Hi,

This set of patches fixes bugs in, and extends, the ipa_range_check
plugin.

See commit messages for details.

Parts of: https://fedorahosted.org/freeipa/ticket/4137

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 


>From 43cd26a0a42c3b18e4dbb5c6ed0f20ee1562b98a Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 16 Apr 2014 17:15:55 +0200
Subject: [PATCH] ipa_range_check: Use special attributes to determine presence
 of RID bases

The slapi_entry_attr_get_ulong function, which is used to get the value of
the RID base attributes, returns 0 when the attribute is not set at all. We
need to distinguish this situation from the one where the RID base attributes
are present but deliberately set to 0.

Otherwise this can cause false negative results of checks in the range_check
plugin.

Part of: https://fedorahosted.org/freeipa/ticket/4137
---
 .../ipa-range-check/ipa_range_check.c              | 40 +++++++++++++++++-----
 1 file changed, 31 insertions(+), 9 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
index da5169e6e9bf74d5fbbf3aea40ee3e1a2c8f6016..68948f599aa4e6d21b071424ab27e3c62c0afefe 100644
--- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
+++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
@@ -88,6 +88,8 @@ struct range_info {
     uint32_t id_range_size;
     uint32_t base_rid;
     uint32_t secondary_base_rid;
+    bool base_rid_set;
+    bool secondary_base_rid_set;
 };
 
 static void free_range_info(struct range_info *range) {
@@ -281,6 +283,7 @@ static int slapi_entry_to_range_info(struct domain_info *domain_info_head,
     int ret;
     unsigned long ul_val;
     struct range_info *range = NULL;
+    Slapi_Attr *attr;
 
     range = calloc(1, sizeof(struct range_info));
     if (range == NULL) {
@@ -326,6 +329,20 @@ static int slapi_entry_to_range_info(struct domain_info *domain_info_head,
     }
     range->secondary_base_rid = ul_val;
 
+    if (slapi_entry_attr_find(entry, IPA_BASE_RID, &attr) == -1) {
+        range->base_rid_set = false;
+    }
+    else {
+        range->base_rid_set = true;
+    }
+
+    if (slapi_entry_attr_find(entry, IPA_SECONDARY_BASE_RID, &attr) == -1) {
+        range->secondary_base_rid_set = false;
+    }
+    else {
+        range->secondary_base_rid_set = true;
+    }
+
     *_range = range;
     ret = 0;
 
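Review bot: Each presence flag is stored through a four-line if/else around `slapi_entry_attr_find`, which hides a plain boolean assignment; `range->base_rid_set = (slapi_entry_attr_find(entry, IPA_BASE_RID, &attr) != -1);` says the same thing, and likewise for `IPA_SECONDARY_BASE_RID`. The flags also only record that the attribute exists. An attribute that is present but holds a value that does not parse as a number would presumably still read back as 0 and now be treated as deliberately set to 0, which deserves a comment or an explicit validation step. slapi_entry_to_range_info starts and ends outside this hunk, so any earlier validation of these attributes is not visible here.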
@@ -398,12 +415,14 @@ static int check_ranges(struct range_info *r1, struct range_info *r2)
 
         /* For ipa-local or ipa-ad-trust range types primary RID ranges should
          * not overlap */
+
         if (strcasecmp(r1->id_range_type, AD_TRUST_RANGE_TYPE) == 0 ||
             strcasecmp(r1->id_range_type, LOCAL_RANGE_TYPE) == 0) {
 
-            /* Check if rid range overlaps with existing rid range */
-            if (intervals_overlap(r1->base_rid, r2->base_rid,
-                r1->id_range_size, r2->id_range_size))
+            /* Check if primary rid range overlaps with existing primary rid range */
+            if ((r1->base_rid_set && r2->base_rid_set) &&
+                intervals_overlap(r1->base_rid, r2->base_rid,
+                                  r1->id_range_size, r2->id_range_size))
                 return 2;
         }
 
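Review bot: The new `base_rid_set` / `secondary_base_rid_set` guards make check_ranges skip a RID overlap test whenever either range lacks the corresponding base, and nothing in the code says that this is deliberate. Since this plugin is what rejects conflicting ranges, a skipped check should be documented where it happens, for example `/* A range without a RID base has no RID interval to compare; skip the check instead of treating the missing base as 0 */` above the first guarded test. The same applies to the three guarded tests in the next hunk (return codes 3, 4 and 5). The blank line added between the "primary RID ranges should not overlap" comment and the `if` it describes should be dropped. check_ranges begins and ends outside this hunk.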
@@ -412,18 +431,21 @@ static int check_ranges(struct range_info *r1, struct range_info *r2)
 
             /* Check if secondary RID range overlaps with existing secondary or
              * primary RID range. */
-            if (intervals_overlap(r1->secondary_base_rid,
-                r2->secondary_base_rid, r1->id_range_size, r2->id_range_size))
+            if ((r1->secondary_base_rid_set && r2->secondary_base_rid_set) &&
+                intervals_overlap(r1->secondary_base_rid, r2->secondary_base_rid,
+                                  r1->id_range_size, r2->id_range_size))
                 return 3;
 
             /* Check if RID range overlaps with existing secondary RID range */
-            if (intervals_overlap(r1->base_rid, r2->secondary_base_rid,
-                r1->id_range_size, r2->id_range_size))
+            if ((r1->base_rid_set && r2->secondary_base_rid_set) &&
+                intervals_overlap(r1->base_rid, r2->secondary_base_rid,
+                                  r1->id_range_size, r2->id_range_size))
                 return 4;
 
             /* Check if secondary RID range overlaps with existing RID range */
-            if (intervals_overlap(r1->secondary_base_rid, r2->base_rid,
-                r1->id_range_size, r2->id_range_size))
+            if ((r1->secondary_base_rid_set && r2->base_rid_set) &&
+                intervals_overlap(r1->secondary_base_rid, r2->base_rid,
+                                  r1->id_range_size, r2->id_range_size))
                 return 5;
             }
     }
-- 
1.8.5.3

>From d714f77f1f162d1c7daeecf7a340f95ed3368f2d Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 16 Apr 2014 17:20:55 +0200
Subject: [PATCH] ipa_range_check: Connect the new node of the linked list

Part of: https://fedorahosted.org/freeipa/ticket/4137
---
 daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
index 68948f599aa4e6d21b071424ab27e3c62c0afefe..20961d8810448a46514ab82c8cdc318e014db4fc 100644
--- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
+++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
@@ -131,6 +131,7 @@ static int map_domain_to_root(struct domain_info **head,
     new_head->forest_root_id = slapi_entry_attr_get_charptr(root_domain,
                                                             IPA_DOMAIN_ID);
     new_head->next = *head;
+    *head = new_head;
 
     return 0;
 }
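Review bot: Once `*head = new_head;` links the node into the list, later lookups read its fields, yet the `forest_root_id` obtained from `slapi_entry_attr_get_charptr` just above is stored unchecked. If the root domain entry has no IPA_DOMAIN_ID value, that pointer is presumably NULL and the node is still published. Validate before linking, e.g. `if (new_head->forest_root_id == NULL) { /* release new_head, return an error */ }`, so a malformed trust entry cannot put a half-filled node in the map. map_domain_to_root starts outside this hunk, so whether `domain_id` is checked earlier cannot be confirmed from here.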
-- 
1.8.5.3

>From 632c0ed1fca2cb48b981f6daac55badd59c9c263 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 16 Apr 2014 17:22:46 +0200
Subject: [PATCH] ipa_range_check: Make a new copy of forest_root_id attribute
 for range_info struct

Without a new copy of this attribute, the same forest_root_id string is freed
multiple times, because the range_info structs for all the domains belonging
to a given forest hold pointers to that one string.

Part of: https://fedorahosted.org/freeipa/ticket/4137
---
 daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
index 20961d8810448a46514ab82c8cdc318e014db4fc..e2affbd47dc54fb6180cffe842dc2395cf482f52 100644
--- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
+++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
@@ -147,7 +147,7 @@ static char* get_forest_root_id(struct domain_info *head, char* domain_id) {
     if (domain_id != NULL) {
         while(head) {
             if (strcasecmp(head->domain_id, domain_id) == 0) {
-                return head->forest_root_id;
+                return slapi_ch_strdup(head->forest_root_id);
             }
             head = head->next;
         }
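Review bot: With `return slapi_ch_strdup(head->forest_root_id);` the function now hands ownership of a fresh allocation to its caller, but the hunk documents this nowhere. Add a header comment on get_forest_root_id such as `/* Returns a newly allocated copy of the forest root id, or NULL; the caller owns it and must release it with slapi_ch_free_string() */`. It is also worth confirming that the release path for range_info uses the slapi allocator's free routine rather than plain `free()`, since the struct itself is allocated with `calloc` elsewhere in this file. The function body continues outside the hunk, so the not-found return path is not visible here.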
-- 
1.8.5.3

>From ed60bd0e865aad85eb1ffa02d8aea7f76220c65c Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 16 Apr 2014 17:26:07 +0200
Subject: [PATCH] ipa_range_check: Do not fail when no trusted domain is
 available

When building the domain to forest root map, we need to take into account
the case of the IPA server having no trusted domains configured at all. Do not
abort the checks, but return an empty map instead.

Part of: https://fedorahosted.org/freeipa/ticket/4137
---
 daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
index e2affbd47dc54fb6180cffe842dc2395cf482f52..b05b121f0e9cbc6fb6422b4d50f96cb7e86cda07 100644
--- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
+++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
@@ -173,6 +173,8 @@ static int build_domain_to_forest_root_map(struct domain_info **head,
     int search_result;
     int ret = 0;
 
+    LOG("Building forest root map \n");
+
     /* Set the base DN for the search to cn=ad, cn=trusts, $SUFFIX */
     ret = asprintf(&base, "cn=ad,cn=trusts,%s", ctx->base_dn);
     if (ret == -1) {
@@ -211,8 +213,14 @@ static int build_domain_to_forest_root_map(struct domain_info **head,
 
     ret = slapi_pblock_get(trusted_domain_search_pb, SLAPI_PLUGIN_INTOP_RESULT, &search_result);
     if (ret != 0 || search_result != LDAP_SUCCESS) {
-        LOG_FATAL("Internal search failed.\n");
-        ret = LDAP_OPERATIONS_ERROR;
+
+        /* If the search for the trusted domains fails,
+         * AD Trust support on IPA server is not available */
+
+        LOG("No trusts support on IPA server.\n");
+        ret = 0;
+        *head = NULL;
+
         goto done;
     }
 
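Review bot: The rewritten error branch treats every failure as "no trusts configured", including a failing `slapi_pblock_get` and any `search_result` other than `LDAP_SUCCESS`, and returns success with an empty map. A transient or unexpected search error would therefore make the plugin validate ranges against an incomplete forest map and log nothing more than an informational line. Only the case where the trust container is missing should map to an empty result, which I would expect to be `LDAP_NO_SUCH_OBJECT`, though that should be confirmed against the internal search behaviour. Other failures should keep the previous `LOG_FATAL` and `LDAP_OPERATIONS_ERROR` path. build_domain_to_forest_root_map starts and ends outside this hunk.

```c
    ret = slapi_pblock_get(trusted_domain_search_pb, SLAPI_PLUGIN_INTOP_RESULT, &search_result);
    if (ret != 0) {
        LOG_FATAL("Internal search failed.\n");
        ret = LDAP_OPERATIONS_ERROR;
        goto done;
    }

    if (search_result == LDAP_NO_SUCH_OBJECT) {
        /* cn=ad,cn=trusts does not exist: AD Trust support is not
         * available on this server, so return an empty map */
        LOG("No trusts support on IPA server.\n");
        ret = 0;
        *head = NULL;
        goto done;
    }

    if (search_result != LDAP_SUCCESS) {
        LOG_FATAL("Internal search failed.\n");
        ret = LDAP_OPERATIONS_ERROR;
        goto done;
    }
```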
-- 
1.8.5.3

>From 96f27c06f062dcfaa40405c50ad087d6013dc62c Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 16 Apr 2014 17:28:34 +0200
Subject: [PATCH] ipa_range_check: Fix typo when comparing strings using
 strcasecmp

Part of: https://fedorahosted.org/freeipa/ticket/4137
---
 daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
index b05b121f0e9cbc6fb6422b4d50f96cb7e86cda07..794e7f3c81c283897059da28b52d7be93e8eb15b 100644
--- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
+++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
@@ -397,10 +397,10 @@ static int check_ranges(struct range_info *r1, struct range_info *r2)
 
     /* Check if base range overlaps with existing base range.
      * Exception: ipa-ad-trust-posix ranges from the same forest */
-    if (!(strcasecmp(r1->id_range_type, AD_TRUST_POSIX_RANGE_TYPE) &&
-          strcasecmp(r2->id_range_type, AD_TRUST_POSIX_RANGE_TYPE) &&
-          r1->forest_root_id != NULL && r2->forest_root_id !=NULL &&
-          strcasecmp(r1->forest_root_id, r2->forest_root_id) == 0)) {
+    if (!((strcasecmp(r1->id_range_type, AD_TRUST_POSIX_RANGE_TYPE) == 0) &&
+          (strcasecmp(r2->id_range_type, AD_TRUST_POSIX_RANGE_TYPE) == 0) &&
+          (r1->forest_root_id != NULL && r2->forest_root_id != NULL) &&
+          (strcasecmp(r1->forest_root_id, r2->forest_root_id) == 0))) {
 
         if (intervals_overlap(r1->base_id, r2->base_id,
             r1->id_range_size, r2->id_range_size)){
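Review bot: The corrected condition is still a negated four-clause conjunction that decides when the base-range overlap check is skipped, the same shape in which the original missing `== 0` went unnoticed. Moving the positive test into a small static helper that returns true only when both ranges are `AD_TRUST_POSIX_RANGE_TYPE`, both have a non-NULL `forest_root_id`, and the ids compare equal would let the call site read `if (!same_forest_posix_ranges(r1, r2)) {`. That keeps the exception to the overlap rule in one named, commentable place. The hunk does not show whether `id_range_type` can be NULL when it reaches `strcasecmp`, so that is worth confirming in slapi_entry_to_range_info. check_ranges starts and ends outside this hunk.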
-- 
1.8.5.3
