[SSSD] [sssd PR#13][synchronized] MEMBEROF: Don't resolve members if they are removed

2016-10-14 Thread celestian 
   URL: https://github.com/SSSD/sssd/pull/13
Author: celestian
 Title: #13: MEMBEROF: Don't resolve members if they are removed
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/13/head:pr13
git checkout pr13
From 1b5c97c64c7179da8b324c7aa83767484c5c15ee Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Mon, 12 Sep 2016 15:18:07 +0200
Subject: [PATCH 1/2] LDAP: Removing of member link from group

Resolves:
https://fedorahosted.org/sssd/ticket/2940
---
 src/providers/ldap/sdap_async_groups.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 72760b7..08dfa01 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -878,6 +878,8 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
 size_t nuserdns = 0;
 struct sss_domain_info *group_dom = NULL;
 int ret;
+const char *remove_attrs[] = {SYSDB_MEMBER, SYSDB_ORIG_MEMBER, SYSDB_GHOST,
+  NULL};
 
 if (dom->ignore_group_members) {
 DEBUG(SSSDBG_CRIT_FAILURE,
@@ -962,6 +964,13 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
 if (el->num_values == 0 && nuserdns == 0) {
 DEBUG(SSSDBG_TRACE_FUNC,
   "No members for group [%s]\n", group_name);
+
+ret = sysdb_remove_attrs(group_dom, group_name, SYSDB_MEMBER_GROUP,
+ discard_const(remove_attrs));
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_remove_attrs failed.\n");
+goto fail;
+}
 } else {
 DEBUG(SSSDBG_TRACE_FUNC,
   "Adding member users to group [%s]\n", group_name);

From 28467e4330c500d4149135f49e019e1c6a9ee972 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Fri, 9 Sep 2016 06:28:01 +0200
Subject: [PATCH 2/2] TESTS: Adding intg. tests on nested groups

Resolves:
https://fedorahosted.org/sssd/ticket/2940
---
 src/tests/intg/test_ldap.py | 157 
 1 file changed, 157 insertions(+)

diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index 11792f5..7f0b8ff 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -794,3 +794,160 @@ def test_extra_attribute_already_exists(ldap_conn, extra_attributes):
   user, domain, extra_attribute)
 
 assert val == given_name
+
+
+@pytest.fixture
+def add_user_to_group(request, ldap_conn):
+"""
+Adding user to group
+"""
+ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ent_list.add_user("user1", 1001, 2001)
+ent_list.add_group_bis("group1", 20001, member_uids=["user1"])
+create_ldap_fixture(request, ldap_conn, ent_list)
+create_conf_fixture(request,
+format_rfc2307bis_deref_conf(
+ldap_conn,
+SCHEMA_RFC2307_BIS))
+create_sssd_fixture(request)
+return None
+
+
+def test_add_user_to_group(ldap_conn, add_user_to_group):
+ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
+ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user1")))
+
+
+@pytest.fixture
+def remove_user_from_group(request, ldap_conn):
+"""
+Adding user to group
+"""
+ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ent_list.add_user("user1", 1001, 2001)
+ent_list.add_user("user2", 1002, 2002)
+ent_list.add_group_bis("group1", 20001, member_uids=["user1", "user2"])
+create_ldap_fixture(request, ldap_conn, ent_list)
+create_conf_fixture(request,
+format_rfc2307bis_deref_conf(
+ldap_conn,
+SCHEMA_RFC2307_BIS))
+create_sssd_fixture(request)
+return None
+
+
+def test_remove_user_from_group(ldap_conn, remove_user_from_group):
+"""
+Removing two users from group, step by step
+"""
+group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn
+
+ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
+ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
+ent.assert_group_by_name("group1",
+ dict(mem=ent.contains_only("user1", "user2")))
+
+# removing of user2 from group1
+old = {'member': ["uid=user1,ou=Users,dc=example,dc=com",
+  "uid=user2,ou=Users,dc=example,dc=com"]}
+new = {'member': ["uid=user1,ou=Users,dc=example,dc=com"]}
+
+ldif = ldap.modlist.modifyModlist(old, new)
+ldap_conn.modify_s(group1_dn, ldif)
+
+if subprocess.call(["sss_cache", "-GU"]) != 0:
+raise Exception("sssd_cache failed")
+
+ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
+

[SSSD] [sssd PR#13][synchronized] MEMBEROF: Don't resolve members if they are removed

