attrs, NULL,
- 0, dp_opt_get_int(state->opts->basic,
- SDAP_SEARCH_TIMEOUT),
- false);
- if (!subreq) {
- tevent_req_error(req, ENOMEM);
- return;
- }
- tevent_req_set_callback(subreq, sdap_get_matching_rule_done, req);
-}
-
-static void sdap_get_matching_rule_done(struct tevent_req *subreq)
-{
- errno_t ret;
- struct tevent_req *req = tevent_req_callback_data(subreq,
- struct tevent_req);
- struct sdap_get_rootdse_state *state = tevent_req_data(req,
- struct sdap_get_rootdse_state);
- size_t num_results;
- struct sysdb_attrs **results;
-
- ret = sdap_get_generic_recv(subreq, state, &num_results, &results);
- talloc_zfree(subreq);
- if (ret == EOK) {
- /* The search succeeded */
- state->opts->support_matching_rule = true;
- } else if (ret == EIO) {
- /* The search failed. Disable support for
- * matching rule lookups.
- */
- state->opts->support_matching_rule = false;
- } else {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Unexpected error while testing for matching rule support\n");
- tevent_req_error(req, ret);
- return;
- }
-
- DEBUG(SSSDBG_CONF_SETTINGS,
- "LDAP server %s the matching rule extension\n",
- state->opts->support_matching_rule
- ? "supports"
- : "does not support");
-
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Skipping auto-detection of match rule\n");
tevent_req_done(req);
+ return;
}
int sdap_get_rootdse_recv(struct tevent_req *req,
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
index 6d09aca7a3..2cedacf1d5 100644
--- a/src/providers/ldap/sdap_async.h
+++ b/src/providers/ldap/sdap_async.h
@@ -367,21 +367,6 @@ sdap_get_ad_match_rule_members_recv(struct tevent_req *req,
size_t *num_users,
struct sysdb_attrs ***users);
-struct tevent_req *
-sdap_get_ad_match_rule_initgroups_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct sdap_options *opts,
- struct sysdb_ctx *sysdb,
- struct sss_domain_info *domain,
- struct sdap_handle *sh,
- const char *name,
- const char *orig_dn,
- int timeout);
-
-errno_t
-sdap_get_ad_match_rule_initgroups_recv(struct tevent_req *req);
-
-
struct tevent_req *
sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 77acded7a4..e92a1b9e96 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1987,7 +1987,6 @@ static void sdap_nested_done(struct tevent_req *req);
static void sdap_search_group_copy_batch(struct sdap_get_groups_state *state,
struct sysdb_attrs **groups,
size_t count);
-static void sdap_ad_match_rule_members_process(struct tevent_req *subreq);
static void sdap_get_groups_process(struct tevent_req *subreq)
{
@@ -2092,8 +2091,7 @@ static void sdap_get_groups_process(struct tevent_req *subreq)
*/
if (state->lookup_type == SDAP_LOOKUP_SINGLE) {
if ((state->opts->schema_type != SDAP_SCHEMA_RFC2307)
- && (dp_opt_get_int(state->opts->basic, SDAP_NESTING_LEVEL) != 0)
- && !dp_opt_get_bool(state->opts->basic, SDAP_AD_MATCHING_RULE_GROUPS)) {
+ && (dp_opt_get_int(state->opts->basic, SDAP_NESTING_LEVEL) != 0)) {
subreq = sdap_nested_group_send(state, state->ev, state->sdom,
state->opts, state->sh,
state->groups[0]);
@@ -2110,26 +2108,6 @@ static void sdap_get_groups_process(struct tevent_req *subreq)
/* We have all of the groups. Save them to the sysdb */
state->check_count = state->count;
- /* If we're using LDAP_MATCHING_RULE_IN_CHAIN, start a subreq to
- * retrieve the members so we can save them in a single step.
