On Wed, 29 Oct 2014, thierry bordaz wrote:
The patches fixed the test case in
https://bugzilla.redhat.com/show_bug.cgi?id=1157989.
Few comments regarding the patch:
* in backend_search_cb, it checks if the search is in one of the
container. We need that cbdata.answer=FALSE at the end of the checking.
Why not setting it systematically at the end.
I've moved it to the end of the block.
* in backend_locate, 'target' is a duplicate of cbdata.target. But
then when calling idview_replace_target_dn it may be changed.
Will not it lead to a leak ?
Good catch, thanks!
Fixed version attached.
--
/ Alexander Bokovoy
From 79391fda05fba164af577bd0e08a2807643b7b48 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Tue, 28 Oct 2014 10:09:47 +0200
Subject: [PATCH 1/2] ID views: ignore searches for views outside the subtrees
of schema-compat sets
schema-compat plugin may provide multiple disjoint subtrees which
can be used to request overridden entries by prefixing the subtree
suffix with a
cn=,cn=views,
As subtrees may be disjoint, we cannot rely on the common suffix. Thus,
any attempt to replace target DN and update filter terms must only be
done once we are sure the search will be done in the subtree.
This optimization prevents mistakenly changing the search filter when
FreeIPA and SSSD search for the ID overrides themselves, as the same
structure of the target DN is used for cn=views,cn=accounts,$SUFFIX
subtree in FreeIPA. This subtree is never handled by slapi-nis and
should be ignored.
https://bugzilla.redhat.com/show_bug.cgi?id=1157989
---
src/back-sch-idview.c | 11 +--
src/back-sch.c| 81 +--
2 files changed, 81 insertions(+), 11 deletions(-)
diff --git a/src/back-sch-idview.c b/src/back-sch-idview.c
index 5a2b450..a56a9e9 100644
--- a/src/back-sch-idview.c
+++ b/src/back-sch-idview.c
@@ -334,6 +334,10 @@ idview_process_filter_cb(Slapi_Filter *filter, const char
*filter_type, struct b
slapi_ber_bvdone(bval);
slapi_ber_bvcpy(bval,
slapi_value_get_berval(anchor_val));
config->override_found = TRUE;
+
slapi_log_error(SLAPI_LOG_PLUGIN, cbdata->state->plugin_desc->spd_id,
+ "Overriding the
filter %s with %s=%*s from the override %s\n.",
+ filter_type,
filter_type, bval->bv_len, bval->bv_val,
+
slapi_entry_get_dn_const(cbdata->overrides[i]));
break;
}
}
@@ -346,6 +350,11 @@ idview_process_filter_cb(Slapi_Filter *filter, const char
*filter_type, struct b
slapi_ber_bvdone(bval);
slapi_ber_bvcpy(bval,
slapi_value_get_berval(anchor_val));
config->override_found = TRUE;
+ slapi_log_error(SLAPI_LOG_PLUGIN,
cbdata->state->plugin_desc->spd_id,
+ "Overriding the filter
%s with %s=%*s from the override %s\n.",
+ filter_type,
IPA_IDVIEWS_ATTR_ANCHORUUID,
+ bval->bv_len,
bval->bv_val,
+
slapi_entry_get_dn_const(cbdata->overrides[i]));
break;
}
@@ -366,8 +375,6 @@ idview_process_filter_cb(Slapi_Filter *filter, const char
*filter_type, struct b
*
* Note that in reality we don't use original value of the uid/cn attribue.
Instead, we use ipaAnchorUUID
* to refer to the original entry. */
-extern char *
-slapi_filter_to_string( const struct slapi_filter *f, char *buf, size_t
bufsize );
void
idview_replace_filter(struct backend_search_cbdata *cbdata)
{
diff --git a/src/back-sch.c b/src/back-sch.c
index 27d5101..27ac24f 100644
--- a/src/back-sch.c
+++ b/src/back-sch.c
@@ -1166,6 +1166,44 @@ backend_search_set_cb(const char *group, const char
*set, bool_t flag,
return TRUE;
}
+/* Routines to search if a target DN is within any of the sets we handle */
+static bool_t
+backend_search_find_set_dn_in_group_cb(const char *group, const char *set,
bool_t flag,
+void *backend_data, void *cb_data)
+{
+ struct backend_search_cbdata *cbdata;
+ struct backend_set_data *set_data;
+
+ cbdata = cb_data;
+ set_data = backend_data;
+
+ if (slapi_sdn_scope_test(cbdata->target_dn,
+set_data->container_sd