2016-10-14 Thread celestian 
   URL: https://github.com/SSSD/sssd/pull/13
Author: celestian
 Title: #13: MEMBEROF: Don't resolve members if they are removed
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/13/head:pr13
git checkout pr13
From 4c1632e15d8a35b8d53401a69ab4e3314769fde0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Mon, 12 Sep 2016 15:18:07 +0200
Subject: [PATCH 1/2] LDAP: Removing of member link from group

Co-author: Sumit Bose

Resolves:
https://fedorahosted.org/sssd/ticket/2940
---
 src/providers/ldap/sdap_async_groups.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 72760b7..08dfa01 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -878,6 +878,8 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
 size_t nuserdns = 0;
 struct sss_domain_info *group_dom = NULL;
 int ret;
+const char *remove_attrs[] = {SYSDB_MEMBER, SYSDB_ORIG_MEMBER, SYSDB_GHOST,
+  NULL};
 
 if (dom->ignore_group_members) {
 DEBUG(SSSDBG_CRIT_FAILURE,
@@ -962,6 +964,13 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
 if (el->num_values == 0 && nuserdns == 0) {
 DEBUG(SSSDBG_TRACE_FUNC,
   "No members for group [%s]\n", group_name);
+
+ret = sysdb_remove_attrs(group_dom, group_name, SYSDB_MEMBER_GROUP,
+ discard_const(remove_attrs));
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_remove_attrs failed.\n");
+goto fail;
+}
 } else {
 DEBUG(SSSDBG_TRACE_FUNC,
   "Adding member users to group [%s]\n", group_name);

From b55cc72f0124105cb043856ad608604a951a98d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Fri, 9 Sep 2016 06:28:01 +0200
Subject: [PATCH 2/2] TESTS: Adding intg. tests on nested groups

Resolves:
https://fedorahosted.org/sssd/ticket/2940
---
 src/tests/intg/test_ldap.py | 157 
 1 file changed, 157 insertions(+)

diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index 11792f5..7f0b8ff 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -794,3 +794,160 @@ def test_extra_attribute_already_exists(ldap_conn, extra_attributes):
   user, domain, extra_attribute)
 
 assert val == given_name
+
+
+@pytest.fixture
+def add_user_to_group(request, ldap_conn):
+"""
+Adding user to group
+"""
+ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ent_list.add_user("user1", 1001, 2001)
+ent_list.add_group_bis("group1", 20001, member_uids=["user1"])
+create_ldap_fixture(request, ldap_conn, ent_list)
+create_conf_fixture(request,
+format_rfc2307bis_deref_conf(
+ldap_conn,
+SCHEMA_RFC2307_BIS))
+create_sssd_fixture(request)
+return None
+
+
+def test_add_user_to_group(ldap_conn, add_user_to_group):
+ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
+ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user1")))
+
+
+@pytest.fixture
+def remove_user_from_group(request, ldap_conn):
+"""
+Adding user to group
+"""
+ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ent_list.add_user("user1", 1001, 2001)
+ent_list.add_user("user2", 1002, 2002)
+ent_list.add_group_bis("group1", 20001, member_uids=["user1", "user2"])
+create_ldap_fixture(request, ldap_conn, ent_list)
+create_conf_fixture(request,
+format_rfc2307bis_deref_conf(
+ldap_conn,
+SCHEMA_RFC2307_BIS))
+create_sssd_fixture(request)
+return None
+
+
+def test_remove_user_from_group(ldap_conn, remove_user_from_group):
+"""
+Removing two users from group, step by step
+"""
+group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn
+
+ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
+ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
+ent.assert_group_by_name("group1",
+ dict(mem=ent.contains_only("user1", "user2")))
+
+# removing of user2 from group1
+old = {'member': ["uid=user1,ou=Users,dc=example,dc=com",
+  "uid=user2,ou=Users,dc=example,dc=com"]}
+new = {'member': ["uid=user1,ou=Users,dc=example,dc=com"]}
+
+ldif = ldap.modlist.modifyModlist(old, new)
+ldap_conn.modify_s(group1_dn, ldif)
+
+if subprocess.call(["sss_cache", "-GU"]) != 0:
+raise Exception("sssd_cache failed")
+
+ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001,

[SSSD] [sssd PR#13][synchronized] MEMBEROF: Don't resolve members if they are removed

2016-09-19 Thread celestian 
   URL: https://github.com/SSSD/sssd/pull/13
Author: celestian
 Title: #13: MEMBEROF: Don't resolve members if they are removed
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/13/head:pr13
git checkout pr13
From 1cc2e2dee9cfd25b0c46ffb23abbca41dc22e6ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Wed, 31 Aug 2016 12:28:48 +0200
Subject: [PATCH 1/3] MEMBEROF: Don't resolve members if they are removed

If we need remove ghost (SYSDB_GHOST, DB_GHOST) attribute
from group we use empty structure.

