URL: https://github.com/SSSD/sssd/pull/5251
Author: pbrezina
 Title: #5251: [wip] subdomains: allow to inherit case_sensitive=Preserving
Action: opened

PR body:
"""
The first patch is just man page update to reflect current state.

I think it makes sense to be able to show subdomain names in
their original casing. Patches 2-3 make it work for AD provider.

Patch 4 makes it work for IPA provider. There is apparently a bug
in winbind, but there is no link to any bugzilla so I do not know
if it was already fixed. The commit is four years old. This patch
requires case_sensitive=Preserving to be set also on the server,
otherwise it does not work. It can be enabled without the server setting
but we need to make nss_cmd_getpwnam_ex (and other _ex commands) to
always return case preserving name. So before I continue the work
I'd like to ask @sumit-bose if we can do it like this.

Resolves:
https://github.com/SSSD/sssd/issues/5250
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5251/head:pr5251
git checkout pr5251
From 6c670ca88cfc6099b2f3050f9c35c11f097e0c89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Mon, 20 Jul 2020 13:06:51 +0200
Subject: [PATCH 1/4] man: add auto_private_groups to subdomain_inherit

This option can be inherited since 41c497b8b9e6efb9f2aa8e4cc869d465c3b954b3
---
 src/man/sssd.conf.5.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 874a09c494..879452b284 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -3307,6 +3307,9 @@ p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
                             ldap_krb5_keytab (the value of krb5_keytab will be
                             used if ldap_krb5_keytab is not set explicitly)
                         </para>
+                        <para>
+                            auto_private_groups
+                        </para>
                         <para>
                             Example:
                             <programlisting>

From c5302f53449dacb0d83bfe14c3a8a48dd82dc2f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 21 Jul 2020 12:08:27 +0200
Subject: [PATCH 2/4] subdomains: allow to inherit case_sensitive=Preserving

Resolves:
https://github.com/SSSD/sssd/issues/5250
---
 src/db/sysdb_subdomains.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index d256817a66..1f280f7c10 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -145,6 +145,14 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
         dom->ignore_group_members = parent->ignore_group_members;
     }
 
+    /* Inherit case_sensitive. All subdomains are always case insensitive,
+     * but we want to inherit case preserving which is set with
+     * case_sensitive=Preserving. */
+    inherit_option = string_in_list(CONFDB_DOMAIN_CASE_SENSITIVE,
+                                    parent->sd_inherit, false);
+    dom->case_sensitive = false;
+    dom->case_preserve = inherit_option ? parent->case_preserve : false;
+
     dom->trust_direction = trust_direction;
     /* If the parent domain explicitly limits ID ranges, the subdomain
      * should honour the limits as well.
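Review bot: `case_sensitive` becomes a value that `subdomain_inherit` accepts here, but none of the patches shown documents it; patch 1 extends the inheritable-options list in sssd.conf.5.xml only with auto_private_groups. Add a matching entry there, for example `<para>case_sensitive (only the Preserving value is inherited; subdomains stay case-insensitive)</para>`, so administrators do not expect `case_sensitive = true` on the parent to propagate. new_subdomain's body continues outside the hunk.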
@@ -156,14 +164,12 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
     dom->cache_credentials_min_ff_length =
                                         parent->cache_credentials_min_ff_length;
     dom->cached_auth_timeout = parent->cached_auth_timeout;
-    dom->case_sensitive = false;
     dom->user_timeout = parent->user_timeout;
     dom->group_timeout = parent->group_timeout;
     dom->netgroup_timeout = parent->netgroup_timeout;
     dom->service_timeout = parent->service_timeout;
     dom->resolver_timeout = parent->resolver_timeout;
     dom->names = parent->names;
-
     dom->override_homedir = parent->override_homedir;
     dom->fallback_homedir = parent->fallback_homedir;
     dom->subdomain_homedir = parent->subdomain_homedir;

From 391fce84ede1d4d11953ed06f0574887e58b715c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 21 Jul 2020 12:35:20 +0200
Subject: [PATCH 3/4] subdomains: allow to set case_sensitive=Preserving in
 subdomain section

Resolves:
https://github.com/SSSD/sssd/issues/5250
---
 src/db/sysdb_subdomains.c | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index 1f280f7c10..24087cd73e 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -207,6 +207,7 @@ check_subdom_config_file(struct confdb_ctx *confdb,
                          struct sss_domain_info *subdomain)
 {
     char *sd_conf_path;
+    char *case_sensitive_opt;
     TALLOC_CTX *tmp_ctx;
     errno_t ret;
 
@@ -235,6 +236,38 @@ check_subdom_config_file(struct confdb_ctx *confdb,
           sd_conf_path, CONFDB_DOMAIN_FQ,
           subdomain->fqnames ? "TRUE" : "FALSE");
 
+    /* case_sensitive=Preserving */
+    ret = confdb_get_string(confdb, tmp_ctx, sd_conf_path,
+                            CONFDB_DOMAIN_CASE_SENSITIVE, NULL,
+                            &case_sensitive_opt);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Failed to get %s option for the subdomain: %s\n",
+              CONFDB_DOMAIN_CASE_SENSITIVE, subdomain->name);
+        goto done;
+    }
+
+    if (case_sensitive_opt != NULL) {
+        DEBUG(SSSDBG_CONF_SETTINGS, "%s/%s has value %s\n", sd_conf_path,
+              CONFDB_DOMAIN_CASE_SENSITIVE, case_sensitive_opt);
+        if (strcasecmp(case_sensitive_opt, "true") == 0) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Warning: subdomain can not be set as case-sensitive.\n");
+            subdomain->case_sensitive = false;
+            subdomain->case_preserve = false;
+        } else if (strcasecmp(case_sensitive_opt, "false") == 0) {
+            subdomain->case_sensitive = false;
+            subdomain->case_preserve = false;
+        } else if (strcasecmp(case_sensitive_opt, "preserving") == 0) {
+            subdomain->case_sensitive = false;
+            subdomain->case_preserve = true;
+        } else {
+            DEBUG(SSSDBG_FATAL_FAILURE,
+                "Invalid value for %s\n", CONFDB_DOMAIN_CASE_SENSITIVE);
+            goto done;
+        }
+    }
+
     ret = EOK;
 done:
     talloc_free(tmp_ctx);
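Review bot: The invalid-value branch logs at SSSDBG_FATAL_FAILURE and jumps to `done` while `ret` still holds EOK from the confdb_get_string() call above. Assuming the function returns `ret` after the `done:` label (the return is outside the hunk), a mistyped case_sensitive value in a subdomain section is reported as fatal but accepted as success. Set `ret = EINVAL;` before that `goto done;`. Separately, the "true" branch emits a message that calls itself a warning at SSSDBG_CRIT_FAILURE; a lower level such as `SSSDBG_MINOR_FAILURE` would match the fact that the code recovers by forcing both flags to false.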

From 3e26d2e1530f7ff24d785e7803506a1a9aa3dde6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 21 Jul 2020 12:35:50 +0200
Subject: [PATCH 4/4] subdomains: allow to inherit case_sensitive=Preserving
 for IPA

Resolves:
https://github.com/SSSD/sssd/issues/5250
---
 src/providers/ipa/ipa_s2n_exop.c | 29 ++---------------------------
 1 file changed, 2 insertions(+), 27 deletions(-)

diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index c3e1acb487..baf7d6a870 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -865,7 +865,6 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx,
     enum response_types type;
     char *domain_name = NULL;
     char *name = NULL;
-    char *lc_name = NULL;
     uid_t uid;
     gid_t gid;
     struct resp_attrs *attrs = NULL;
@@ -920,21 +919,9 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx,
                 goto done;
             }
 
-            /* Winbind is not consistent with the case of the returned user
-             * name. In general all names should be lower case but there are
-             * bug in some version of winbind which might lead to upper case
-             * letters in the name. To be on the safe side we explicitly
-             * lowercase the name. */
-            lc_name = sss_tc_utf8_str_tolower(attrs, name);
-            if (lc_name == NULL) {
-                ret = ENOMEM;
-                goto done;
-            }
-
             attrs->a.user.pw_name = sss_create_internal_fqname(attrs,
-                                                               lc_name,
+                                                               name,
                                                                domain_name);
-            talloc_free(lc_name);
             if (attrs->a.user.pw_name == NULL) {
                 DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
                 ret = ENOMEM;
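Review bot: The lower-casing of `name` is dropped for every domain, not only for those with `case_preserve` set. A subdomain left at the default would now get `pw_name` built from whatever casing the server returned, which the removed comment says is not reliable. User and group names are identity keys for cache lookups and access decisions, so keep the `sss_tc_utf8_str_tolower()` call (and `lc_name`) when the target domain is not case-preserving, and pass `name` through unchanged only when it is. Whether the domain object is reachable at this point is not visible in the hunk; s2n_response_to_attrs starts and ends outside it. The same applies to the `gr_name` branch in the next hunk.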
@@ -969,21 +956,9 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx,
                 goto done;
             }
 
-            /* Winbind is not consistent with the case of the returned user
-             * name. In general all names should be lower case but there are
-             * bug in some version of winbind which might lead to upper case
-             * letters in the name. To be on the safe side we explicitly
-             * lowercase the name. */
-            lc_name = sss_tc_utf8_str_tolower(attrs, name);
-            if (lc_name == NULL) {
-                ret = ENOMEM;
-                goto done;
-            }
-
             attrs->a.group.gr_name = sss_create_internal_fqname(attrs,
-                                                                lc_name,
+                                                                name,
                                                                 domain_name);
-            talloc_free(lc_name);
             if (attrs->a.group.gr_name == NULL) {
                 DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
                 ret = ENOMEM;