URL: https://github.com/SSSD/sssd/pull/5251 Author: pbrezina Title: #5251: subdomains: allow to inherit case_sensitive=Preserving Action: synchronized
To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5251/head:pr5251
git checkout pr5251
From df998e5b245bbb8a9e5fdd49ad137913d7b49fe8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Mon, 20 Jul 2020 13:06:51 +0200 Subject: [PATCH 1/5] man: add auto_private_groups to subdomain_inherit This option can be inherited since 41c497b8b9e6efb9f2aa8e4cc869d465c3b954b3 --- src/man/sssd.conf.5.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 8b330de584..16632f9900 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -3371,6 +3371,9 @@ pam_gssapi_services = sudo, sudo-i ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab is not set explicitly) </para> + <para> + auto_private_groups + </para> <para> Example: <programlisting> From 432658dd495629716ac2b2582c22f8fdbaa5e1e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Tue, 21 Jul 2020 12:08:27 +0200 Subject: [PATCH 2/5] subdomains: allow to inherit case_sensitive=Preserving Resolves: https://github.com/SSSD/sssd/issues/5250 :feature: `case_sensitive` option can be now inherited by subdomains --- src/db/sysdb_subdomains.c | 10 ++++++++-- src/man/sssd.conf.5.xml | 3 +++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c index 03ba121646..ed3e7055c3 100644 --- a/src/db/sysdb_subdomains.c +++ b/src/db/sysdb_subdomains.c 
@@ -157,6 +157,14 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, dom->ignore_group_members = parent->ignore_group_members; } + /* Inherit case_sensitive. All subdomains are always case insensitive, + * but we want to inherit case preserving which is set with + * case_sensitive=Preserving. */ + inherit_option = string_in_list(CONFDB_DOMAIN_CASE_SENSITIVE, + parent->sd_inherit, false); + dom->case_sensitive = false; + dom->case_preserve = inherit_option ? parent->case_preserve : false; + dom->trust_direction = trust_direction; /* If the parent domain explicitly limits ID ranges, the subdomain * should honour the limits as well. @@ -168,14 +176,12 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, dom->cache_credentials_min_ff_length = parent->cache_credentials_min_ff_length; dom->cached_auth_timeout = parent->cached_auth_timeout; - dom->case_sensitive = false; dom->user_timeout = parent->user_timeout; dom->group_timeout = parent->group_timeout; dom->netgroup_timeout = parent->netgroup_timeout; dom->service_timeout = parent->service_timeout; dom->resolver_timeout = parent->resolver_timeout; dom->names = parent->names; - dom->override_homedir = parent->override_homedir; dom->fallback_homedir = parent->fallback_homedir; dom->subdomain_homedir = parent->subdomain_homedir; diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 16632f9900..b4d3f08c80 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -3374,6 +3374,9 @@ pam_gssapi_services = sudo, sudo-i <para> auto_private_groups </para> + <para> + case_sensitive + </para> <para> Example: <programlisting> From c36bd72e5413b1093eca832942b10da668e8600c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Tue, 21 Jul 2020 12:35:20 +0200 Subject: [PATCH 3/5] subdomains: allow to set case_sensitive=Preserving in subdomain section Resolves: https://github.com/SSSD/sssd/issues/5250 :feature: `case_sensitive` can be now set separately for each subdomain in `[domain/parent/subdomain]` section :feature: `case_sensitive=Preserving` can now be set for trusted domains with AD provider --- src/db/sysdb_subdomains.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c index ed3e7055c3..c0a676d491 100644 --- a/src/db/sysdb_subdomains.c +++ b/src/db/sysdb_subdomains.c @@ -221,6 +221,7 @@ check_subdom_config_file(struct confdb_ctx *confdb, struct sss_domain_info *subdomain) { char *sd_conf_path; + char *case_sensitive_opt; TALLOC_CTX *tmp_ctx; errno_t ret; 
@@ -272,6 +273,38 @@ check_subdom_config_file(struct confdb_ctx *confdb, goto done; } + /* case_sensitive=Preserving */ + ret = confdb_get_string(confdb, tmp_ctx, sd_conf_path, + CONFDB_DOMAIN_CASE_SENSITIVE, NULL, + &case_sensitive_opt); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to get %s option for the subdomain: %s\n", + CONFDB_DOMAIN_CASE_SENSITIVE, subdomain->name); + goto done; + } + + if (case_sensitive_opt != NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, "%s/%s has value %s\n", sd_conf_path, + CONFDB_DOMAIN_CASE_SENSITIVE, case_sensitive_opt); + if (strcasecmp(case_sensitive_opt, "true") == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Warning: subdomain can not be set as case-sensitive.\n"); + subdomain->case_sensitive = false; + subdomain->case_preserve = false; + } else if (strcasecmp(case_sensitive_opt, "false") == 0) { + subdomain->case_sensitive = false; + subdomain->case_preserve = false; + } else if (strcasecmp(case_sensitive_opt, "preserving") == 0) { + subdomain->case_sensitive = false; + subdomain->case_preserve = true; + } else { + DEBUG(SSSDBG_FATAL_FAILURE, + "Invalid value for %s\n", CONFDB_DOMAIN_CASE_SENSITIVE); + goto done; + } + } + ret = EOK; done: talloc_free(tmp_ctx); From bc5541b6c1eef9bbc17472cfcdeb6012db55bf0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Tue, 21 Jul 2020 12:35:50 +0200 Subject: [PATCH 4/5] subdomains: allow to inherit case_sensitive=Preserving for IPA Resolves: https://github.com/SSSD/sssd/issues/5250 :feature: `case_sensitive=Preserving` can now be set for trusted domains with IPA provider. However, the option needs to be set to `Preserving` on both client and the server for it to take effect. --- src/providers/ipa/ipa_s2n_exop.c | 81 +++++++++++++++++++------------- 1 file changed, 48 insertions(+), 33 deletions(-) diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c index fb93c6233a..08b1113fa0 100644 --- a/src/providers/ipa/ipa_s2n_exop.c 
+++ b/src/providers/ipa/ipa_s2n_exop.c @@ -844,6 +844,46 @@ static errno_t add_v1_group_data(BerElement *ber, return ret; } +static char *s2n_response_to_attrs_fqname(TALLOC_CTX *mem_ctx, + enum extdom_protocol protocol, + const char *domain_name, + const char *name) +{ + char *lc_name; + char *out_name; + + if (protocol == EXTDOM_V0) { + /* Compatibility with older IPA servers that may use winbind instead + * of SSSD's server mode. + * + * Winbind is not consistent with the case of the returned user + * name. In general all names should be lower case but there are + * bug in some version of winbind which might lead to upper case + * letters in the name. To be on the safe side we explicitly + * lowercase the name. + */ + + lc_name = sss_tc_utf8_str_tolower(NULL, name); + if (lc_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n"); + return NULL; + } + + out_name = sss_create_internal_fqname(mem_ctx, lc_name, domain_name); + talloc_free(lc_name); + } else { + /* Keep the original casing to support case_sensitive=Preserving */ + out_name = sss_create_internal_fqname(mem_ctx, name, domain_name); + } + + if (out_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n"); + return NULL; + } + + return out_name; +} + static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, struct req_input *req_input, struct resp_attrs *attrs, @@ -865,7 +905,6 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx, enum response_types type; char *domain_name = NULL; char *name = NULL; - char *lc_name = NULL; uid_t uid; gid_t gid; struct resp_attrs *attrs = NULL; 
@@ -920,23 +959,11 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx, goto done; } - /* Winbind is not consistent with the case of the returned user - * name. In general all names should be lower case but there are - * bug in some version of winbind which might lead to upper case - * letters in the name. To be on the safe side we explicitly - * lowercase the name. */ - lc_name = sss_tc_utf8_str_tolower(attrs, name); - if (lc_name == NULL) { - ret = ENOMEM; - goto done; - } - - attrs->a.user.pw_name = sss_create_internal_fqname(attrs, - lc_name, - domain_name); - talloc_free(lc_name); + attrs->a.user.pw_name = s2n_response_to_attrs_fqname(attrs, + protocol, + domain_name, + name); if (attrs->a.user.pw_name == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); ret = ENOMEM; goto done; } @@ -969,23 +996,11 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx, goto done; } - /* Winbind is not consistent with the case of the returned user - * name. In general all names should be lower case but there are - * bug in some version of winbind which might lead to upper case - * letters in the name. To be on the safe side we explicitly - * lowercase the name. */ - lc_name = sss_tc_utf8_str_tolower(attrs, name); - if (lc_name == NULL) { - ret = ENOMEM; - goto done; - } - - attrs->a.group.gr_name = sss_create_internal_fqname(attrs, - lc_name, - domain_name); - talloc_free(lc_name); + attrs->a.group.gr_name = s2n_response_to_attrs_fqname(attrs, + protocol, + domain_name, + name); if (attrs->a.group.gr_name == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); ret = ENOMEM; goto done; } From 0a1207633ddc03299332f9b5d23813eda13551bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Mon, 25 Jan 2021 11:44:40 +0100 Subject: [PATCH 5/5] man: update case_sensitive documentation to reflect changes for subdomains --- src/man/sssd.conf.5.xml | 11 +++++++++++ 1 file changed, 11 insertions(+) 
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index b4d3f08c80..812d96ebda 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -3336,10 +3336,21 @@ pam_gssapi_services = sudo, sudo-i protocol names) are still lowercased in the output. </para> + <para> + If you want to set this value for + trusted domain with IPA provider, you + need to set it on both the client and + SSSD on the server. + </para> </listitem> </varlistentry> </variablelist> </para> + <para> + This option can be also set per subdomain or + inherited via + <emphasis>subdomain_inherit</emphasis>. + </para> <para> Default: True (False for AD provider) </para>
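Review bot: in the first sysdb_subdomains.c hunk of PATCH 2/5 (new_subdomain), `dom->case_preserve = inherit_option ? parent->case_preserve : false;` copies the parent's case_preserve flag unconditionally once `case_sensitive` is listed in subdomain_inherit, while the comment above it says the intent is only to inherit `case_sensitive=Preserving`. If a parent configured with `case_sensitive=True` also carries case_preserve set (the hunk does not show how the parent flags are derived), listing the option in subdomain_inherit silently turns a fully case-sensitive parent into a Preserving subdomain. Either gate the inheritance on `!parent->case_sensitive && parent->case_preserve`, or state in the subdomain_inherit man page entry that a True parent is inherited as Preserving.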
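Review bot: in the second sysdb_subdomains.c hunk of PATCH 2/5 (`@@ -168,14 +176,12 @@`), the header counts two removed lines, and besides the expected `- dom->case_sensitive = false;` the mail rendering shows `- dom->override_homedir = parent->override_homedir;`. If that is a real deletion rather than a removed blank line that the formatting collapsed onto the following context line, subdomains stop inheriting override_homedir, which is unrelated to this change and not mentioned in the commit message. Please confirm which it is and, if the line really goes, drop it from this patch.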
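Review bot: in the check_subdom_config_file hunk of PATCH 3/5, the final `else` branch of the `case_sensitive_opt` parsing logs "Invalid value for %s" at SSSDBG_FATAL_FAILURE and jumps to `done` without setting `ret`, so the function returns EOK (the value left by the successful confdb_get_string call) and a misconfigured subdomain section is silently accepted with whatever flags the inheritance code set earlier. Set `ret = EINVAL;` before the `goto done;` so the caller sees the error. Two smaller points in the same hunk: the "true" branch logs a warning at SSSDBG_CRIT_FAILURE, which is severe for a configuration fallback (SSSDBG_CONF_SETTINGS or SSSDBG_MINOR_FAILURE would match the message), and the `true`/`false`/`preserving` string matching duplicates the parsing of CONFDB_DOMAIN_CASE_SENSITIVE for the main domain, so a shared helper would keep the accepted spellings in sync.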
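Review bot: in the s2n_response_to_attrs_fqname hunk of PATCH 4/5, the non-V0 branch keeps the original casing of the name for every response, not only when the target subdomain has case_preserve set; the comment "Keep the original casing to support case_sensitive=Preserving" reads as if the behaviour were conditional, but the helper does not receive the domain at all. If the sysdb layer already normalises names for case-insensitive domains this is fine, but then the comment should say so; otherwise pass `dom` into the helper and lowercase when `!dom->case_preserve`, mirroring the V0 path. The commit message's note that the server must also run with `Preserving` belongs in the same comment, since a reader of this function cannot otherwise tell why V1 responses are trusted to carry the right case.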
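Review bot: in the sssd.conf.5.xml hunk of PATCH 5/5, the new paragraph "This option can be also set per subdomain or inherited via subdomain_inherit" does not tell the reader that only `False` and `Preserving` are meaningful for a subdomain: PATCH 3/5 warns and falls back to False when `True` is set in a `[domain/parent/subdomain]` section, and the "Default: True (False for AD provider)" line that follows does not apply to subdomains, which are always case-insensitive unless Preserving. Add a sentence to that effect. Also "for trusted domain with IPA provider" should read "for a trusted domain with the IPA provider".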
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org