Re: [Freeipa-devel] [PATCH 130] extdom: add support for new version

2014-09-30 Thread Martin Kosek
On 09/29/2014 07:01 PM, Jakub Hrozek wrote:
 On Mon, Sep 29, 2014 at 06:16:30PM +0200, Sumit Bose wrote:
 Hi,

 Jakub found another issue which is fixed with this new version.

 bye,
 Sumit

 and now with patch ...
 
 Thank you,
 
 ACK

Pushed to:
master: 3c75b9171e5721097f6ba2855e41f0e4129b907b
ipa-4-1: 2006d8759b767364031052480a3fc8947dea0998

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 130] extdom: add support for new version

2014-09-29 Thread Sumit Bose
On Thu, Sep 25, 2014 at 01:46:00PM +0200, Sumit Bose wrote:
 On Wed, Sep 24, 2014 at 03:23:54PM +0200, Jakub Hrozek wrote:
  On Tue, Sep 23, 2014 at 05:11:01PM +0200, Sumit Bose wrote:
   Hi,
   
   this patch should fix https://fedorahosted.org/freeipa/ticket/4031 and
   with the corresponding SSSD part it would be possible to get the full
   list of group memberships with the id command even for users who didn't
   log in before.
   
   bye,
   Sumit
  
  So far I only read the patch, no testing was done yet (I'm installing a
  separate VM where I'll keep this new plugin for easy comparison and
  backwards-compatibility testing)
 
 Thank you for the review, please see comments below.
 
  
  First, there are some Coverity warnings:
  
  Error: USE_AFTER_FREE (CWE-825):
  freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:242:
   alias: Assigning: groups = new_groups. Now both point to the same 
  storage.
  freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:246:
   freed_arg: free(void *) frees groups.
  freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:252:
   use_after_free: Using freed pointer groups.
 
 fixed
 
  
  Error: CONSTANT_EXPRESSION_RESULT (CWE-398):
  freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:596:
   missing_parentheses: !id_type != SSS_ID_TYPE_GID is always true 
  regardless of the values of its operands. Did you intend to either negate 
  the entire comparison expression, in which case parentheses would be 
  required around the entire comparison expression to force that 
  interpretation, or negate the sense of the comparison (that is, use '==' 
  rather than '!=')? This occurs as the logical second operand of '||'.
 
 fixed
 
  
  Error: DEADCODE (CWE-561):
  freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:594:
   cond_cannot_single: Condition request_type == 1U, taking false branch. 
  Now the value of request_type cannot be equal to 1.
  freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:594:
   cond_cannot_set: Condition request_type == 3U, taking false branch. Now 
  the value of request_type cannot be equal to any of {1, 3}.
  freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:606:
   cannot_set: At condition request_type == 1U, the value of request_type 
  cannot be equal to any of {1, 3}.
  freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:606:
   dead_error_condition: The condition request_type == 1U cannot be true.
  freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:607:
   dead_error_line: Execution cannot reach this statement ret = 
  pack_ber_sid(sid_str,
 
  I think this is a result of the CONSTANT_EXPRESSION_RESULT issue; since I
  fixed it, this warning should be gone as well.
 
  
  See some comments inline.
  
   From 23ff38cdea85995b211e73f474bcb4b0d7fb8039 Mon Sep 17 00:00:00 2001
   From: Sumit Bose sb...@redhat.com
   Date: Tue, 23 Sep 2014 15:55:43 +0200
   Subject: [PATCH] extdom: add support for new version
   
   Currently the extdom plugin is basically used to translate SIDs of AD
   users and groups to names and POSIX IDs.
   
   With this patch a new version is added which will return the full member
   list for groups and the full list of group memberships for a user.
   Additionally the gecos field, the home directory and the login shell of a
   user are returned and an optional list of key-value pairs which
   currently will contain the SID of the requested object if available.
   
   https://fedorahosted.org/freeipa/ticket/4031
   ---
.../ipa-extdom-extop/ipa_extdom.h  |  29 +-
.../ipa-extdom-extop/ipa_extdom_common.c   | 850 
   +++--
.../ipa-extdom-extop/ipa_extdom_extop.c|  28 +-
3 files changed, 640 insertions(+), 267 deletions(-)
   
   diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
   b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
   index 
   5f834a047a579104cd2589ce417c580c1c5388d3..548ee74f561c474854c049726c4c3e71da5cbbea
100644
   --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
   +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
   @@ -64,6 +64,7 @@
#include sss_nss_idmap.h

#define EXOP_EXTDOM_OID 2.16.840.1.113730.3.8.10.4
   +#define EXOP_EXTDOM_V2_OID 2.16.840.1.113730.3.8.10.4.1
  
  It's a bit odd that this control is called V1 in the SSSD tree and V2 in
  the IPA tree. It's not wrong, just strange maybe.
 
 you are right, I renamed the versions here.
 
  

   -int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
   -   struct extdom_res **res)
   +int check_request(struct extdom_req *req, enum extdom_version version)
   +{
   

Re: [Freeipa-devel] [PATCH 130] extdom: add support for new version

2014-09-29 Thread Sumit Bose
On Mon, Sep 29, 2014 at 06:15:21PM +0200, Sumit Bose wrote:
 On Thu, Sep 25, 2014 at 01:46:00PM +0200, Sumit Bose wrote:
  On Wed, Sep 24, 2014 at 03:23:54PM +0200, Jakub Hrozek wrote:
   On Tue, Sep 23, 2014 at 05:11:01PM +0200, Sumit Bose wrote:
Hi,

this patch should fix https://fedorahosted.org/freeipa/ticket/4031 and
with the corresponding SSSD part it would be possible to get the full
list of group memberships with the id command even for users who didn't
log in before.

bye,
Sumit
   
   So far I only read the patch, no testing was done yet (I'm installing a
   separate VM where I'll keep this new plugin for easy comparison and
   backwards-compatibility testing)
  
  Thank you for the review, please see comments below.
  
   
   First, there are some Coverity warnings:
   
   Error: USE_AFTER_FREE (CWE-825):
   freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:242:
alias: Assigning: groups = new_groups. Now both point to the same 
   storage.
   freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:246:
freed_arg: free(void *) frees groups.
   freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:252:
use_after_free: Using freed pointer groups.
  
  fixed
  
   
   Error: CONSTANT_EXPRESSION_RESULT (CWE-398):
   freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:596:
missing_parentheses: !id_type != SSS_ID_TYPE_GID is always true 
   regardless of the values of its operands. Did you intend to either negate 
   the entire comparison expression, in which case parentheses would be 
   required around the entire comparison expression to force that 
   interpretation, or negate the sense of the comparison (that is, use '==' 
   rather than '!=')? This occurs as the logical second operand of '||'.
  
  fixed
  
   
   Error: DEADCODE (CWE-561):
   freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:594:
cond_cannot_single: Condition request_type == 1U, taking false branch. 
   Now the value of request_type cannot be equal to 1.
   freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:594:
cond_cannot_set: Condition request_type == 3U, taking false branch. 
   Now the value of request_type cannot be equal to any of {1, 3}.
   freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:606:
cannot_set: At condition request_type == 1U, the value of 
   request_type cannot be equal to any of {1, 3}.
   freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:606:
dead_error_condition: The condition request_type == 1U cannot be true.
   freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:607:
dead_error_line: Execution cannot reach this statement ret = 
   pack_ber_sid(sid_str,
  
   I think this is a result of the CONSTANT_EXPRESSION_RESULT issue; since I
   fixed it, this warning should be gone as well.
  
   
   See some comments inline.
   
From 23ff38cdea85995b211e73f474bcb4b0d7fb8039 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Tue, 23 Sep 2014 15:55:43 +0200
Subject: [PATCH] extdom: add support for new version

Currently the extdom plugin is basically used to translate SIDs of AD
users and groups to names and POSIX IDs.

With this patch a new version is added which will return the full member
list for groups and the full list of group memberships for a user.
Additionally the gecos field, the home directory and the login shell of 
a
user are returned and an optional list of key-value pairs which
currently will contain the SID of the requested object if available.

https://fedorahosted.org/freeipa/ticket/4031
---
 .../ipa-extdom-extop/ipa_extdom.h  |  29 +-
 .../ipa-extdom-extop/ipa_extdom_common.c   | 850 
+++--
 .../ipa-extdom-extop/ipa_extdom_extop.c|  28 +-
 3 files changed, 640 insertions(+), 267 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
index 
5f834a047a579104cd2589ce417c580c1c5388d3..548ee74f561c474854c049726c4c3e71da5cbbea
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
@@ -64,6 +64,7 @@
 #include sss_nss_idmap.h
 
 #define EXOP_EXTDOM_OID 2.16.840.1.113730.3.8.10.4
+#define EXOP_EXTDOM_V2_OID 2.16.840.1.113730.3.8.10.4.1
   
   It's a bit odd that this control is called V1 in the SSSD tree and V2 in
   the IPA tree. It's not wrong, just strange maybe.
  
  you are right, I renamed the versions here.
  
   
 
-int handle_request(struct 

Re: [Freeipa-devel] [PATCH 130] extdom: add support for new version

2014-09-29 Thread Jakub Hrozek
On Mon, Sep 29, 2014 at 06:16:30PM +0200, Sumit Bose wrote:
  Hi,
  
  Jakub found another issue which is fixed with this new version.
  
  bye,
  Sumit
 
 and now with patch ...

Thank you,

ACK


Re: [Freeipa-devel] [PATCH 130] extdom: add support for new version

2014-09-25 Thread Sumit Bose
On Wed, Sep 24, 2014 at 03:23:54PM +0200, Jakub Hrozek wrote:
 On Tue, Sep 23, 2014 at 05:11:01PM +0200, Sumit Bose wrote:
  Hi,
  
  this patch should fix https://fedorahosted.org/freeipa/ticket/4031 and
  with the corresponding SSSD part it would be possible to get the full
  list of group memberships with the id command even for users who didn't
  log in before.
  
  bye,
  Sumit
 
 So far I only read the patch, no testing was done yet (I'm installing a
 separate VM where I'll keep this new plugin for easy comparison and
 backwards-compatibility testing)

Thank you for the review, please see comments below.

 
 First, there are some Coverity warnings:
 
 Error: USE_AFTER_FREE (CWE-825):
 freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:242:
  alias: Assigning: groups = new_groups. Now both point to the same 
 storage.
 freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:246:
  freed_arg: free(void *) frees groups.
 freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:252:
  use_after_free: Using freed pointer groups.

fixed

 
 Error: CONSTANT_EXPRESSION_RESULT (CWE-398):
 freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:596:
  missing_parentheses: !id_type != SSS_ID_TYPE_GID is always true regardless 
 of the values of its operands. Did you intend to either negate the entire 
 comparison expression, in which case parentheses would be required around the 
 entire comparison expression to force that interpretation, or negate the 
 sense of the comparison (that is, use '==' rather than '!=')? This occurs as 
 the logical second operand of '||'.

fixed

 
 Error: DEADCODE (CWE-561):
 freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:594:
  cond_cannot_single: Condition request_type == 1U, taking false branch. Now 
 the value of request_type cannot be equal to 1.
 freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:594:
  cond_cannot_set: Condition request_type == 3U, taking false branch. Now 
 the value of request_type cannot be equal to any of {1, 3}.
 freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:606:
  cannot_set: At condition request_type == 1U, the value of request_type 
 cannot be equal to any of {1, 3}.
 freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:606:
  dead_error_condition: The condition request_type == 1U cannot be true.
 freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:607:
  dead_error_line: Execution cannot reach this statement ret = 
 pack_ber_sid(sid_str,

I think this is a result of the CONSTANT_EXPRESSION_RESULT issue; since I
fixed it, this warning should be gone as well.

 
 See some comments inline.
 
  From 23ff38cdea85995b211e73f474bcb4b0d7fb8039 Mon Sep 17 00:00:00 2001
  From: Sumit Bose sb...@redhat.com
  Date: Tue, 23 Sep 2014 15:55:43 +0200
  Subject: [PATCH] extdom: add support for new version
  
  Currently the extdom plugin is basically used to translate SIDs of AD
  users and groups to names and POSIX IDs.
  
  With this patch a new version is added which will return the full member
  list for groups and the full list of group memberships for a user.
  Additionally the gecos field, the home directory and the login shell of a
  user are returned and an optional list of key-value pairs which
  currently will contain the SID of the requested object if available.
  
  https://fedorahosted.org/freeipa/ticket/4031
  ---
   .../ipa-extdom-extop/ipa_extdom.h  |  29 +-
   .../ipa-extdom-extop/ipa_extdom_common.c   | 850 
  +++--
   .../ipa-extdom-extop/ipa_extdom_extop.c|  28 +-
   3 files changed, 640 insertions(+), 267 deletions(-)
  
  diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
  b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
  index 
  5f834a047a579104cd2589ce417c580c1c5388d3..548ee74f561c474854c049726c4c3e71da5cbbea
   100644
  --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
  +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
  @@ -64,6 +64,7 @@
   #include sss_nss_idmap.h
   
   #define EXOP_EXTDOM_OID 2.16.840.1.113730.3.8.10.4
  +#define EXOP_EXTDOM_V2_OID 2.16.840.1.113730.3.8.10.4.1
 
 It's a bit odd that this control is called V1 in the SSSD tree and V2 in
 the IPA tree. It's not wrong, just strange maybe.

you are right, I renamed the versions here.

 
   
  -int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
  -   struct extdom_res **res)
  +int check_request(struct extdom_req *req, enum extdom_version version)
  +{
  +if (version == EXTDOM_V1) {
  +if (req-request_type == REQ_FULL_WITH_GROUPS) {
  +return LDAP_PROTOCOL_ERROR;
  +}
  +}
 
 Any 

Re: [Freeipa-devel] [PATCH 130] extdom: add support for new version

2014-09-24 Thread Jakub Hrozek
On Tue, Sep 23, 2014 at 05:11:01PM +0200, Sumit Bose wrote:
 Hi,
 
 this patch should fix https://fedorahosted.org/freeipa/ticket/4031 and
 with the corresponding SSSD part it would be possible to get the full
 list of group memberships with the id command even for users who didn't
 log in before.
 
 bye,
 Sumit

So far I only read the patch, no testing was done yet (I'm installing a
separate VM where I'll keep this new plugin for easy comparison and
backwards-compatibility testing)

First, there are some Coverity warnings:

Error: USE_AFTER_FREE (CWE-825):
freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:242:
 alias: Assigning: groups = new_groups. Now both point to the same storage.
freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:246:
 freed_arg: free(void *) frees groups.
freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:252:
 use_after_free: Using freed pointer groups.

Error: CONSTANT_EXPRESSION_RESULT (CWE-398):
freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:596:
 missing_parentheses: !id_type != SSS_ID_TYPE_GID is always true regardless 
of the values of its operands. Did you intend to either negate the entire 
comparison expression, in which case parentheses would be required around the 
entire comparison expression to force that interpretation, or negate the sense 
of the comparison (that is, use '==' rather than '!=')? This occurs as the 
logical second operand of '||'.

Error: DEADCODE (CWE-561):
freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:594:
 cond_cannot_single: Condition request_type == 1U, taking false branch. Now 
the value of request_type cannot be equal to 1.
freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:594:
 cond_cannot_set: Condition request_type == 3U, taking false branch. Now the 
value of request_type cannot be equal to any of {1, 3}.
freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:606:
 cannot_set: At condition request_type == 1U, the value of request_type 
cannot be equal to any of {1, 3}.
freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:606:
 dead_error_condition: The condition request_type == 1U cannot be true.
freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:607:
 dead_error_line: Execution cannot reach this statement ret = 
pack_ber_sid(sid_str,

See some comments inline.

 From 23ff38cdea85995b211e73f474bcb4b0d7fb8039 Mon Sep 17 00:00:00 2001
 From: Sumit Bose sb...@redhat.com
 Date: Tue, 23 Sep 2014 15:55:43 +0200
 Subject: [PATCH] extdom: add support for new version
 
 Currently the extdom plugin is basically used to translate SIDs of AD
 users and groups to names and POSIX IDs.
 
 With this patch a new version is added which will return the full member
 list for groups and the full list of group memberships for a user.
 Additionally the gecos field, the home directory and the login shell of a
 user are returned and an optional list of key-value pairs which
 currently will contain the SID of the requested object if available.
 
 https://fedorahosted.org/freeipa/ticket/4031
 ---
  .../ipa-extdom-extop/ipa_extdom.h  |  29 +-
  .../ipa-extdom-extop/ipa_extdom_common.c   | 850 
 +++--
  .../ipa-extdom-extop/ipa_extdom_extop.c|  28 +-
  3 files changed, 640 insertions(+), 267 deletions(-)
 
 diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
 b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
 index 
 5f834a047a579104cd2589ce417c580c1c5388d3..548ee74f561c474854c049726c4c3e71da5cbbea
  100644
 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
 +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
 @@ -64,6 +64,7 @@
  #include sss_nss_idmap.h
  
  #define EXOP_EXTDOM_OID 2.16.840.1.113730.3.8.10.4
 +#define EXOP_EXTDOM_V2_OID 2.16.840.1.113730.3.8.10.4.1

It's a bit odd that this control is called V1 in the SSSD tree and V2 in
the IPA tree. It's not wrong, just strange maybe.

  
  #define IPA_EXTDOM_PLUGIN_NAME   ipa-extdom-extop
  #define IPA_EXTDOM_FEATURE_DESC  IPA trusted domain ID mapper
 @@ -71,6 +72,11 @@
  
  #define IPA_PLUGIN_NAME IPA_EXTDOM_PLUGIN_NAME
  
 +enum extdom_version {
 +EXTDOM_V1 = 1,
 +EXTDOM_V2
 +};
 +
  enum input_types {
  INP_SID = 1,
  INP_NAME,
 @@ -80,14 +86,17 @@ enum input_types {
  
  enum request_types {
  REQ_SIMPLE = 1,
 -REQ_FULL
 +REQ_FULL,
 +REQ_FULL_WITH_GROUPS
  };
  
  enum response_types {
  RESP_SID = 1,
  RESP_NAME,
  RESP_USER,
 -RESP_GROUP
 +RESP_GROUP,
 +RESP_USER_GROUPLIST,
 +RESP_GROUP_MEMBERS
  };
  
  struct extdom_req {
 @@ -123,11 +132,18 @@ struct extdom_res {
  char *user_name;
  uid_t uid;
 

[Freeipa-devel] [PATCH 130] extdom: add support for new version

2014-09-23 Thread Sumit Bose
Hi,

this patch should fix https://fedorahosted.org/freeipa/ticket/4031 and
with the corresponding SSSD part it would be possible to get the full
list of group memberships with the id command even for users who didn't
log in before.

bye,
Sumit
From 23ff38cdea85995b211e73f474bcb4b0d7fb8039 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Tue, 23 Sep 2014 15:55:43 +0200
Subject: [PATCH] extdom: add support for new version

Currently the extdom plugin is basically used to translate SIDs of AD
users and groups to names and POSIX IDs.

With this patch a new version is added which will return the full member
list for groups and the full list of group memberships for a user.
Additionally the gecos field, the home directory and the login shell of a
user are returned and an optional list of key-value pairs which
currently will contain the SID of the requested object if available.

https://fedorahosted.org/freeipa/ticket/4031
---
 .../ipa-extdom-extop/ipa_extdom.h  |  29 +-
 .../ipa-extdom-extop/ipa_extdom_common.c   | 850 +++--
 .../ipa-extdom-extop/ipa_extdom_extop.c|  28 +-
 3 files changed, 640 insertions(+), 267 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
index 
5f834a047a579104cd2589ce417c580c1c5388d3..548ee74f561c474854c049726c4c3e71da5cbbea
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
@@ -64,6 +64,7 @@
 #include sss_nss_idmap.h
 
 #define EXOP_EXTDOM_OID 2.16.840.1.113730.3.8.10.4
+#define EXOP_EXTDOM_V2_OID 2.16.840.1.113730.3.8.10.4.1
 
 #define IPA_EXTDOM_PLUGIN_NAME   ipa-extdom-extop
 #define IPA_EXTDOM_FEATURE_DESC  IPA trusted domain ID mapper
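Review bot: `EXOP_EXTDOM_V2_OID` is a child arc of `EXOP_EXTDOM_OID` (`...8.10.4.1` under `...8.10.4`), so any OID comparison that uses a prefix match instead of a full-string compare would route v2 requests to the v1 handler; the dispatch in ipa_extdom_extop.c is changed by this patch but not shown in this hunk, so confirm it compares the complete string. As already raised in the thread, the name `V2` here versus v1 in SSSD should be settled before both constants ship.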
@@ -71,6 +72,11 @@
 
 #define IPA_PLUGIN_NAME IPA_EXTDOM_PLUGIN_NAME
 
+enum extdom_version {
+EXTDOM_V1 = 1,
+EXTDOM_V2
+};
+
 enum input_types {
 INP_SID = 1,
 INP_NAME,
@@ -80,14 +86,17 @@ enum input_types {
 
 enum request_types {
 REQ_SIMPLE = 1,
-REQ_FULL
+REQ_FULL,
+REQ_FULL_WITH_GROUPS
 };
 
 enum response_types {
 RESP_SID = 1,
 RESP_NAME,
 RESP_USER,
-RESP_GROUP
+RESP_GROUP,
+RESP_USER_GROUPLIST,
+RESP_GROUP_MEMBERS
 };
 
 struct extdom_req {
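Review bot: `REQ_FULL_WITH_GROUPS`, `RESP_USER_GROUPLIST` and `RESP_GROUP_MEMBERS` are appended after the existing members, so the v1 numbers (1..2 and 1..4) stay stable on the wire, which is what compatibility with older clients needs; add a comment to each enum stating that these values are protocol constants that must not be reordered, since nothing else in the header makes that visible.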
@@ -123,11 +132,18 @@ struct extdom_res {
 char *user_name;
 uid_t uid;
 gid_t gid;
+char *gecos;
+char *home;
+char *shell;
+size_t ngroups;
+char **groups;
 } user;
 struct {
 char *domain_name;
 char *group_name;
 gid_t gid;
+size_t nmembers;
+char **members;
 } group;
 } data;
 };
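Review bot: `ngroups` is `size_t` in `extdom_res` but `int` in `struct pwd_grp` (next hunk), the type `getgrouplist()` uses for its count; when the count is copied across, check that it is not negative first, or a bad value becomes a huge `size_t` and drives the `groups` loop off the end of the array. The new `gecos`, `home`, `shell`, `groups` and `members` pointers all need releasing on every error path of whatever now frees `struct extdom_res`.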
@@ -150,15 +166,14 @@ struct pwd_grp {
 struct passwd pwd;
 struct group grp;
 } data;
+int ngroups;
+gid_t *groups;
 };
 
 int parse_request_data(struct berval *req_val, struct extdom_req **_req);
 void free_req_data(struct extdom_req *req);
+int check_request(struct extdom_req *req, enum extdom_version version);
 int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
-   struct extdom_res **res);
-int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
-const char *sid_str, enum sss_id_type id_type,
-const char *domain_name, struct extdom_res **_res);
-void free_resp_data(struct extdom_res *res);
+   struct berval **berval);
 int pack_response(struct extdom_res *res, struct berval **ret_val);
 #endif /* _IPA_EXTDOM_H_ */
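Review bot: dropping `create_response()` and `free_resp_data()` from the header while keeping `struct extdom_res` public leaves callers with a type they can allocate but not release; if both became static in ipa_extdom_common.c, say so in the commit message, and make sure the `struct berval` that `handle_request()` now returns is freed by the extop entry point on every path, including the `LDAP_PROTOCOL_ERROR` result of `check_request()`. The `gid_t *groups` added to `struct pwd_grp` is heap memory next to inline `struct passwd`/`struct group` data, so document who frees it.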
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 
025d37dc5eda05c8db43d4e8176fd7898ed32fe7..5c1ae79c818676c3660d5cd5b8ca5515a4f0f18d
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -70,6 +70,7 @@ int parse_request_data(struct berval *req_val, struct 
extdom_req **_req)
  *requestType ENUMERATED {
  *simple (1),
  *full (2)
+ *full_with_groups (3)
  *},
  *data InputData
  * }
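Review bot: the ASN.1 comment is missing a comma after `full (2)` now that `full_with_groups (3)` follows it; `ENUMERATED` items are comma-separated, and this comment is the closest thing to a wire-format spec the plugin has, so keep it valid: `*full (2),`.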
@@ -179,23 +180,23 @@ void free_req_data(struct extdom_req *req)
 free(req);
 }
 
-int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
-   struct extdom_res **res)
+int check_request(struct extdom_req *req, enum extdom_version version)
+{
+if (version == EXTDOM_V1) {
+if (req-request_type == REQ_FULL_WITH_GROUPS) {
+return LDAP_PROTOCOL_ERROR;
+}
+}
+
+return LDAP_SUCCESS;
+}
+
+static int get_buffer(size_t *_buf_len, char **_buf)
 {
-int ret;
-char *domain_name = NULL;
-char *sid_str = NULL;
-size_t buf_len;
-char *buf = NULL;
 long pw_max;
 long gr_max;
-struct pwd_grp pg_data;
-
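Review bot: `check_request()` rejects only the v1 + `REQ_FULL_WITH_GROUPS` combination; a `request_type` outside `enum request_types` (0, or anything above 3) passes for both versions unless the BER decoder already bounds it, and `input_type` is not checked at all. A `switch` on `req->request_type` with `default: return LDAP_PROTOCOL_ERROR;`, plus the same treatment for `input_type`, would make this the single validation point, and it should run for requests on the v1 OID as well as the new one so the two code paths cannot drift.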