- */
- if (state->lookup_type == SDAP_LOOKUP_SINGLE
- && (state->opts->schema_type != SDAP_SCHEMA_RFC2307)
- && state->opts->support_matching_rule
- && dp_opt_get_bool(state->opts->basic, SDAP_AD_MATCHING_RULE_GROUPS)) {
- subreq = sdap_get_ad_match_rule_members_send(
- state, state->ev, state->opts, state->sh,
- state->groups[0], state->timeout);
- if (!subreq) {
- tevent_req_error(req, ENOMEM);
- return;
- }
- tevent_req_set_callback(subreq,
- sdap_ad_match_rule_members_process,
- req);
- return;
- }
-
ret = sysdb_transaction_start(state->sysdb);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to start transaction\n");
@@ -2250,123 +2228,6 @@ static errno_t sdap_nested_group_populate_users(TALLOC_CTX *mem_ctx,
int num_users,
hash_table_t **_ghosts);
-static void sdap_ad_match_rule_members_process(struct tevent_req *subreq)
-{
- errno_t ret;
- TALLOC_CTX *tmp_ctx = NULL;
- struct tevent_req *req =
- tevent_req_callback_data(subreq, struct tevent_req);
- struct sdap_get_groups_state *state = tevent_req_data(req,
- struct sdap_get_groups_state);
- struct sysdb_attrs **users;
- struct sysdb_attrs *group = state->groups[0];
- struct ldb_message_element *member_el;
- struct ldb_message_element *orig_dn_el;
- size_t count = 0;
- size_t i;
- hash_table_t *ghosts;
-
- ret = sdap_get_ad_match_rule_members_recv(subreq, state,
- &count, &users);
- talloc_zfree(subreq);
- if (ret != EOK && ret != ENOENT) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Could not retrieve members using AD match rule. [%s]\n",
- strerror(ret));
-
- goto done;
- }
-
- /* Save the group and users to the cache */
-
- /* Truncate the member attribute of the group.
- * It will be repopulated below, and it may currently
- * be incomplete anyway, thanks to the range extension.
- */
-
- ret = sysdb_attrs_get_el(group, SYSDB_MEMBER, &member_el);
- if (ret != EOK) {
- goto done;
- }
-
- member_el->num_values = 0;
- talloc_zfree(member_el->values);
-
- tmp_ctx = talloc_new(NULL);
- if (!tmp_ctx) {
- ret = ENOMEM;
- goto done;
- }
-
- /* Figure out which users are already cached in the sysdb and
- * which ones need to be added as ghost users.
- */
- ret = sdap_nested_group_populate_users(tmp_ctx, state->sysdb, state->dom,
- state->opts, users, count,
- &ghosts);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Could not determine which users are ghosts: [%s]\n",
- strerror(ret));
- goto done;
- }
-
- /* Add any entries that aren't in the ghost hash table to the
- * member element of the group. This will get converted to a
- * native sysdb representation later in sdap_save_groups().
- */
-
- /* Add all of the users as members
- */
- member_el->values = talloc_zero_array(tmp_ctx, struct ldb_val, count);
- if (!member_el->values) {
- ret = ENOMEM;
- goto done;
- }
-
- /* Copy the origDN values of the users into the member element */
- for (i = 0; i < count; i++) {
- ret = sysdb_attrs_get_el(users[i], SYSDB_ORIG_DN,
- &orig_dn_el);
- if (ret != EOK) {
- /* This should never happen. Every entry should have
- * an originalDN.
- */
- DEBUG(SSSDBG_MINOR_FAILURE,
- "BUG: Missing originalDN for user?\n");
- goto done;
- }
-
- /* These values will have the same lifespan, so instead
- * of copying them, just point at the data.
- */
- member_el->values[i].data = orig_dn_el->values[0].data;
- member_el->values[i].length = orig_dn_el->values[0].length;
- }
- member_el->num_values = count;
-
- /* Now save the group, users and ghosts to the cache */
- ret = sdap_save_groups(tmp_ctx, state->sysdb, state->dom,
- state->opts, state->groups, 1,
- false, ghosts, true, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Could not save group to the cache: [%s]\n",
- strerror(ret));
- goto done;
- }
-
- ret = EOK;
-
-done:
- talloc_free(tmp_ctx);
-
- if (ret == EOK) {
- tevent_req_done(req);
- } else {
- tevent_req_error(req, ret);
- }
-}
int sdap_get_groups_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx, char **usn_value)
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index cbe8a4cfe6..3554533614 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -3089,19 +3089,6 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
cname, orig_dn,
state->timeout,
state->use_id_mapping);
- } else if (state->opts->support_matching_rule
- && dp_opt_get_bool(state->opts->basic,
- SDAP_AD_MATCHING_RULE_INITGROUPS)) {
- /* Take advantage of AD's extensibleMatch filter to look up
- * all parent groups in a single request.
