URL: https://github.com/freeipa/freeipa/pull/5991 Author: sumit-bose Title: #5991: extdom: return LDAP_NO_SUCH_OBJECT if domains differ Action: opened
PR body: """ If a client sends a request to lookup an object from a given trusted domain by UID or GID and an object with matching ID is only found in a different domain the extdom should return LDAP_NO_SUCH_OBJECT to indicate to the client that the requested ID does not exists in the given domain. Resolves: https://pagure.io/freeipa/issue/8965 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5991/head:pr5991 git checkout pr5991
From 78fc4aba2dc7f5278e53e8ad5faeb1869731b5b7 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Wed, 25 Aug 2021 17:10:29 +0200 Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ If a client sends a request to lookup an object from a given trusted domain by UID or GID and an object with matching ID is only found in a different domain the extdom should return LDAP_NO_SUCH_OBJECT to indicate to the client that the requested ID does not exists in the given domain. Resolves: https://pagure.io/freeipa/issue/8965 --- .../ipa-extdom-extop/ipa_extdom_common.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 5d97ff6137d..6f646b9f49e 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx, if (strcasecmp(locat+1, domain_name) == 0 ) { locat[0] = '\0'; } else { - ret = LDAP_INVALID_SYNTAX; + /* The found object is from a different domain than requested, + * that means it does not exist in the requested domain */ + ret = LDAP_NO_SUCH_OBJECT; goto done; } } @@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type, if (strcasecmp(locat+1, domain_name) == 0 ) { locat[0] = '\0'; } else { - ret = LDAP_INVALID_SYNTAX; + /* The found object is from a different domain than requested, + * that means it does not exist in the requested domain */ + ret = LDAP_NO_SUCH_OBJECT; goto done; } }
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure