URL: https://github.com/SSSD/sssd/pull/850
Author: pbrezina
Title: #850: sudo: use proper datetime for default modifyTimestamp value
Action: synchronized
To pull the PR as a Git branch:

    git remote add ghsssd https://github.com/SSSD/sssd
    git fetch ghsssd pull/850/head:pr850
    git checkout pr850
From 756ae9d4ee36744b91ad9a5e076a3e4c96bec5f7 Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrez...@redhat.com>
Date: Wed, 17 Jul 2019 11:57:23 +0200
Subject: [PATCH] sudo: use proper datetime for default modifyTimestamp value

The current default was simply "1"; however, the OpenLDAP server was unable to compare the modifyTimestamp attribute to a simple number. A proper datetime is required by OpenLDAP. It worked correctly on 389-ds.

Steps to reproduce:
1. install openldap server
2. run sssd
3. there are no sudo rules on the server and there are no cached objects
4. you'll see in the logs that sudo smart refresh uses the `(&(&(objectclass=sudoRole)(modifyTimestamp>=1))...` filter (`1` instead of a proper datetime value)

The minimum value accepted by OpenLDAP is 00000101000000Z, as neither month nor day can be zero.

Resolves: https://pagure.io/SSSD/sssd/issue/4046

--- src/providers/ldap/sdap_sudo_shared.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c index a00d8e6a92..251584024c 100644 --- a/src/providers/ldap/sdap_sudo_shared.c +++ b/src/providers/ldap/sdap_sudo_shared.c @@ -127,11 +127,24 @@ sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx, static char * sdap_sudo_new_usn(TALLOC_CTX *mem_ctx, unsigned long usn, - const char *leftover) + const char *leftover, + bool supports_usn) { const char *str = leftover == NULL ? "" : leftover; char *newusn; + /* This is a fresh start and server uses modifyTimestamp. We need to + * provide proper datetime value. */ + if (!supports_usn && usn == 0) { + newusn = talloc_strdup(mem_ctx, "00000101000000Z"); + if (newusn == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to change USN value (OOM)!\n"); + return NULL; + } + + return newusn; + } + /* We increment USN number so that we can later use simplify filter * (just usn >= last+1 instead of usn >= last && usn != last). */
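Review bot: the rationale for the literal in `newusn = talloc_strdup(mem_ctx, "00000101000000Z");` (OpenLDAP rejects a zero month or day, so 00000000000000Z is not usable) exists only in the commit message; the code comment above the new branch just says "fresh start", so please move that reason into the comment and consider a named constant for the literal, since the next reader will wonder why the default is January 1st of year 0000 and not all zeros. The new branch also relies on `usn == 0` meaning "nothing stored yet" and returns before `leftover` is looked at; both are fine for a first run, but stating them in the comment would keep a later caller from expecting the suffix of a stored timestamp to be preserved on this path.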
@@ -182,7 +195,8 @@ sdap_sudo_set_usn(struct sdap_server_opts *srv_opts, srv_opts->last_usn = usn_number; } - newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, endptr); + newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, endptr, + srv_opts->supports_usn); if (newusn == NULL) { return; }
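Review bot: with `srv_opts->supports_usn` now passed through, the datetime default fires only if `srv_opts->last_usn` is still 0 after the `srv_opts->last_usn = usn_number;` assignment in the context above, so 0 is overloaded as "no value stored" for both USN and modifyTimestamp servers without that contract being written down at the call site. A one-line comment here (or an explicit first-run flag instead of the sentinel) would make it visible; note also that the existing `if (newusn == NULL) { return; }` keeps the previous marker silently on allocation failure, with only the SSSDBG_MINOR_FAILURE message inside sdap_sudo_new_usn recording why.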
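The filter problem the commit message describes, as an added worked example written for this page (Python, not SSSD code): a simplified RFC 4517 GeneralizedTime check that rejects the old default `1` and accepts `00000101000000Z`, plus a small reimplementation of the marker strategy the patch uses (increment the numeric prefix so the filter can use `>=` alone, keep whatever followed the digits, and fall back to the minimum datetime on a fresh start when the server has no USN support). The attribute name `entryUSN` for the USN case, the function names and the sample values are assumptions of this example, not taken from the page.

```python
import re
from typing import Optional

# Simplified check for the LDAP GeneralizedTime syntax (RFC 4517, section 3.3.13):
# YYYYMMDDHH[MM[SS]][fraction](Z | +HHMM | -HHMM).  Constructed for this example;
# it does not model every corner of the grammar (e.g. where a fraction may appear).
_GENTIME = re.compile(
    r"^(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2})(?P<hour>\d{2})"
    r"(?:(?P<minute>\d{2})(?P<second>\d{2})?)?"
    r"(?:[.,]\d+)?"
    r"(?P<tz>Z|[+-]\d{2}(?:\d{2})?)$"
)

# Smallest value that still satisfies the syntax: month and day may not be zero,
# which is why the patch uses 00000101000000Z rather than all zeros.
MIN_GENERALIZED_TIME = "00000101000000Z"


def is_generalized_time(value: str) -> bool:
    """Return True if value is a syntactically valid GeneralizedTime."""
    m = _GENTIME.match(value)
    if m is None:
        return False
    if not 1 <= int(m["month"]) <= 12 or not 1 <= int(m["day"]) <= 31:
        return False
    if int(m["hour"]) > 23:
        return False
    if m["minute"] is not None and int(m["minute"]) > 59:
        return False
    if m["second"] is not None and int(m["second"]) > 60:  # 60 allows a leap second
        return False
    return True


def next_refresh_marker(last: Optional[str], supports_usn: bool) -> str:
    """Compute the value placed after '>=' in the smart-refresh filter.

    Mirrors the approach visible in the patch: keep the numeric prefix, add 1,
    and re-append the remainder (the 'Z' of a timestamp).  With no stored value
    and no USN support, use the minimum GeneralizedTime instead of "1".
    """
    if not last:
        if supports_usn:
            return "1"  # USNs are plain integers: 0 + 1
        return MIN_GENERALIZED_TIME
    m = re.match(r"^(\d+)(.*)$", last)
    if m is None:
        raise ValueError(f"unparseable marker: {last!r}")
    number, leftover = int(m.group(1)), m.group(2)
    return f"{number + 1}{leftover}"


def smart_refresh_filter(last: Optional[str], supports_usn: bool) -> str:
    """Build the sudo smart-refresh filter for the stored marker.

    'entryUSN' is assumed here as the USN attribute name; the modifyTimestamp
    branch refuses to emit a value OpenLDAP would not accept.
    """
    attr = "entryUSN" if supports_usn else "modifyTimestamp"
    marker = next_refresh_marker(last, supports_usn)
    if not supports_usn and not is_generalized_time(marker):
        raise ValueError(f"{marker!r} is not a GeneralizedTime; OpenLDAP rejects it")
    return f"(&(objectclass=sudoRole)({attr}>={marker}))"


if __name__ == "__main__":
    # Constructed sample values: a fresh start without USN support, and a
    # second refresh after a timestamp has been stored.
    print(smart_refresh_filter(None, supports_usn=False))
    print(smart_refresh_filter("20190717095723Z", supports_usn=False))
    print(smart_refresh_filter("4711", supports_usn=True))
```

On a fresh start the modifyTimestamp branch now yields `(&(objectclass=sudoRole)(modifyTimestamp>=00000101000000Z))` instead of the `>=1` filter from the reproduction steps, and the check in `smart_refresh_filter` is the place to fail loudly rather than let the server reject the search.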
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org