URL: https://github.com/SSSD/sssd/pull/5251
Author: pbrezina
Title: #5251: [wip] subdomains: allow to inherit case_sensitive=Preserving
Action: opened
PR body:
"""
The first patch is just man page update to reflect current state.

I think it makes sense to be able to show subdomain names in their original casing.

Patches 2-3 make it work for AD provider. Patch 4 makes it work for IPA provider. There is apparently a bug in winbind, but there is no link to any bugzilla so I do not know if it was already fixed. The commit is four years old.

This patch requires case_sensitive=Preserving to be set also on the server, otherwise it does not work. It can be enabled without the server setting but we need to make nss_cmd_getpwnam_ex (and other _ex commands) to always return case preserving name. So before I continue the work I'd like to ask @sumit-bose if we can do it like this.

Resolves: https://github.com/SSSD/sssd/issues/5250
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5251/head:pr5251
git checkout pr5251
From 6c670ca88cfc6099b2f3050f9c35c11f097e0c89 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Mon, 20 Jul 2020 13:06:51 +0200 Subject: [PATCH 1/4] man: add auto_private_groups to subdomain_inherit This option can be inherited since 41c497b8b9e6efb9f2aa8e4cc869d465c3b954b3 --- src/man/sssd.conf.5.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 874a09c494..879452b284 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -3307,6 +3307,9 @@ p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2 ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab is not set explicitly) </para> + <para> + auto_private_groups + </para> <para> Example: <programlisting> From c5302f53449dacb0d83bfe14c3a8a48dd82dc2f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Tue, 21 Jul 2020 12:08:27 +0200 Subject: [PATCH 2/4] subdomains: allow to inherit case_sensitive=Preserving Resolves: https://github.com/SSSD/sssd/issues/5250 --- src/db/sysdb_subdomains.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c index d256817a66..1f280f7c10 100644 --- a/src/db/sysdb_subdomains.c +++ b/src/db/sysdb_subdomains.c 
@@ -145,6 +145,14 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, dom->ignore_group_members = parent->ignore_group_members; } + /* Inherit case_sensitive. All subdomains are always case insensitive, + * but we want to inherit case preserving which is set with + * case_sensitive=Preserving. */ + inherit_option = string_in_list(CONFDB_DOMAIN_CASE_SENSITIVE, + parent->sd_inherit, false); + dom->case_sensitive = false; + dom->case_preserve = inherit_option ? parent->case_preserve : false; + dom->trust_direction = trust_direction; /* If the parent domain explicitly limits ID ranges, the subdomain * should honour the limits as well. @@ -156,14 +164,12 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, dom->cache_credentials_min_ff_length = parent->cache_credentials_min_ff_length; dom->cached_auth_timeout = parent->cached_auth_timeout; - dom->case_sensitive = false; dom->user_timeout = parent->user_timeout; dom->group_timeout = parent->group_timeout; dom->netgroup_timeout = parent->netgroup_timeout; dom->service_timeout = parent->service_timeout; dom->resolver_timeout = parent->resolver_timeout; dom->names = parent->names; - dom->override_homedir = parent->override_homedir; dom->fallback_homedir = parent->fallback_homedir; dom->subdomain_homedir = parent->subdomain_homedir; From 391fce84ede1d4d11953ed06f0574887e58b715c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Tue, 21 Jul 2020 12:35:20 +0200 Subject: [PATCH 3/4] subdomains: allow to set case_sensitive=Preserving in subdomain section Resolves: https://github.com/SSSD/sssd/issues/5250 --- src/db/sysdb_subdomains.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c index 1f280f7c10..24087cd73e 100644 --- a/src/db/sysdb_subdomains.c +++ b/src/db/sysdb_subdomains.c 
@@ -207,6 +207,7 @@ check_subdom_config_file(struct confdb_ctx *confdb, struct sss_domain_info *subdomain) { char *sd_conf_path; + char *case_sensitive_opt; TALLOC_CTX *tmp_ctx; errno_t ret; @@ -235,6 +236,38 @@ check_subdom_config_file(struct confdb_ctx *confdb, sd_conf_path, CONFDB_DOMAIN_FQ, subdomain->fqnames ? "TRUE" : "FALSE"); + /* case_sensitive=Preserving */ + ret = confdb_get_string(confdb, tmp_ctx, sd_conf_path, + CONFDB_DOMAIN_CASE_SENSITIVE, NULL, + &case_sensitive_opt); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to get %s option for the subdomain: %s\n", + CONFDB_DOMAIN_CASE_SENSITIVE, subdomain->name); + goto done; + } + + if (case_sensitive_opt != NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, "%s/%s has value %s\n", sd_conf_path, + CONFDB_DOMAIN_CASE_SENSITIVE, case_sensitive_opt); + if (strcasecmp(case_sensitive_opt, "true") == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Warning: subdomain can not be set as case-sensitive.\n"); + subdomain->case_sensitive = false; + subdomain->case_preserve = false; + } else if (strcasecmp(case_sensitive_opt, "false") == 0) { + subdomain->case_sensitive = false; + subdomain->case_preserve = false; + } else if (strcasecmp(case_sensitive_opt, "preserving") == 0) { + subdomain->case_sensitive = false; + subdomain->case_preserve = true; + } else { + DEBUG(SSSDBG_FATAL_FAILURE, + "Invalid value for %s\n", CONFDB_DOMAIN_CASE_SENSITIVE); + goto done; + } + } + ret = EOK; done: talloc_free(tmp_ctx); From 3e26d2e1530f7ff24d785e7803506a1a9aa3dde6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Tue, 21 Jul 2020 12:35:50 +0200 Subject: [PATCH 4/4] subdomains: allow to inherit case_sensitive=Preserving for IPA Resolves: https://github.com/SSSD/sssd/issues/5250 --- src/providers/ipa/ipa_s2n_exop.c | 29 ++--------------------------- 1 file changed, 2 insertions(+), 27 deletions(-) 
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c index c3e1acb487..baf7d6a870 100644 --- a/src/providers/ipa/ipa_s2n_exop.c +++ b/src/providers/ipa/ipa_s2n_exop.c @@ -865,7 +865,6 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx, enum response_types type; char *domain_name = NULL; char *name = NULL; - char *lc_name = NULL; uid_t uid; gid_t gid; struct resp_attrs *attrs = NULL; @@ -920,21 +919,9 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx, goto done; } - /* Winbind is not consistent with the case of the returned user - * name. In general all names should be lower case but there are - * bug in some version of winbind which might lead to upper case - * letters in the name. To be on the safe side we explicitly - * lowercase the name. */ - lc_name = sss_tc_utf8_str_tolower(attrs, name); - if (lc_name == NULL) { - ret = ENOMEM; - goto done; - } - attrs->a.user.pw_name = sss_create_internal_fqname(attrs, - lc_name, + name, domain_name); - talloc_free(lc_name); if (attrs->a.user.pw_name == NULL) { DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); ret = ENOMEM; @@ -969,21 +956,9 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx, goto done; } - /* Winbind is not consistent with the case of the returned user - * name. In general all names should be lower case but there are - * bug in some version of winbind which might lead to upper case - * letters in the name. To be on the safe side we explicitly - * lowercase the name. */ - lc_name = sss_tc_utf8_str_tolower(attrs, name); - if (lc_name == NULL) { - ret = ENOMEM; - goto done; - } - attrs->a.group.gr_name = sss_create_internal_fqname(attrs, - lc_name, + name, domain_name); - talloc_free(lc_name); if (attrs->a.group.gr_name == NULL) { DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); ret = ENOMEM;
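Review bot: In patch 1/4, the subdomain_inherit list in src/man/sssd.conf.5.xml gains only auto_private_groups, yet patch 2/4 makes new_subdomain() honour CONFDB_DOMAIN_CASE_SENSITIVE in parent->sd_inherit. Add a <para> for case_sensitive to the same list, stating that only the Preserving value is inherited and that subdomains always stay case insensitive, so the man page does not fall behind again in the same series.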
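Review bot: In patch 2/4, first hunk of new_subdomain(), the line `dom->case_preserve = inherit_option ? parent->case_preserve : false;` copies the parent's flag without looking at parent->case_sensitive. The new comment says only case_sensitive=Preserving should be inherited, so please confirm what parent->case_preserve holds when the parent is configured with case_sensitive=true, and either gate the copy on `!parent->case_sensitive` or state in the comment that a case-sensitive parent also yields a case-preserving subdomain.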
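Review bot: In patch 2/4, second hunk of new_subdomain(), the deletion marked right after `dom->names = parent->names;` has nothing to do with case handling. If it is only a blank line, leave it out of this commit; if it removes the `dom->override_homedir = parent->override_homedir;` assignment, that drops homedir inheritance for subdomains and needs to be restored.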
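Review bot: In patch 3/4, the final else branch of the case_sensitive check in check_subdom_config_file() jumps to done without setting ret. At that point ret is still EOK from the successful confdb_get_string() call, so an invalid value is logged at SSSDBG_FATAL_FAILURE while the function carries a success code out through done. Set `ret = EINVAL;` before that `goto done;`. Separately, the "true" branch prefixes its message with "Warning:" but logs at SSSDBG_CRIT_FAILURE; pick a debug level that matches a setting which is overridden rather than fatal.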
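Review bot: In patch 4/4, both name-building hunks of s2n_response_to_attrs() now pass `name` straight to sss_create_internal_fqname() for pw_name and gr_name, with no check of the domain's case_preserve setting. The removed comment described the lowercasing as a guard against winbind returning mixed-case names, so for subdomains that are not case-preserving the stored fully qualified name now depends on whatever casing the server sends. Keep the sss_tc_utf8_str_tolower() path when case_preserve is false, or point to where the name is normalised later, and record the outcome of the winbind question in the commit message.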