- */
- subreq = sdap_get_ad_match_rule_initgroups_send(state, state->ev,
- state->opts,
- state->sysdb,
- state->dom,
- state->sh,
- cname, orig_dn,
- state->timeout);
} else {
subreq = sdap_initgr_rfc2307bis_send(
state, state->ev, state->opts,
@@ -3277,11 +3264,6 @@ static void sdap_get_initgr_done(struct tevent_req *subreq)
&& dp_opt_get_bool(state->opts->basic, SDAP_AD_USE_TOKENGROUPS)) {
ret = sdap_ad_tokengroups_initgroups_recv(subreq);
- }
- else if (state->opts->support_matching_rule
- && dp_opt_get_bool(state->opts->basic,
- SDAP_AD_MATCHING_RULE_INITGROUPS)) {
- ret = sdap_get_ad_match_rule_initgroups_recv(subreq);
} else {
ret = sdap_initgr_rfc2307bis_recv(subreq);
}
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 22209eac0e..107ed8683b 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -29,283 +29,6 @@
#include "providers/ad/ad_common.h"
#include "lib/idmap/sss_idmap.h"
-struct sdap_ad_match_rule_initgr_state {
- struct tevent_context *ev;
- struct sdap_options *opts;
- struct sysdb_ctx *sysdb;
- struct sss_domain_info *domain;
- struct sdap_handle *sh;
- const char *name;
- const char *orig_dn;
- const char **attrs;
- int timeout;
- const char *base_filter;
- char *filter;
-
- size_t count;
- struct sysdb_attrs **groups;
-
- size_t base_iter;
- struct sdap_search_base **search_bases;
-};
-
-static errno_t
-sdap_get_ad_match_rule_initgroups_next_base(struct tevent_req *req);
-
-static void
-sdap_get_ad_match_rule_initgroups_step(struct tevent_req *subreq);
-
-struct tevent_req *
-sdap_get_ad_match_rule_initgroups_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct sdap_options *opts,
- struct sysdb_ctx *sysdb,
- struct sss_domain_info *domain,
- struct sdap_handle *sh,
- const char *name,
- const char *orig_dn,
- int timeout)
-{
- errno_t ret;
- struct tevent_req *req;
- struct sdap_ad_match_rule_initgr_state *state;
- const char **filter_members;
- char *sanitized_user_dn;
- char *oc_list;
-
- req = tevent_req_create(mem_ctx, &state,
- struct sdap_ad_match_rule_initgr_state);
- if (!req) return NULL;
-
- state->ev = ev;
- state->opts = opts;
- state->sysdb = sysdb;
- state->domain = domain;
- state->sh = sh;
- state->name = name;
- state->orig_dn = orig_dn;
- state->base_iter = 0;
- state->search_bases = opts->sdom->group_search_bases;
-
- /* Request all of the group attributes that we know
- * about, except for 'member' because that wastes a
- * lot of bandwidth here and we only really
- * care about a single member (the one we already
- * have).
- */
- filter_members = talloc_array(state, const char *, 2);
- if (!filter_members) {
- ret = ENOMEM;
- goto immediate;
- }
- filter_members[0] = opts->group_map[SDAP_AT_GROUP_MEMBER].name;
- filter_members[1] = NULL;
-
- ret = build_attrs_from_map(state, opts->group_map,
- SDAP_OPTS_GROUP,
- filter_members,
- &state->attrs, NULL);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Could not build attribute map: [%s]\n",
- strerror(ret));
- goto immediate;
- }
-
- /* Sanitize the user DN in case we have special characters in DN */
- ret = sss_filter_sanitize(state, state->orig_dn, &sanitized_user_dn);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Could not sanitize user DN: %s\n",
- strerror(ret));
- goto immediate;
- }
-
- /* Craft a special filter according to
- * http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx
- */
- oc_list = sdap_make_oc_list(state, state->opts->group_map);
- if (oc_list == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create objectClass list.\n");
- ret = ENOMEM;
- goto immediate;
- }
-
- state->base_filter =
- talloc_asprintf(state,
- "(&(%s:%s:=%s)(%s))",
- state->opts->group_map[SDAP_AT_GROUP_MEMBER].name,
- SDAP_MATCHING_RULE_IN_CHAIN,
- sanitized_user_dn, oc_list);
- talloc_zfree(sanitized_user_dn);
- if (!state->base_filter) {
- ret = ENOMEM;
- goto immediate;
- }
-
- /* Start the loop through the search bases to get all of the
- * groups to which this user belongs.
