Re: [Freeipa-devel] [PATCH 130] extdom: add support for new version
On 09/29/2014 07:01 PM, Jakub Hrozek wrote: On Mon, Sep 29, 2014 at 06:16:30PM +0200, Sumit Bose wrote: Hi, Jakub found another issue which is fixed with this new version. bye, Sumit and now with patch ... Thank you, ACK Pushed to: master: 3c75b9171e5721097f6ba2855e41f0e4129b907b ipa-4-1: 2006d8759b767364031052480a3fc8947dea0998 Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 130] extdom: add support for new version
On Thu, Sep 25, 2014 at 01:46:00PM +0200, Sumit Bose wrote: On Wed, Sep 24, 2014 at 03:23:54PM +0200, Jakub Hrozek wrote: On Tue, Sep 23, 2014 at 05:11:01PM +0200, Sumit Bose wrote: Hi, this patch should fix https://fedorahosted.org/freeipa/ticket/4031 and with the corresponding SSSD part it would be possible to get the full list of group memberships with the id command even for user who didn't log in before. bye, Sumit So far I only read the patch, no testing was done yet (I'm installing a separate VM where I'll keep this new plugin for easy comparison and backwards-compatibility testing) Thank you for the review, please see comments below. First, there are some Coverity warnings: Error: USE_AFTER_FREE (CWE-825): freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:242: alias: Assigning: groups = new_groups. Now both point to the same storage. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:246: freed_arg: free(void *) frees groups. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:252: use_after_free: Using freed pointer groups. fixed Error: CONSTANT_EXPRESSION_RESULT (CWE-398): freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:596: missing_parentheses: !id_type != SSS_ID_TYPE_GID is always true regardless of the values of its operands. Did you intend to either negate the entire comparison expression, in which case parentheses would be required around the entire comparison expression to force that interpretation, or negate the sense of the comparison (that is, use '==' rather than '!=')? This occurs as the logical second operand of '||'. fixed Error: DEADCODE (CWE-561): freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:594: cond_cannot_single: Condition request_type == 1U, taking false branch. Now the value of request_type cannot be equal to 1. 
freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:594: cond_cannot_set: Condition request_type == 3U, taking false branch. Now the value of request_type cannot be equal to any of {1, 3}. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:606: cannot_set: At condition request_type == 1U, the value of request_type cannot be equal to any of {1, 3}. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:606: dead_error_condition: The condition request_type == 1U cannot be true. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:607: dead_error_line: Execution cannot reach this statement ret = pack_ber_sid(sid_str, I think this is a result of the CONSTANT_EXPRESSION_RESULT issue, since I fixed it this warning should be gone as well. See some comments inline. From 23ff38cdea85995b211e73f474bcb4b0d7fb8039 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 23 Sep 2014 15:55:43 +0200 Subject: [PATCH] extdom: add support for new version Currently the extdom plugin is basically used to translate SIDs of AD users and groups to names and POSIX IDs. With this patch a new version is added which will return the full member list for groups and the full list of group memberships for a user. Additionally the gecos field, the home directory and the login shell of a user are returned and an optional list of key-value pairs which currently will contain the SID of the requested object if available. https://fedorahosted.org/freeipa/ticket/4031 --- .../ipa-extdom-extop/ipa_extdom.h | 29 +- .../ipa-extdom-extop/ipa_extdom_common.c | 850 +++-- .../ipa-extdom-extop/ipa_extdom_extop.c| 28 +- 3 files changed, 640 insertions(+), 267 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h index 5f834a047a579104cd2589ce417c580c1c5388d3..548ee74f561c474854c049726c4c3e71da5cbbea 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h @@ -64,6 +64,7 @@ #include sss_nss_idmap.h #define EXOP_EXTDOM_OID 2.16.840.1.113730.3.8.10.4 +#define EXOP_EXTDOM_V2_OID 2.16.840.1.113730.3.8.10.4.1 It's a bit odd that this control is called V1 in the SSSD tree and V2 in the IPA tree. It's not wrong, just strange maybe. you are right, I renamed the versions here. -int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, - struct extdom_res **res) +int check_request(struct extdom_req *req, enum extdom_version version) +{
Re: [Freeipa-devel] [PATCH 130] extdom: add support for new version
On Mon, Sep 29, 2014 at 06:15:21PM +0200, Sumit Bose wrote: On Thu, Sep 25, 2014 at 01:46:00PM +0200, Sumit Bose wrote: On Wed, Sep 24, 2014 at 03:23:54PM +0200, Jakub Hrozek wrote: On Tue, Sep 23, 2014 at 05:11:01PM +0200, Sumit Bose wrote: Hi, this patch should fix https://fedorahosted.org/freeipa/ticket/4031 and with the corresponding SSSD part it would be possible to get the full list of group memberships with the id command even for user who didn't log in before. bye, Sumit So far I only read the patch, no testing was done yet (I'm installing a separate VM where I'll keep this new plugin for easy comparison and backwards-compatibility testing) Thank you for the review, please see comments below. First, there are some Coverity warnings: Error: USE_AFTER_FREE (CWE-825): freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:242: alias: Assigning: groups = new_groups. Now both point to the same storage. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:246: freed_arg: free(void *) frees groups. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:252: use_after_free: Using freed pointer groups. fixed Error: CONSTANT_EXPRESSION_RESULT (CWE-398): freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:596: missing_parentheses: !id_type != SSS_ID_TYPE_GID is always true regardless of the values of its operands. Did you intend to either negate the entire comparison expression, in which case parentheses would be required around the entire comparison expression to force that interpretation, or negate the sense of the comparison (that is, use '==' rather than '!=')? This occurs as the logical second operand of '||'. fixed Error: DEADCODE (CWE-561): freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:594: cond_cannot_single: Condition request_type == 1U, taking false branch. 
Now the value of request_type cannot be equal to 1. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:594: cond_cannot_set: Condition request_type == 3U, taking false branch. Now the value of request_type cannot be equal to any of {1, 3}. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:606: cannot_set: At condition request_type == 1U, the value of request_type cannot be equal to any of {1, 3}. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:606: dead_error_condition: The condition request_type == 1U cannot be true. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:607: dead_error_line: Execution cannot reach this statement ret = pack_ber_sid(sid_str, I think this is a result of the CONSTANT_EXPRESSION_RESULT issue, since I fixed it this warning should be gone as well. See some comments inline. From 23ff38cdea85995b211e73f474bcb4b0d7fb8039 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 23 Sep 2014 15:55:43 +0200 Subject: [PATCH] extdom: add support for new version Currently the extdom plugin is basically used to translate SIDs of AD users and groups to names and POSIX IDs. With this patch a new version is added which will return the full member list for groups and the full list of group memberships for a user. Additionally the gecos field, the home directory and the login shell of a user are returned and an optional list of key-value pairs which currently will contain the SID of the requested object if available. https://fedorahosted.org/freeipa/ticket/4031 --- .../ipa-extdom-extop/ipa_extdom.h | 29 +- .../ipa-extdom-extop/ipa_extdom_common.c | 850 +++-- .../ipa-extdom-extop/ipa_extdom_extop.c| 28 +- 3 files changed, 640 insertions(+), 267 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h index 5f834a047a579104cd2589ce417c580c1c5388d3..548ee74f561c474854c049726c4c3e71da5cbbea 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h @@ -64,6 +64,7 @@ #include sss_nss_idmap.h #define EXOP_EXTDOM_OID 2.16.840.1.113730.3.8.10.4 +#define EXOP_EXTDOM_V2_OID 2.16.840.1.113730.3.8.10.4.1 It's a bit odd that this control is called V1 in the SSSD tree and V2 in the IPA tree. It's not wrong, just strange maybe. you are right, I renamed the versions here. -int handle_request(struct
Re: [Freeipa-devel] [PATCH 130] extdom: add support for new version
On Mon, Sep 29, 2014 at 06:16:30PM +0200, Sumit Bose wrote: Hi, Jakub found another issue which is fixed with this new version. bye, Sumit and now with patch ... Thank you, ACK
Re: [Freeipa-devel] [PATCH 130] extdom: add support for new version
On Wed, Sep 24, 2014 at 03:23:54PM +0200, Jakub Hrozek wrote: On Tue, Sep 23, 2014 at 05:11:01PM +0200, Sumit Bose wrote: Hi, this patch should fix https://fedorahosted.org/freeipa/ticket/4031 and with the corresponding SSSD part it would be possible to get the full list of group memberships with the id command even for user who didn't log in before. bye, Sumit So far I only read the patch, no testing was done yet (I'm installing a separate VM where I'll keep this new plugin for easy comparison and backwards-compatibility testing) Thank you for the review, please see comments below. First, there are some Coverity warnings: Error: USE_AFTER_FREE (CWE-825): freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:242: alias: Assigning: groups = new_groups. Now both point to the same storage. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:246: freed_arg: free(void *) frees groups. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:252: use_after_free: Using freed pointer groups. fixed Error: CONSTANT_EXPRESSION_RESULT (CWE-398): freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:596: missing_parentheses: !id_type != SSS_ID_TYPE_GID is always true regardless of the values of its operands. Did you intend to either negate the entire comparison expression, in which case parentheses would be required around the entire comparison expression to force that interpretation, or negate the sense of the comparison (that is, use '==' rather than '!=')? This occurs as the logical second operand of '||'. fixed Error: DEADCODE (CWE-561): freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:594: cond_cannot_single: Condition request_type == 1U, taking false branch. Now the value of request_type cannot be equal to 1. 
freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:594: cond_cannot_set: Condition request_type == 3U, taking false branch. Now the value of request_type cannot be equal to any of {1, 3}. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:606: cannot_set: At condition request_type == 1U, the value of request_type cannot be equal to any of {1, 3}. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:606: dead_error_condition: The condition request_type == 1U cannot be true. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:607: dead_error_line: Execution cannot reach this statement ret = pack_ber_sid(sid_str, I think this is a result of the CONSTANT_EXPRESSION_RESULT issue, since I fixed it this warning should be gone as well. See some comments inline. From 23ff38cdea85995b211e73f474bcb4b0d7fb8039 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 23 Sep 2014 15:55:43 +0200 Subject: [PATCH] extdom: add support for new version Currently the extdom plugin is basically used to translate SIDs of AD users and groups to names and POSIX IDs. With this patch a new version is added which will return the full member list for groups and the full list of group memberships for a user. Additionally the gecos field, the home directory and the login shell of a user are returned and an optional list of key-value pairs which currently will contain the SID of the requested object if available. https://fedorahosted.org/freeipa/ticket/4031 --- .../ipa-extdom-extop/ipa_extdom.h | 29 +- .../ipa-extdom-extop/ipa_extdom_common.c | 850 +++-- .../ipa-extdom-extop/ipa_extdom_extop.c| 28 +- 3 files changed, 640 insertions(+), 267 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h index 5f834a047a579104cd2589ce417c580c1c5388d3..548ee74f561c474854c049726c4c3e71da5cbbea 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h @@ -64,6 +64,7 @@ #include sss_nss_idmap.h #define EXOP_EXTDOM_OID 2.16.840.1.113730.3.8.10.4 +#define EXOP_EXTDOM_V2_OID 2.16.840.1.113730.3.8.10.4.1 It's a bit odd that this control is called V1 in the SSSD tree and V2 in the IPA tree. It's not wrong, just strange maybe. you are right, I renamed the versions here. -int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, - struct extdom_res **res) +int check_request(struct extdom_req *req, enum extdom_version version) +{ +if (version == EXTDOM_V1) { +if (req-request_type == REQ_FULL_WITH_GROUPS) { +return LDAP_PROTOCOL_ERROR; +} +} Any
Re: [Freeipa-devel] [PATCH 130] extdom: add support for new version
On Tue, Sep 23, 2014 at 05:11:01PM +0200, Sumit Bose wrote: Hi, this patch should fix https://fedorahosted.org/freeipa/ticket/4031 and with the corresponding SSSD part it would be possible to get the full list of group memberships with the id command even for user who didn't log in before. bye, Sumit So far I only read the patch, no testing was done yet (I'm installing a separate VM where I'll keep this new plugin for easy comparison and backwards-compatibility testing) First, there are some Coverity warnings: Error: USE_AFTER_FREE (CWE-825): freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:242: alias: Assigning: groups = new_groups. Now both point to the same storage. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:246: freed_arg: free(void *) frees groups. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:252: use_after_free: Using freed pointer groups. Error: CONSTANT_EXPRESSION_RESULT (CWE-398): freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:596: missing_parentheses: !id_type != SSS_ID_TYPE_GID is always true regardless of the values of its operands. Did you intend to either negate the entire comparison expression, in which case parentheses would be required around the entire comparison expression to force that interpretation, or negate the sense of the comparison (that is, use '==' rather than '!=')? This occurs as the logical second operand of '||'. Error: DEADCODE (CWE-561): freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:594: cond_cannot_single: Condition request_type == 1U, taking false branch. Now the value of request_type cannot be equal to 1. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:594: cond_cannot_set: Condition request_type == 3U, taking false branch. Now the value of request_type cannot be equal to any of {1, 3}. 
freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:606: cannot_set: At condition request_type == 1U, the value of request_type cannot be equal to any of {1, 3}. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:606: dead_error_condition: The condition request_type == 1U cannot be true. freeipa-4.0.0GIT2563ea2/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c:607: dead_error_line: Execution cannot reach this statement ret = pack_ber_sid(sid_str, See some comments inline. From 23ff38cdea85995b211e73f474bcb4b0d7fb8039 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 23 Sep 2014 15:55:43 +0200 Subject: [PATCH] extdom: add support for new version Currently the extdom plugin is basically used to translate SIDs of AD users and groups to names and POSIX IDs. With this patch a new version is added which will return the full member list for groups and the full list of group memberships for a user. Additionally the gecos field, the home directory and the login shell of a user are returned and an optional list of key-value pairs which currently will contain the SID of the requested object if available. https://fedorahosted.org/freeipa/ticket/4031 --- .../ipa-extdom-extop/ipa_extdom.h | 29 +- .../ipa-extdom-extop/ipa_extdom_common.c | 850 +++-- .../ipa-extdom-extop/ipa_extdom_extop.c| 28 +- 3 files changed, 640 insertions(+), 267 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h index 5f834a047a579104cd2589ce417c580c1c5388d3..548ee74f561c474854c049726c4c3e71da5cbbea 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
@@ -64,6 +64,7 @@ #include sss_nss_idmap.h #define EXOP_EXTDOM_OID 2.16.840.1.113730.3.8.10.4 +#define EXOP_EXTDOM_V2_OID 2.16.840.1.113730.3.8.10.4.1 It's a bit odd that this control is called V1 in the SSSD tree and V2 in the IPA tree. It's not wrong, just strange maybe. #define IPA_EXTDOM_PLUGIN_NAME ipa-extdom-extop #define IPA_EXTDOM_FEATURE_DESC IPA trusted domain ID mapper @@ -71,6 +72,11 @@ #define IPA_PLUGIN_NAME IPA_EXTDOM_PLUGIN_NAME +enum extdom_version { +EXTDOM_V1 = 1, +EXTDOM_V2 +}; + enum input_types { INP_SID = 1, INP_NAME, @@ -80,14 +86,17 @@ enum input_types { enum request_types { REQ_SIMPLE = 1, -REQ_FULL +REQ_FULL, +REQ_FULL_WITH_GROUPS }; enum response_types { RESP_SID = 1, RESP_NAME, RESP_USER, -RESP_GROUP +RESP_GROUP, +RESP_USER_GROUPLIST, +RESP_GROUP_MEMBERS }; struct extdom_req { @@ -123,11 +132,18 @@ struct extdom_res { char *user_name; uid_t uid;
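The CONSTANT_EXPRESSION_RESULT and DEADCODE findings quoted in the review above, as an added example that is not code from the patch or from FreeIPA: `!` binds tighter than `!=`, so `!id_type != SSS_ID_TYPE_GID` compares 0 or 1 against the enum constant, the guard never lets a request through, and everything behind it becomes unreachable. The local `id_type` enum values, the guard condition and all function names are assumptions made for the illustration; the real condition at ipa_extdom_common.c:596 is not shown in the thread.

```c
#include <stdio.h>

/* Request types as they appear in the patch under review. */
enum request_types { REQ_SIMPLE = 1, REQ_FULL, REQ_FULL_WITH_GROUPS };

/* Local stand-in for enum sss_id_type. The numeric values are an assumption
 * of this example; what matters is that the GID constant is neither 0 nor 1. */
enum id_type { ID_NOT_SPECIFIED = 0, ID_UID, ID_GID, ID_BOTH };

/* Hypothetical guard: reject unknown request types and non-group objects.
 * Returns 1 when the request must be rejected. */
int reject_buggy(int request_type, int id_type)
{
    /* "!id_type != ID_GID" parses as "(!id_type) != ID_GID".
     * Written in two steps here so the evaluation order is visible. */
    int negated = !id_type;                 /* always 0 or 1 */
    return request_type > REQ_FULL_WITH_GROUPS || negated != ID_GID;
}

/* Corrected guard: negate the sense of the comparison, not its left operand. */
int reject_fixed(int request_type, int id_type)
{
    return request_type > REQ_FULL_WITH_GROUPS || id_type != ID_GID;
}

typedef int (*guard_fn)(int request_type, int id_type);

/* Hypothetical handler. The code after the guard is what a static analyzer
 * reports as dead when the guard can never evaluate to false.
 * Returns 0 when a response would be packed, -1 when the request is rejected. */
int handle(guard_fn reject, int request_type, int id_type)
{
    if (reject(request_type, id_type)) {
        return -1;
    }
    return 0;   /* stands in for packing the group response */
}

/* Count how many (request type, id type) pairs get past the guard. */
int count_accepted(guard_fn reject)
{
    int accepted = 0;
    for (int rt = REQ_SIMPLE; rt <= REQ_FULL_WITH_GROUPS; rt++) {
        for (int t = ID_NOT_SPECIFIED; t <= ID_BOTH; t++) {
            if (handle(reject, rt, t) == 0) {
                accepted++;
            }
        }
    }
    return accepted;
}

int main(void)
{
    printf("buggy guard accepts %d of 12 combinations\n",
           count_accepted(reject_buggy));
    printf("fixed guard accepts %d of 12 combinations\n",
           count_accepted(reject_fixed));
    return 0;
}
```
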
[Freeipa-devel] [PATCH 130] extdom: add support for new version
Hi, this patch should fix https://fedorahosted.org/freeipa/ticket/4031 and with the corresponding SSSD part it would be possible to get the full list of group memberships with the id command even for user who didn't log in before. bye, Sumit From 23ff38cdea85995b211e73f474bcb4b0d7fb8039 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 23 Sep 2014 15:55:43 +0200 Subject: [PATCH] extdom: add support for new version Currently the extdom plugin is basically used to translate SIDs of AD users and groups to names and POSIX IDs. With this patch a new version is added which will return the full member list for groups and the full list of group memberships for a user. Additionally the gecos field, the home directory and the login shell of a user are returned and an optional list of key-value pairs which currently will contain the SID of the requested object if available. https://fedorahosted.org/freeipa/ticket/4031 --- .../ipa-extdom-extop/ipa_extdom.h | 29 +- .../ipa-extdom-extop/ipa_extdom_common.c | 850 +++-- .../ipa-extdom-extop/ipa_extdom_extop.c| 28 +- 3 files changed, 640 insertions(+), 267 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h index 5f834a047a579104cd2589ce417c580c1c5388d3..548ee74f561c474854c049726c4c3e71da5cbbea 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h @@ -64,6 +64,7 @@ #include sss_nss_idmap.h #define EXOP_EXTDOM_OID 2.16.840.1.113730.3.8.10.4 +#define EXOP_EXTDOM_V2_OID 2.16.840.1.113730.3.8.10.4.1 #define IPA_EXTDOM_PLUGIN_NAME ipa-extdom-extop #define IPA_EXTDOM_FEATURE_DESC IPA trusted domain ID mapper @@ -71,6 +72,11 @@ #define IPA_PLUGIN_NAME IPA_EXTDOM_PLUGIN_NAME +enum extdom_version { +EXTDOM_V1 = 1, +EXTDOM_V2 +}; + enum input_types { INP_SID = 1, INP_NAME, 
@@ -80,14 +86,17 @@ enum input_types { enum request_types { REQ_SIMPLE = 1, -REQ_FULL +REQ_FULL, +REQ_FULL_WITH_GROUPS }; enum response_types { RESP_SID = 1, RESP_NAME, RESP_USER, -RESP_GROUP +RESP_GROUP, +RESP_USER_GROUPLIST, +RESP_GROUP_MEMBERS }; struct extdom_req { @@ -123,11 +132,18 @@ struct extdom_res { char *user_name; uid_t uid; gid_t gid; +char *gecos; +char *home; +char *shell; +size_t ngroups; +char **groups; } user; struct { char *domain_name; char *group_name; gid_t gid; +size_t nmembers; +char **members; } group; } data; }; @@ -150,15 +166,14 @@ struct pwd_grp { struct passwd pwd; struct group grp; } data; +int ngroups; +gid_t *groups; }; int parse_request_data(struct berval *req_val, struct extdom_req **_req); void free_req_data(struct extdom_req *req); +int check_request(struct extdom_req *req, enum extdom_version version); int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, - struct extdom_res **res); -int create_response(struct extdom_req *req, struct pwd_grp *pg_data, -const char *sid_str, enum sss_id_type id_type, -const char *domain_name, struct extdom_res **_res); -void free_resp_data(struct extdom_res *res); + struct berval **berval); int pack_response(struct extdom_res *res, struct berval **ret_val); #endif /* _IPA_EXTDOM_H_ */ diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 025d37dc5eda05c8db43d4e8176fd7898ed32fe7..5c1ae79c818676c3660d5cd5b8ca5515a4f0f18d 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -70,6 +70,7 @@ int parse_request_data(struct berval *req_val, struct extdom_req **_req) *requestType ENUMERATED { *simple (1), *full (2) + *full_with_groups (3) *}, *data InputData * } 
@@ -179,23 +180,23 @@ void free_req_data(struct extdom_req *req) free(req); } -int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req, - struct extdom_res **res) +int check_request(struct extdom_req *req, enum extdom_version version) +{ +if (version == EXTDOM_V1) { +if (req-request_type == REQ_FULL_WITH_GROUPS) { +return LDAP_PROTOCOL_ERROR; +} +} + +return LDAP_SUCCESS; +} + +static int get_buffer(size_t *_buf_len, char **_buf) { -int ret; -char *domain_name = NULL; -char *sid_str = NULL; -size_t buf_len; -char *buf = NULL; long pw_max; long gr_max; -struct pwd_grp pg_data; -
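Review bot: in the `@@ -80,14 +86,17 @@` hunk of ipa_extdom.h, `REQ_FULL_WITH_GROUPS`, `RESP_USER_GROUPLIST` and `RESP_GROUP_MEMBERS` take their numeric values only from their position in the enum, although the request type is a wire value (the ASN.1 comment in ipa_extdom_common.c lists `full_with_groups (3)`). Assigning the values explicitly, for example `REQ_FULL_WITH_GROUPS = 3`, keeps a later insertion or reordering from silently changing the protocol; the same applies to the response types if they are encoded in the reply.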
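Review bot: the new fields in the `@@ -123,11 +132,18 @@` hunk (`char *gecos`, `home`, `shell`, `char **groups`, `char **members`) carry no comment on ownership or termination. It is not clear from the header whether the strings are copies or point into the passwd/group buffer, or whether the arrays are NULL-terminated or bounded only by `ngroups` / `nmembers`. Since the following hunk drops the `free_resp_data()` prototype while `pack_response()` still takes a `struct extdom_res`, a short comment naming where these fields are released would make the cleanup path reviewable.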
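Review bot: the `@@ -150,15 +166,14 @@` hunk adds `int ngroups` to `struct pwd_grp`, while the matching counter in `struct extdom_res` is `size_t ngroups`. Wherever the signed count is copied into the unsigned one, or used as an allocation size or loop bound, a negative value has to be rejected first; a comment on the field stating the valid range would help. The new `struct berval **berval` out-parameter of `handle_request()` also needs a note on who frees it.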
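Review bot: the ASN.1 comment in the `@@ -70,6 +70,7 @@` hunk of ipa_extdom_common.c is no longer well-formed, because `full (2)` needs a trailing comma now that `full_with_groups (3)` follows it. It would also be worth stating in that comment that value 3 is only accepted for the new OID, since that restriction is otherwise visible only in `check_request()`.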
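Review bot: `check_request()` in the `@@ -179,23 +180,23 @@` hunk is written as a deny-list: it rejects only `REQ_FULL_WITH_GROUPS` under `EXTDOM_V1` and returns `LDAP_SUCCESS` for every other combination, including a `version` that is neither enum value and a `request_type` outside the enum. Unless `parse_request_data()` already bounds `request_type`, an allow-list per version (V1: `REQ_SIMPLE` and `REQ_FULL`; V2: all three; anything else `LDAP_PROTOCOL_ERROR`) would fail closed and keep the check correct when a further request type is added.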