Since we removed the use of CoS for (in)active users, the ipa_winsync plugin has been broken when configured to synchronize (in)active user status (the default).
Simo. -- Simo Sorce * Red Hat, Inc * New York
>From 6d43c9d3b66ae95a4cd8ecf35d785ca4d239ef29 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Fri, 25 Feb 2011 16:56:15 -0500
Subject: [PATCH 5/8] Make activated/inactivated groups optional directly change nsAccountLock on the entry if they are not used
Fixes: https://fedorahosted.org/freeipa/ticket/1021
---
 .../ipa-winsync/ipa-winsync-conf.ldif | 2 -
 .../ipa-winsync/ipa-winsync-config.c | 68 +++++++++++---------
 .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.c | 4 +-
 3 files changed, 40 insertions(+), 34 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif
index 42026221d19133bba733114c388227635469ac90..b646c2b10db1eabda747d587a0d176b6afae63e7 100644
--- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif
+++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif
@@ -23,8 +23,6 @@ ipaWinsyncLoginShellAttr: ipaDefaultLoginShell
 ipaWinSyncDefaultGroupAttr: ipaDefaultPrimaryGroup
 ipaWinSyncDefaultGroupFilter: (gidNumber=*)(objectclass=posixGroup)(objectclass=groupOfNames)
 ipaWinSyncAcctDisable: both
-ipaWinSyncInactivatedFilter: (&(cn=inactivated)(objectclass=groupOfNames))
-ipaWinSyncActivatedFilter: (&(cn=activated)(objectclass=groupOfNames))
 ipaWinSyncForceSync: true
 ipaWinSyncUserAttr: uidNumber 999
 ipaWinSyncUserAttr: gidNumber 999
diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
index b089d3d1486e7d5420b204a8de3eb2118cf05af9..450375ddc0289a9df84361f3205e882a6dbd1a97 100644
--- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
+++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
@@ -339,19 +339,17 @@ ipa_winsync_validate_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_E &testattr) || (NULL == testattr)) { PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, - "Error: no value given for %s - " - "required for account disable sync", + "No value given for %s - required for account " + "disable sync, ignoring", IPA_WINSYNC_INACTIVATED_FILTER); - goto done2; } if (slapi_entry_attr_find(e, IPA_WINSYNC_ACTIVATED_FILTER, &testattr) || (NULL == testattr)) { PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, - "Error: no value given for %s - " - "required for account disable sync", + "No value given for %s - required for account " + "disable sync, ignoring", IPA_WINSYNC_ACTIVATED_FILTER); - goto done2; } } @@ -507,17 +505,17 @@ ipa_winsync_apply_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, if (!(inactivated_filter = slapi_entry_attr_get_charptr( e, IPA_WINSYNC_INACTIVATED_FILTER))) { PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, - "Error: no value given for %s - required for account disable sync", + "No value given for %s - required for account " + "disable sync, ignoring", IPA_WINSYNC_INACTIVATED_FILTER); - goto done3; } /* get activated group filter */ if (!(activated_filter = slapi_entry_attr_get_charptr( e, IPA_WINSYNC_ACTIVATED_FILTER))) { PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, - "Error: no value given for %s - required for account disable sync", + "No value given for %s - required for account " + "disable sync, ignoring", IPA_WINSYNC_ACTIVATED_FILTER); - goto done3; } } 
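Review bot: The reworded `returntext` messages in the ipa_winsync_validate_config hunk call the filter "required ... ignoring" and are now written on a path that no longer jumps to `done2`, so whether an administrator ever sees them depends on code outside the hunk; when both filters are absent the second PR_snprintf also overwrites the first. Since the attribute is now optional, I would log the condition and state what actually happens, e.g. `LOG("%s not set - account disable sync will write nsAccountLock directly\n", IPA_WINSYNC_INACTIVATED_FILTER);`. The same applies to the two messages in the ipa_winsync_apply_config hunk (@@ -507). Account-disable sync is an access-control path, so a silent change of mechanism should leave a trace in the error log rather than in a buffer that is presumably only returned on failure.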
@@ -808,8 +806,12 @@ ipa_winsync_config_refresh_domain( default_group_filter = slapi_ch_strdup(theConfig.default_group_filter); acct_disable = theConfig.acct_disable; if (acct_disable != ACCT_DISABLE_NONE) { - inactivated_filter = slapi_ch_strdup(theConfig.inactivated_filter); - activated_filter = slapi_ch_strdup(theConfig.activated_filter); + if (theConfig.inactivated_filter) { + inactivated_filter = slapi_ch_strdup(theConfig.inactivated_filter); + } + if (theConfig.activated_filter) { + activated_filter = slapi_ch_strdup(theConfig.activated_filter); + } } slapi_unlock_mutex(theConfig.lock); 
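Review bot: With the two slapi_ch_strdup calls now conditional, `inactivated_filter` and `activated_filter` are assigned only when the config holds a value, yet the later `if (inactivated_filter)` / `if (activated_filter)` tests read them either way and they are presumably released during cleanup. Their declarations are outside this hunk; they must be initialised there (`char *inactivated_filter = NULL;`, likewise for `activated_filter`), otherwise an absent filter leaves an indeterminate pointer that is tested and then used. A short comment above the block, such as `/* filters are optional; NULL means nsAccountLock is written directly */`, would record the new contract for the next reader.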
@@ -930,25 +932,29 @@ ipa_winsync_config_refresh_domain( */ if (acct_disable != ACCT_DISABLE_NONE) { - ret = internal_find_entry_get_attr_val(config_dn, search_scope, - inactivated_filter, "dn", - NULL, &inactivated_group_dn); - if (!inactivated_group_dn) { - /* error - could not find the inactivated group dn */ - LOG_FATAL("Error: could not find the DN of the inactivated users group " - "ds subtree [%s] filter [%s]\n", - slapi_sdn_get_dn(ds_subtree), inactivated_filter); - goto out; + if (inactivated_filter) { + ret = internal_find_entry_get_attr_val(config_dn, search_scope, + inactivated_filter, "dn", + NULL, &inactivated_group_dn); + if (!inactivated_group_dn) { + /* error - could not find the inactivated group dn */ + LOG("Could not find the DN of the inactivated users group ds " + "subtree [%s] filter [%s]. Ignoring\n", + slapi_sdn_get_dn(ds_subtree), inactivated_filter); + goto out; + } } - ret = internal_find_entry_get_attr_val(config_dn, search_scope, - activated_filter, "dn", - NULL, &activated_group_dn); - if (!activated_group_dn) { - /* error - could not find the activated group dn */ - LOG_FATAL("Error: could not find the DN of the activated users group " - "ds subtree [%s] filter [%s]\n", - slapi_sdn_get_dn(ds_subtree), activated_filter); - goto out; + if (activated_filter) { + ret = internal_find_entry_get_attr_val(config_dn, search_scope, + activated_filter, "dn", + NULL, &activated_group_dn); + if (!activated_group_dn) { + /* error - could not find the activated group dn */ + LOG("Could not find the DN of the activated users group ds " + "subtree [%s] filter [%s]. Ignoring\n", + slapi_sdn_get_dn(ds_subtree), activated_filter); + goto out; + } } } @@ -981,7 +987,7 @@ ipa_winsync_config_refresh_domain( slapi_ch_free_string(&iwdc->activated_group_dn); iwdc->activated_group_dn = activated_group_dn; activated_group_dn = NULL; - + out: slapi_valueset_free(new_user_objclasses); slapi_sdn_free(&config_dn); 
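Review bot: In the @@ -930 hunk both not-found branches now log at LOG level and say "Ignoring", but each still ends in `goto out;`, so a configured filter that matches no group skips the assignments to `iwdc` further down and the refreshed settings are not applied. Deployments whose config entry still carries the old filter values after the groups are gone would hit this on every refresh (inferred; the upgrade path is not visible here), leaving account-disable sync running on stale domain configuration. Either delete the two `goto out;` lines so a NULL group DN falls through to the direct nsAccountLock path, or keep `LOG_FATAL` and drop "Ignoring" from the text. `ret` from internal_find_entry_get_attr_val is not examined in the visible lines, so a search error and an empty result cannot be told apart.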
diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c index b98a34d1fdefd454e1c1eb600513176a39892b26..2644a01088c84b7ec0de3a065d90936ff151c08e 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c +++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.c @@ -885,7 +885,9 @@ sync_acct_disable( } if (direction == ACCT_DISABLE_TO_DS) { - if (!isvirt) { + if (!isvirt || + (ad_is_enabled && (ipaconfig->activated_group_dn == NULL)) || + (!ad_is_enabled && (ipaconfig->inactivated_group_dn == NULL))) { char *attrtype = NULL; char *attrval = NULL; attrtype = "nsAccountLock"; -- 1.7.4
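Review bot: The added condition in sync_acct_disable chooses the mechanism per direction, so when only one of `activated_group_dn` / `inactivated_group_dn` is set, disabling and enabling go through different mechanisms: one transition writes `nsAccountLock` directly while the opposite one presumably takes the group-membership branch outside this hunk. The lock state written by one path is then not necessarily cleared by the other, and an account disabled in AD could remain usable in DS or the reverse. Using the group path only when both DNs are present avoids that: `if (!isvirt || !ipaconfig->activated_group_dn || !ipaconfig->inactivated_group_dn) {`. A one-line comment stating that a missing group DN means the lock attribute is written on the entry itself would also help; the function body continues outside the hunk.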