- */
- ret = sdap_get_ad_match_rule_initgroups_next_base(req);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "sdap_get_ad_match_rule_members_next_base failed: [%s]\n",
- strerror(ret));
- goto immediate;
- }
-
- return req;
-
-immediate:
- tevent_req_error(req, ret);
- tevent_req_post(req, ev);
- return req;
-}
-
-static errno_t
-sdap_get_ad_match_rule_initgroups_next_base(struct tevent_req *req)
-{
- struct tevent_req *subreq;
- struct sdap_ad_match_rule_initgr_state *state;
-
- state = tevent_req_data(req, struct sdap_ad_match_rule_initgr_state);
-
- talloc_zfree(state->filter);
- state->filter = sdap_combine_filters(state, state->base_filter,
- state->search_bases[state->base_iter]->filter);
- if (!state->filter) {
- return ENOMEM;
- }
-
- DEBUG(SSSDBG_TRACE_FUNC,
- "Searching for groups with base [%s]\n",
- state->search_bases[state->base_iter]->basedn);
-
- subreq = sdap_get_generic_send(
- state, state->ev, state->opts, state->sh,
- state->search_bases[state->base_iter]->basedn,
- state->search_bases[state->base_iter]->scope,
- state->filter, state->attrs,
- state->opts->group_map, SDAP_OPTS_GROUP,
- state->timeout, true);
- if (!subreq) {
- return ENOMEM;
- }
-
- tevent_req_set_callback(subreq,
- sdap_get_ad_match_rule_initgroups_step,
- req);
-
- return EOK;
-}
-
-static void
-sdap_get_ad_match_rule_initgroups_step(struct tevent_req *subreq)
-{
- errno_t ret;
- struct tevent_req *req =
- tevent_req_callback_data(subreq, struct tevent_req);
- struct sdap_ad_match_rule_initgr_state *state =
- tevent_req_data(req, struct sdap_ad_match_rule_initgr_state);
- size_t count, i;
- struct sysdb_attrs **groups;
- char **sysdb_grouplist;
-
- ret = sdap_get_generic_recv(subreq, state, &count, &groups);
- talloc_zfree(subreq);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "LDAP search failed: [%s]\n", sss_strerror(ret));
- goto error;
- }
-
- DEBUG(SSSDBG_TRACE_LIBS,
- "Search for users returned %zu results\n", count);
-
- /* Add this batch of groups to the list */
- if (count > 0) {
- state->groups = talloc_realloc(state, state->groups,
- struct sysdb_attrs *,
- state->count + count + 1);
- if (!state->groups) {
- tevent_req_error(req, ENOMEM);
- return;
- }
-
- /* Copy the new groups into the list */
- for (i = 0; i < count; i++) {
- state->groups[state->count + i] =
- talloc_steal(state->groups, groups[i]);
- }
-
- state->count += count;
- state->groups[state->count] = NULL;
- }
-
- /* Continue checking other search bases */
- state->base_iter++;
- if (state->search_bases[state->base_iter]) {
- /* There are more search bases to try */
- ret = sdap_get_ad_match_rule_initgroups_next_base(req);
- if (ret != EOK) {
- goto error;
- }
- return;
- }
-
- /* No more search bases. Save the groups. */
-
- if (state->count == 0) {
- DEBUG(SSSDBG_TRACE_LIBS,
- "User is not a member of any group in the search bases\n");
- }
-
- /* Get the current sysdb group list for this user
- * so we can update it.
- */
- ret = get_sysdb_grouplist(state, state->sysdb, state->domain,
- state->name, &sysdb_grouplist);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Could not get the list of groups for [%s] in the sysdb: "
- "[%s]\n",
- state->name, strerror(ret));
- goto error;
- }
-
- /* The extensibleMatch search rule eliminates the need for
- * nested group searches, so we can just update the
- * memberships now.
- */
- ret = sdap_initgr_common_store(state->sysdb,
- state->domain,
- state->opts,
- state->name,
- SYSDB_MEMBER_USER,
- sysdb_grouplist,
- state->groups,
- state->count);
- if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Could not store groups for user [%s]: [%s]\n",
- state->name, strerror(ret));
- goto error;
- }
-
- tevent_req_done(req);
- return;
-
-error:
- tevent_req_error(req, ret);
-}
-
-errno_t
-sdap_get_ad_match_rule_initgroups_recv(struct tevent_req *req)
-{
- TEVENT_REQ_RETURN_ON_ERROR(req);
- return EOK;
-}
-
struct sdap_get_ad_tokengroups_state {
struct tevent_context *ev;
struct sss_idmap_ctx *idmap_ctx;
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/VN5VRXXHVEEH4VL2WXK6VUWKORMKOSDY/
