There are some test hints attached to the ticket.
---
IPA winsync plugin failed to replicate users when default user group
was non-posix even though User Private Groups (UPG) were enabled
on the server. Both their uidNumber and gidNumber were empty and
they lacked essential object classes. When the default user group
was made posix and UPG was disabled it did not set gidNumber to
the default group gidNumber.

This patch improves this behavior to set gidNumber correctly
according to UPG configuration and the default group status
(posix/non-posix). Four situations can occur; the following list
specifies what value is assigned to the user's gidNumber in each:
 1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
 2) Default group posix, UPG disabled: gidNumber = default
    group gidNumber
 3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
 4) Default group non-posix, UPG disabled: an error is printed to
    the dirsrv log as the gidNumber cannot be retrieved. User
    is replicated in the same way as before this patch, i.e.
    without essential object classes.

https://fedorahosted.org/freeipa/ticket/2436

>From cbce8ac48e02edf9f977acfd9fdb3cc64123fafe Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Tue, 6 Mar 2012 15:59:20 +0100
Subject: [PATCH] Treat UPGs correctly in winsync replication

IPA winsync plugin failed to replicate users when default user group
was non-posix even though User Private Groups (UPG) were enabled
on the server. Both their uidNumber and gidNumber were empty and
they lacked essential object classes. When the default user group
was made posix and UPG was disabled it did not set gidNumber to
the default group gidNumber.

This patch improves this behavior to set gidNumber correctly
according to UPG configuration and the default group status
(posix/non-posix). 4 situations can occur, the following list
specifies what value is assigned to user gidNumber:
 1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
 2) Default group posix, UPG disabled: gidNumber = default
    group gidNumber
 3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
 4) Default group non-posix, UPG disabled: an error is printed to
    the dirsrv log as the gidNumber cannot be retrieved. User
    is replicated in the same way as before this patch, i.e.
    without essential object classes.

https://fedorahosted.org/freeipa/ticket/2436
---
 .../ipa-winsync/ipa-winsync-config.c               |   96 +++++++++++++++++---
 .../ipa-slapi-plugins/ipa-winsync/ipa-winsync.h    |    6 ++
 2 files changed, 91 insertions(+), 11 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
index 456a839aadf01634d657121e5d1e91373a5ccc0e..ae7adecb6e04b5a736fa04b458d51a6fa3860d05 100644
--- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
+++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
@@ -58,6 +58,7 @@
 #include <dirsrv/winsync-plugin.h>
 #endif
 #include "ipa-winsync.h"
+#include "util.h"
 
 #include "plstr.h"
 
@@ -176,6 +177,72 @@ parse_acct_disable(const char *theval)
 }
 
 /*
+ * Check if User Private Groups are enabled in given IPA domain
+ * Returns: 0 - UPG are enabled
+ *          1 - UPG are disabled
+ *         -1 - some sort of error
+ */
+static int
+ipa_winsync_upg_enabled(const Slapi_DN *ds_subtree)
+{
+    int ret = -1;
+    int rc;
+    char * dn = NULL;
+    Slapi_Entry *entry = NULL;
+    Slapi_Backend *be;
+    const Slapi_DN *ds_suffix = NULL;
+    Slapi_DN *sdn = NULL;
+    const char *attrs_list[] = {IPA_WINSYNC_UPG_DEF_ATTR, 0};
+    char * value = NULL;
+
+    /* find ancestor base DN */
+    be = slapi_be_select(ds_subtree);
+    ds_suffix = slapi_be_getsuffix(be, 0);
+    if (ds_suffix == NULL) {
+        LOG_FATAL("Invalid DS subtree [%s]\n", slapi_sdn_get_dn(ds_subtree));
+        goto done;
+    }
+
+    dn = slapi_ch_smprintf(IPA_WINSYNC_UPG_DEF_DN, slapi_sdn_get_dn(ds_suffix));
+
+    if (!dn) {
+        LOG_OOM();
+        goto done;
+    }
+
+    sdn = slapi_sdn_new_dn_byref(dn);
+    rc = slapi_search_internal_get_entry(sdn, (char **) attrs_list, &entry,
+                                         ipa_winsync_get_plugin_identity());
+
+    if (rc) {
+        LOG("failed to retrieve UPG definition (%s) with rc %d\n", dn, rc);
+        goto done;
+    }
+
+    value = slapi_entry_attr_get_charptr(entry, IPA_WINSYNC_UPG_DEF_ATTR);
+
+    if (!value) {
+        LOG("failed to read %s from UPG definition (%s)\n",
+             IPA_WINSYNC_UPG_DEF_ATTR, dn);
+        goto done;
+    }
+
+    if (strstr(value, IPA_WINSYNC_UPG_DEF_DISABLED) == NULL) {
+        ret = 0;
+    } else {
+        ret = 1;
+    }
+
+done:
+    slapi_ch_free_string(&dn);
+    slapi_sdn_free(&sdn);
+    slapi_ch_free_string(&value);
+    slapi_entry_free(entry);
+
+    return ret;
+}
+
+/*
   Validate the pending changes in the e entry.
 */
 static int
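Review bot: The disabled-marker test in ipa_winsync_upg_enabled, `strstr(value, IPA_WINSYNC_UPG_DEF_DISABLED)`, is a case-sensitive substring match on an LDAP filter, so an originfilter written as `(objectClass=disable)` would be reported as "UPG enabled" and every synced user would then be left without a gidNumber. Attribute names in LDAP filters are case-insensitive and plstr.h is already included, so `if (PL_strcasestr(value, IPA_WINSYNC_UPG_DEF_DISABLED) == NULL) {` closes that gap at no cost. The `be` returned by `slapi_be_select()` is also handed to `slapi_be_getsuffix()` unchecked; whether that call tolerates a NULL backend is not visible here, so a `if (!be) goto done;` guard would be cheap insurance. The 0-means-enabled return convention is documented in the header comment but reads backwards at the call sites, which use plain truthiness; a note such as `/* NB: callers treat any non-zero (disabled or error) as "do not rely on UPG" */` would help the next reader. The `static int` on the last line begins the next function, which continues outside the hunk.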
@@ -792,6 +859,7 @@ ipa_winsync_config_refresh_domain(
     char *activated_filter = NULL;
     char *inactivated_group_dn = NULL;
     char *activated_group_dn = NULL;
+    int upg = -1;
 
     slapi_lock_mutex(theConfig.lock);
     realm_filter = slapi_ch_strdup(theConfig.realm_filter);
@@ -908,6 +976,9 @@ ipa_winsync_config_refresh_domain(
         goto out;
     }
 
+    /* check if User Private Groups are enabled */
+    upg = ipa_winsync_upg_enabled(ds_subtree);
+
     /* next, find the group whose name is default_group_name - construct the filter
        based on the filter attribute value - assumes the group name is stored
        in the cn attribute value, and the gidNumber in the gidNumber attribute value */
@@ -917,11 +988,17 @@ ipa_winsync_config_refresh_domain(
                                            real_group_filter, "gidNumber",
                                            NULL, &default_gid);
     if (!default_gid) {
-        /* error - could not find the default gidNumber */
-        LOG_FATAL("Error: could not find the entry containing the default gidNumber "
-                  "ds subtree [%s] filter [%s] attr [%s]\n",
-                  slapi_sdn_get_dn(ds_subtree), new_entry_filter, "gidNumber");
-        goto out;
+        /* error - could not find the default gidNumber
+           This is not a fatal error if User Private Groups (UPG) are enabled.
+         */
+        if (upg) {
+            LOG_FATAL("Error: could not find the entry containing the default gidNumber "
+                      "UPG [%d] ds subtree [%s] filter [%s] attr [%s]\n",
+                      ret, slapi_sdn_get_dn(ds_subtree), new_entry_filter, "gidNumber");
+            goto out;
+        } else {
+            ret = LDAP_SUCCESS;
+        }
     }
 
     /* If we are syncing account disable, we need to find the groups used
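Review bot: The new LOG_FATAL call formats `"UPG [%d]"` but passes `ret` rather than `upg`, so the log line reports the search result code instead of the UPG status it claims to show; the argument list should read `upg, slapi_sdn_get_dn(ds_subtree), new_entry_filter, "gidNumber");`. This matters because the branch is also taken when `upg` is -1 (the UPG definition could not be read), and with the correct value in the log an administrator can tell a missing default gidNumber apart from a failed UPG lookup. The comment above the branch only mentions the enabled case; `/* fatal when UPG is disabled OR its status could not be determined */` would state what `if (upg)` actually covers. ipa_winsync_config_refresh_domain starts and ends outside this hunk.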
@@ -973,13 +1050,10 @@ ipa_winsync_config_refresh_domain(
     /* this copies new_user_objclasses */
     slapi_entry_add_valueset(iwdc->domain_e, "objectclass", new_user_objclasses);
 
-    /* set the default gid number */
-    sv = slapi_value_new_string_passin(default_gid);
-    default_gid = NULL; /* passin owns the memory */
-    if (!slapi_entry_attr_has_syntax_value(iwdc->domain_e, "gidNumber", sv)) {
-        slapi_entry_add_value(iwdc->domain_e,  "gidNumber", sv);
+    /* When UPG is disabled, set the default gid number */
+    if (upg && default_gid) {
+        slapi_entry_attr_set_charptr(iwdc->domain_e,  "gidNumber", default_gid);
     }
-    slapi_value_free(&sv);
 
     slapi_ch_free_string(&iwdc->inactivated_group_dn);
     iwdc->inactivated_group_dn = inactivated_group_dn;
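Review bot: `if (upg && default_gid)` treats the -1 error return of ipa_winsync_upg_enabled the same as "UPG disabled", so when the UPG definition cannot be read every synced user silently receives the default group's gidNumber, and the comment "When UPG is disabled" does not say so. Whether that fallback is intended should be spelled out: either tighten it to `if (upg == 1 && default_gid)` so an unreadable UPG definition does not quietly assign group membership, or keep the fallback and log it with `if (upg < 0) LOG("UPG status unknown, falling back to default group gidNumber\n");`. The switch from the has-value check to `slapi_entry_attr_set_charptr()` drops the only visible use of `sv`; if its declaration, which is outside the hunk, has no other use in this function it is now an unused local. The enclosing function continues past the hunk.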
diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h
index 939e63c1b489afd66dd44b7efd9d43071be48bc0..664af32a703506ebe2ce5ea3abdd66466b63a8d5 100644
--- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h
+++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync.h
@@ -167,4 +167,10 @@ enum {
    with the same value for samAccountName will be synced
 */
 #define IPA_WINSYNC_FORCE_SYNC "ipaWinSyncForceSync"
+
+/* Path to UPG configuration */
+#define IPA_WINSYNC_UPG_DEF_DN "cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,%s"
+#define IPA_WINSYNC_UPG_DEF_ATTR "originfilter"
+#define IPA_WINSYNC_UPG_DEF_DISABLED "(objectclass=disable)"
+
 #endif /* IPA_WINSYNC_H */
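Review bot: The three new macros encode an external contract that nothing in the header documents: `IPA_WINSYNC_UPG_DEF_DN` is a format string whose `%s` must be the backend suffix DN, and `IPA_WINSYNC_UPG_DEF_DISABLED` is only correct as long as whatever tool disables UPG writes exactly that text into originfilter, which presumably is the ipa-managed-entries tool. I would add `/* Format string; %s is the suffix DN returned by slapi_be_getsuffix() */` above the DN macro and `/* Substring that marks the UPG originfilter as disabled; must match what the UPG disable tool writes */` above the marker, so the coupling is visible to whoever changes either side.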
-- 
1.7.7.6