This doesn't mean that there is pointer to NULL but
it means that there is zero elements.
Ghost attribute is array not string.

Resolves:
https://fedorahosted.org/sssd/ticket/2940
---
 src/ldb_modules/memberof.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/ldb_modules/memberof.c b/src/ldb_modules/memberof.c
index af7147e..b50127d 100644
--- a/src/ldb_modules/memberof.c
+++ b/src/ldb_modules/memberof.c
@@ -2920,7 +2920,8 @@ static int memberof_mod(struct ldb_module *module, struct ldb_request *req)
 mod_ctx->ghel = ldb_msg_find_element(mod_ctx->msg, DB_GHOST);
 
 /* continue with normal ops if there are no members and no ghosts */
-if (mod_ctx->membel == NULL && mod_ctx->ghel == NULL) {
+if (mod_ctx->membel == NULL &&
+(mod_ctx->ghel == NULL || mod_ctx->ghel->num_values == 0)) {
 mod_ctx->terminate = true;
 return mbof_orig_mod(mod_ctx);
 }

From e39a8829f115b6ad5f185d6ef8b2332df55b91c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Mon, 12 Sep 2016 15:18:07 +0200
Subject: [PATCH 2/3] LDAP: Removing of member link from group

Co-author: Sumit Bose

Resolves:
https://fedorahosted.org/sssd/ticket/2940
---
 src/providers/ldap/sdap_async_groups.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 72760b7..08dfa01 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -878,6 +878,8 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
 size_t nuserdns = 0;
 struct sss_domain_info *group_dom = NULL;
 int ret;
+const char *remove_attrs[] = {SYSDB_MEMBER, SYSDB_ORIG_MEMBER, SYSDB_GHOST,
+  NULL};
 
 if (dom->ignore_group_members) {
 DEBUG(SSSDBG_CRIT_FAILURE,
@@ -962,6 +964,13 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
 if (el->num_values == 0 && nuserdns == 0) {
 DEBUG(SSSDBG_TRACE_FUNC,
   "No members for group [%s]\n", group_name);
+
+ret = sysdb_remove_attrs(group_dom, group_name, SYSDB_MEMBER_GROUP,
+ discard_const(remove_attrs));
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_remove_attrs failed.\n");
+goto fail;
+}
 } else {
 DEBUG(SSSDBG_TRACE_FUNC,
   "Adding member users to group [%s]\n", group_name);

From 5d990f9341696ed38126fb2ed6a31e311c77c520 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Fri, 9 Sep 2016 06:28:01 +0200
Subject: [PATCH 3/3] TESTS: Adding intg. tests on nested groups

Resolves:
https://fedorahosted.org/sssd/ticket/2940
---
 src/tests/intg/test_ldap.py | 157 
 1 file changed, 157 insertions(+)

diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index 11792f5..7f0b8ff 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -794,3 +794,160 @@ def test_extra_attribute_already_exists(ldap_conn, extra_attributes):
   user, domain, extra_attribute)
 
 assert val == given_name
+
+
+@pytest.fixture
+def add_user_to_group(request, ldap_conn):
+"""
+Adding user to group
+"""
+ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ent_list.add_user("user1", 1001, 2001)
+ent_list.add_group_bis("group1", 20001, member_uids=["user1"])
+create_ldap_fixture(request, ldap_conn, ent_list)
+create_conf_fixture(request,
+format_rfc2307bis_deref_conf(
+ldap_conn,
+SCHEMA_RFC2307_BIS))
+create_sssd_fixture(request)
+return None
+
+
+def test_add_user_to_group(ldap_conn, add_user_to_group):
+ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
+ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user1")))
+
+
+@pytest.fixture
+def remove_user_from_group(request, ldap_conn):
+"""
+Adding user to group
+"""
+ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ent_list.add_user("user1", 1001, 2001)
+ent_list.add_user("user2", 1002, 2002)
+ent_list.add_group_bis("group1", 20001, member_uids=["user1", "user2"])
+

[SSSD] [sssd PR#13][synchronized] MEMBEROF: Don't resolve members if they are removed

2016-09-19 Thread celestian 
   URL: https://github.com/SSSD/sssd/pull/13
Author: celestian
 Title: #13: MEMBEROF: Don't resolve members if they are removed
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/13/head:pr13
git checkout pr13
From 10b3a126e098a061212fcebde4f2506e6198d889 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Wed, 31 Aug 2016 12:28:48 +0200
Subject: [PATCH 1/3] MEMBEROF: Don't resolve members if they are removed

If we need remove ghost (SYSDB_GHOST, DB_GHOST) attribute
from group we use empty structure.

