Re: [Freeipa-devel] [PATCH] slapi-nis: normalize memberUid search filter term for AD users

2014-10-20 Thread Alexander Bokovoy

On Sun, 19 Oct 2014, Jakub Hrozek wrote:
> On Thu, Oct 09, 2014 at 02:01:16PM +0300, Alexander Bokovoy wrote:
>> Hi,
>>
>> memberUid attribute has case-sensitive comparison defined but when we
>> construct memberUid for AD users (coming through SSSD), they are
>> normalized to lower case. Interestingly enough, 'uid' attribute has
>> case-insensitive comparison.
>>
>> Work around the issue by low-casing the memberUid search term value when
>> it is a fully-qualified name (user@domain), meaning we do ask for a SSSD
>> user.
>>
>> This is the patch on top of my ID views support patch.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1130131
>> --
>> / Alexander Bokovoy
>
> The code reads good to me and passed some basic sanity testing... however,
> I've been unable to reproduce the issue, so I'm not sure this counts as
> a full ACK...

Thanks. I've already pushed the patch to slapi-nis and released 0.54
last week.

To reproduce the issue you just need to have an AD group with an AD user
searched in the compat tree with
'(&(objectclass=posixgroup)(cn=Domain Admins@AD.DOMAIN))'
and then search by memberUid with a case different from what is there,
i.e. '(&(objectclass=posixgroup)(memberUid=Administrator@AD.DOMAIN))' --
given that memberUid will be set to a normalized name, administrator@ad.domain,
the search will fail because memberUid comparison rule is case-sensitive
in RFC2307 schema.
--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] slapi-nis: normalize memberUid search filter term for AD users

2014-10-19 Thread Jakub Hrozek

On Thu, Oct 09, 2014 at 02:01:16PM +0300, Alexander Bokovoy wrote:
> Hi,
>
> memberUid attribute has case-sensitive comparison defined but when we
> construct memberUid for AD users (coming through SSSD), they are
> normalized to lower case. Interestingly enough, 'uid' attribute has
> case-insensitive comparison.
>
> Work around the issue by low-casing the memberUid search term value when
> it is a fully-qualified name (user@domain), meaning we do ask for a SSSD
> user.
>
> This is the patch on top of my ID views support patch.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1130131
> --
> / Alexander Bokovoy

The code reads good to me and passed some basic sanity testing... however,
I've been unable to reproduce the issue, so I'm not sure this counts as
a full ACK...



[Freeipa-devel] [PATCH] slapi-nis: normalize memberUid search filter term for AD users

2014-10-09 Thread Alexander Bokovoy

Hi,

memberUid attribute has case-sensitive comparison defined but when we
construct memberUid for AD users (coming through SSSD), they are
normalized to lower case. Interestingly enough, 'uid' attribute has
case-insensitive comparison.

Work around the issue by low-casing the memberUid search term value when
it is a fully-qualified name (user@domain), meaning we do ask for a SSSD
user.

This is the patch on top of my ID views support patch.

https://bugzilla.redhat.com/show_bug.cgi?id=1130131
--
/ Alexander Bokovoy
From e90135b7a477d15c4349e7d46e4cbf2730a66d71 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Thu, 9 Oct 2014 13:52:38 +0300
Subject: [PATCH 2/2] slapi-nis: normalize memberUid search filter when
 searching AD users

memberUid attribute uses IA5 String comparison which is case-sensitive.
At the same time, uid attribute uses case-insensitive comparison.

When memberUid is constructed for groups from AD, SSSD normalizes names
to lower case. slapi-nis records these entries as they are produced by SSSD.
However, the search filter is not modified, thus case-sensitive comparison
of memberUid attribute may fail to match the original term.

Work around the issue by low-casing memberUid term in the search filter
if it includes '@' sign, meaning we are searching on fully-qualified user
name provided by SSSD.

https://bugzilla.redhat.com/show_bug.cgi?id=1130131
---
 src/back-sch-nss.c | 35 ---
 1 file changed, 32 insertions(+), 3 deletions(-)

diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
index 26d4b8c..12ae589 100644
--- a/src/back-sch-nss.c
+++ b/src/back-sch-nss.c
@@ -60,7 +60,7 @@ bvstrprefix(const struct berval *bval, const char *s)
 
len = strlen(s);
if (len  bval-bv_len) {
-   return strncasecmp(bval-bv_val, s, len) != 0;
+   return slapi_utf8ncasecmp((unsigned char *) bval-bv_val, 
(unsigned char *) s, len) != 0;
}
 
return 1;
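
Review bot: in bvstrprefix the third argument is still len = strlen(s), a byte count, while the buffer being compared is a berval value that the memberUid hunk further down copies and NUL-terminates before treating it as a string. Please confirm that slapi_utf8ncasecmp bounds its read of bv_val by that byte count the way strncasecmp did; if it counts UTF-8 characters or expects NUL-terminated input, a value with multi-byte characters could be compared past the intended prefix. A one-line comment stating the unit of len would settle it for later readers.
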
@@ -75,9 +75,9 @@ bvstrcasecmp(const struct berval *bval, const char *s)
 
len = strlen(s);
if (len == bval-bv_len) {
-   return strncasecmp(bval-bv_val, s, len);
+   return slapi_utf8ncasecmp((unsigned char *) bval-bv_val, 
(unsigned char *) s, len);
}
-   c = strncasecmp(bval-bv_val, s, MIN(bval-bv_len, len));
+   c = slapi_utf8ncasecmp((unsigned char *) bval-bv_val, (unsigned char 
*) s, MIN(bval-bv_len, len));
if (c != 0) {
return c;
}
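
Review bot: the unequal-length branch of bvstrcasecmp passes the MIN(...) of the two byte lengths, which can end in the middle of a multi-byte UTF-8 sequence now that the comparison is UTF-8 aware, and the result c is returned directly as an ordering. Either document that s is always ASCII at the call sites or compare on whole characters, and check that the sign of the slapi_utf8ncasecmp result matches what callers relied on from strncasecmp. The (unsigned char *) casts repeated on all three calls would also read better behind one small static helper.
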
@@ -111,6 +111,35 @@ backend_search_filter_has_cn_uid(Slapi_Filter *filter, 
void *arg)
} else if (0 == strcasecmp(filter_type, cn)) {
config-name_set = TRUE;
} else if (0 == strcasecmp(filter_type, memberUid)) {
+   /* memberUid is case-sensitive in RFC 2307 but uid is 
case-insensitive
+* When memberUid is generated for SSSD-provided 
entries, it is low-cased,
+* we need to low case the filter value to actually 
match it.
+* However, we will do it only for fully qualified 
names as they are coming from SSSD. */
+   char *memberUid = NULL;
+   char *lwMemberUid = NULL;
+   unsigned int i = 0;
+
+   for (i=0; i  bval-bv_len ; i++) {
+   if (bval-bv_val[i] == '@')
+   break;
+   }
+
+   if (i  bval-bv_len) {
+   memberUid = slapi_ch_malloc(bval-bv_len + 1);
+   if (memberUid != NULL) {
+   memcpy(memberUid, bval-bv_val, 
bval-bv_len);
+   memberUid[bval-bv_len] = '\0';
+   lwMemberUid = (char *) 
slapi_utf8StrToLower((unsigned char*) memberUid);
+   if (lwMemberUid != NULL) {
+   struct berval bval_lw = {0, 
NULL};
+   bval_lw.bv_len = strlen((const 
char *) lwMemberUid);
+   bval_lw.bv_val = lwMemberUid;
+   slapi_ber_bvdone(bval);
+   slapi_ber_bvcpy(bval, bval_lw);
+   }
+   slapi_ch_free_string(memberUid);
+   }
+   }
config-name_set = TRUE;
config-search_members = TRUE;
} else if ((0 == strcasecmp(filter_type, objectClass)) 
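
Review bot: lwMemberUid is never released in the memberUid branch: memberUid gets slapi_ch_free_string, but the lowered string returned by slapi_utf8StrToLower is only referenced through bval_lw and then handed to slapi_ber_bvcpy. If slapi_ber_bvcpy duplicates the value, every fully-qualified memberUid search leaks that buffer, so free lwMemberUid after the copy. The branch also rewrites the filter value in place inside backend_search_filter_has_cn_uid, whose name reads as a pure check; the function comment should say that it may normalize the filter, and that the whole value, domain part included, is lowered.
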
-- 
2.1.0