This doesn't mean that there is pointer to NULL but
it means that there is zero elements.
Ghost attribute is array not string.

Resolves:
https://fedorahosted.org/sssd/ticket/2940
---
 src/ldb_modules/memberof.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/ldb_modules/memberof.c b/src/ldb_modules/memberof.c
index af7147e..af42c72 100644
--- a/src/ldb_modules/memberof.c
+++ b/src/ldb_modules/memberof.c
@@ -2920,7 +2920,9 @@ static int memberof_mod(struct ldb_module *module, struct ldb_request *req)
 mod_ctx->ghel = ldb_msg_find_element(mod_ctx->msg, DB_GHOST);
 
 /* continue with normal ops if there are no members and no ghosts */
-if (mod_ctx->membel == NULL && mod_ctx->ghel == NULL) {
+if ((mod_ctx->membel == NULL && mod_ctx->ghel == NULL) ||
+(mod_ctx->membel == NULL && mod_ctx->ghel != NULL &&
+ mod_ctx->ghel->num_values == 0)) {
 mod_ctx->terminate = true;
 return mbof_orig_mod(mod_ctx);
 }

From 216bf7c1556ee5c12a3f263a817f33674610 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Mon, 12 Sep 2016 15:18:07 +0200
Subject: [PATCH 2/3] LDAP: Removing of member link from group

Co-author: Sumit Bose

Resolves:
https://fedorahosted.org/sssd/ticket/2940
---
 src/providers/ldap/sdap_async_groups.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index 72760b7..08dfa01 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -878,6 +878,8 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
 size_t nuserdns = 0;
 struct sss_domain_info *group_dom = NULL;
 int ret;
+const char *remove_attrs[] = {SYSDB_MEMBER, SYSDB_ORIG_MEMBER, SYSDB_GHOST,
+  NULL};
 
 if (dom->ignore_group_members) {
 DEBUG(SSSDBG_CRIT_FAILURE,
@@ -962,6 +964,13 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx,
 if (el->num_values == 0 && nuserdns == 0) {
 DEBUG(SSSDBG_TRACE_FUNC,
   "No members for group [%s]\n", group_name);
+
+ret = sysdb_remove_attrs(group_dom, group_name, SYSDB_MEMBER_GROUP,
+ discard_const(remove_attrs));
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sysdb_remove_attrs failed.\n");
+goto fail;
+}
 } else {
 DEBUG(SSSDBG_TRACE_FUNC,
   "Adding member users to group [%s]\n", group_name);

From ea685ea0bf71c3a350fb709d41b01068e948839a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= 
Date: Fri, 9 Sep 2016 06:28:01 +0200
Subject: [PATCH 3/3] TESTS: Adding intg. tests on nested groups

Resolves:
https://fedorahosted.org/sssd/ticket/2940
---
 src/tests/intg/test_ldap.py | 157 
 1 file changed, 157 insertions(+)

diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index 11792f5..7f0b8ff 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -794,3 +794,160 @@ def test_extra_attribute_already_exists(ldap_conn, extra_attributes):
   user, domain, extra_attribute)
 
 assert val == given_name
+
+
+@pytest.fixture
+def add_user_to_group(request, ldap_conn):
+"""
+Adding user to group
+"""
+ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ent_list.add_user("user1", 1001, 2001)
+ent_list.add_group_bis("group1", 20001, member_uids=["user1"])
+create_ldap_fixture(request, ldap_conn, ent_list)
+create_conf_fixture(request,
+format_rfc2307bis_deref_conf(
+ldap_conn,
+SCHEMA_RFC2307_BIS))
+create_sssd_fixture(request)
+return None
+
+
+def test_add_user_to_group(ldap_conn, add_user_to_group):
+ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
+ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user1")))
+
+
+@pytest.fixture
+def remove_user_from_group(request, ldap_conn):
+"""
+Adding user to group
+"""
+ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ent_list.add_user("user1", 1001, 2001)
+ent_list.add_user("user2", 1002, 2002)
+