[SSSD] [sssd PR#13][synchronized] MEMBEROF: Don't resolve members if they are removed
URL: https://github.com/SSSD/sssd/pull/13 Author: celestian Title: #13: MEMBEROF: Don't resolve members if they are removed Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/13/head:pr13 git checkout pr13 From 1b5c97c64c7179da8b324c7aa83767484c5c15ee Mon Sep 17 00:00:00 2001 From: Sumit BoseDate: Mon, 12 Sep 2016 15:18:07 +0200 Subject: [PATCH 1/2] LDAP: Removing of member link from group Resolves: https://fedorahosted.org/sssd/ticket/2940 --- src/providers/ldap/sdap_async_groups.c | 9 + 1 file changed, 9 insertions(+) diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index 72760b7..08dfa01 100644 --- a/src/providers/ldap/sdap_async_groups.c +++ b/src/providers/ldap/sdap_async_groups.c @@ -878,6 +878,8 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx, size_t nuserdns = 0; struct sss_domain_info *group_dom = NULL; int ret; +const char *remove_attrs[] = {SYSDB_MEMBER, SYSDB_ORIG_MEMBER, SYSDB_GHOST, + NULL}; if (dom->ignore_group_members) { DEBUG(SSSDBG_CRIT_FAILURE, @@ -962,6 +964,13 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx, if (el->num_values == 0 && nuserdns == 0) { DEBUG(SSSDBG_TRACE_FUNC, "No members for group [%s]\n", group_name); + +ret = sysdb_remove_attrs(group_dom, group_name, SYSDB_MEMBER_GROUP, + discard_const(remove_attrs)); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "sysdb_remove_attrs failed.\n"); +goto fail; +} } else { DEBUG(SSSDBG_TRACE_FUNC, "Adding member users to group [%s]\n", group_name); From 28467e4330c500d4149135f49e019e1c6a9ee972 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Fri, 9 Sep 2016 06:28:01 +0200 Subject: [PATCH 2/2] TESTS: Adding intg. tests on nested groups Resolves: https://fedorahosted.org/sssd/ticket/2940 --- src/tests/intg/test_ldap.py | 157 1 file changed, 157 insertions(+) diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py index 11792f5..7f0b8ff 100644 
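Review bot: In the `@@ -962` hunk every non-EOK result of the new `sysdb_remove_attrs` call becomes `goto fail`, yet the first time an empty group is cached its sysdb entry presumably does not exist yet, so the delete-modify would likely come back as ENOENT and abort a save that has nothing stale to drop. Tolerating that case, `if (ret != EOK && ret != ENOENT) {`, limits the failure path to real cache errors; please confirm against sysdb_remove_attrs' error mapping. A one-line comment above the call would also state the intent, e.g. `/* Server reports no members: drop stale member/orig_member/ghost links from the cache (ticket 2940) */`. sdap_save_grpmem starts and ends outside the hunk, so what `fail:` does to the rest of the group save is not visible here.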
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -794,3 +794,160 @@ def test_extra_attribute_already_exists(ldap_conn, extra_attributes): user, domain, extra_attribute) assert val == given_name + + +@pytest.fixture +def add_user_to_group(request, ldap_conn): +""" +Adding user to group +""" +ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) +ent_list.add_user("user1", 1001, 2001) +ent_list.add_group_bis("group1", 20001, member_uids=["user1"]) +create_ldap_fixture(request, ldap_conn, ent_list) +create_conf_fixture(request, +format_rfc2307bis_deref_conf( +ldap_conn, +SCHEMA_RFC2307_BIS)) +create_sssd_fixture(request) +return None + + +def test_add_user_to_group(ldap_conn, add_user_to_group): +ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001)) +ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user1"))) + + +@pytest.fixture +def remove_user_from_group(request, ldap_conn): +""" +Adding user to group +""" +ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) +ent_list.add_user("user1", 1001, 2001) +ent_list.add_user("user2", 1002, 2002) +ent_list.add_group_bis("group1", 20001, member_uids=["user1", "user2"]) +create_ldap_fixture(request, ldap_conn, ent_list) +create_conf_fixture(request, +format_rfc2307bis_deref_conf( +ldap_conn, +SCHEMA_RFC2307_BIS)) +create_sssd_fixture(request) +return None + + +def test_remove_user_from_group(ldap_conn, remove_user_from_group): +""" +Removing two users from group, step by step +""" +group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn + +ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001)) +ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002)) +ent.assert_group_by_name("group1", + dict(mem=ent.contains_only("user1", "user2"))) + +# removing of user2 from group1 +old = {'member': ["uid=user1,ou=Users,dc=example,dc=com", + "uid=user2,ou=Users,dc=example,dc=com"]} +new = {'member': ["uid=user1,ou=Users,dc=example,dc=com"]} + +ldif = ldap.modlist.modifyModlist(old, new) 
+ldap_conn.modify_s(group1_dn, ldif) + +if subprocess.call(["sss_cache", "-GU"]) != 0: +raise Exception("sssd_cache failed") + +ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001)) +
[SSSD] [sssd PR#13][synchronized] MEMBEROF: Don't resolve members if they are removed
URL: https://github.com/SSSD/sssd/pull/13 Author: celestian Title: #13: MEMBEROF: Don't resolve members if they are removed Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/13/head:pr13 git checkout pr13 From 4c1632e15d8a35b8d53401a69ab4e3314769fde0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?=Date: Mon, 12 Sep 2016 15:18:07 +0200 Subject: [PATCH 1/2] LDAP: Removing of member link from group Co-author: Sumit Bose Resolves: https://fedorahosted.org/sssd/ticket/2940 --- src/providers/ldap/sdap_async_groups.c | 9 + 1 file changed, 9 insertions(+) diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index 72760b7..08dfa01 100644 --- a/src/providers/ldap/sdap_async_groups.c +++ b/src/providers/ldap/sdap_async_groups.c @@ -878,6 +878,8 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx, size_t nuserdns = 0; struct sss_domain_info *group_dom = NULL; int ret; +const char *remove_attrs[] = {SYSDB_MEMBER, SYSDB_ORIG_MEMBER, SYSDB_GHOST, + NULL}; if (dom->ignore_group_members) { DEBUG(SSSDBG_CRIT_FAILURE, @@ -962,6 +964,13 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx, if (el->num_values == 0 && nuserdns == 0) { DEBUG(SSSDBG_TRACE_FUNC, "No members for group [%s]\n", group_name); + +ret = sysdb_remove_attrs(group_dom, group_name, SYSDB_MEMBER_GROUP, + discard_const(remove_attrs)); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "sysdb_remove_attrs failed.\n"); +goto fail; +} } else { DEBUG(SSSDBG_TRACE_FUNC, "Adding member users to group [%s]\n", group_name); From b55cc72f0124105cb043856ad608604a951a98d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Fri, 9 Sep 2016 06:28:01 +0200 Subject: [PATCH 2/2] TESTS: Adding intg. tests on nested groups Resolves: https://fedorahosted.org/sssd/ticket/2940 --- src/tests/intg/test_ldap.py | 157 1 file changed, 157 insertions(+) 
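Review bot: The error check after `sysdb_remove_attrs` in the `@@ -962` hunk does not distinguish "entry not there yet" from a real failure; for a group that has never been cached the modify presumably returns ENOENT, and the code then jumps to `fail` although no stale links exist. Suggested change: `if (ret != EOK && ret != ENOENT) {`, with a comment such as `/* ENOENT: group not cached yet, nothing stale to remove */` on the condition — verify the errno sysdb_remove_attrs maps a missing object to. The enclosing sdap_save_grpmem begins before and ends after this hunk.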
diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
index 11792f5..7f0b8ff 100644
--- a/src/tests/intg/test_ldap.py
+++ b/src/tests/intg/test_ldap.py
@@ -794,3 +794,160 @@ def test_extra_attribute_already_exists(ldap_conn, extra_attributes): user, domain, extra_attribute) assert val == given_name + + +@pytest.fixture +def add_user_to_group(request, ldap_conn): +""" +Adding user to group +""" +ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) +ent_list.add_user("user1", 1001, 2001) +ent_list.add_group_bis("group1", 20001, member_uids=["user1"]) +create_ldap_fixture(request, ldap_conn, ent_list) +create_conf_fixture(request, +format_rfc2307bis_deref_conf( +ldap_conn, +SCHEMA_RFC2307_BIS)) +create_sssd_fixture(request) +return None + + +def test_add_user_to_group(ldap_conn, add_user_to_group): +ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001)) +ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user1"))) + + +@pytest.fixture +def remove_user_from_group(request, ldap_conn): +""" +Adding user to group +""" +ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) +ent_list.add_user("user1", 1001, 2001) +ent_list.add_user("user2", 1002, 2002) +ent_list.add_group_bis("group1", 20001, member_uids=["user1", "user2"]) +create_ldap_fixture(request, ldap_conn, ent_list) +create_conf_fixture(request, +format_rfc2307bis_deref_conf( +ldap_conn, +SCHEMA_RFC2307_BIS)) +create_sssd_fixture(request) +return None + + +def test_remove_user_from_group(ldap_conn, remove_user_from_group): +""" +Removing two users from group, step by step +""" +group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn + +ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001)) +ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002)) +ent.assert_group_by_name("group1", + dict(mem=ent.contains_only("user1", "user2"))) + +# removing of user2 from group1 +old = {'member': ["uid=user1,ou=Users,dc=example,dc=com", + "uid=user2,ou=Users,dc=example,dc=com"]} +new = {'member': ["uid=user1,ou=Users,dc=example,dc=com"]} + +ldif = ldap.modlist.modifyModlist(old, new) 
+ldap_conn.modify_s(group1_dn, ldif) + +if subprocess.call(["sss_cache", "-GU"]) != 0: +raise Exception("sssd_cache failed") + +ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001,
[SSSD] [sssd PR#13][synchronized] MEMBEROF: Don't resolve members if they are removed
URL: https://github.com/SSSD/sssd/pull/13 Author: celestian Title: #13: MEMBEROF: Don't resolve members if they are removed Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/13/head:pr13 git checkout pr13 From 1cc2e2dee9cfd25b0c46ffb23abbca41dc22e6ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?=Date: Wed, 31 Aug 2016 12:28:48 +0200 Subject: [PATCH 1/3] MEMBEROF: Don't resolve members if they are removed If we need remove ghost (SYSDB_GHOST, DB_GHOST) attribute from group we use empty structure. This doesn't mean that there is pointer to NULL but it means that there is zero elements. Ghost attribute is array not string. Resolves: https://fedorahosted.org/sssd/ticket/2940 --- src/ldb_modules/memberof.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/ldb_modules/memberof.c b/src/ldb_modules/memberof.c index af7147e..b50127d 100644 --- a/src/ldb_modules/memberof.c +++ b/src/ldb_modules/memberof.c @@ -2920,7 +2920,8 @@ static int memberof_mod(struct ldb_module *module, struct ldb_request *req) mod_ctx->ghel = ldb_msg_find_element(mod_ctx->msg, DB_GHOST); /* continue with normal ops if there are no members and no ghosts */ -if (mod_ctx->membel == NULL && mod_ctx->ghel == NULL) { +if (mod_ctx->membel == NULL && +(mod_ctx->ghel == NULL || mod_ctx->ghel->num_values == 0)) { mod_ctx->terminate = true; return mbof_orig_mod(mod_ctx); } From e39a8829f115b6ad5f185d6ef8b2332df55b91c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Mon, 12 Sep 2016 15:18:07 +0200 Subject: [PATCH 2/3] LDAP: Removing of member link from group Co-author: Sumit Bose Resolves: https://fedorahosted.org/sssd/ticket/2940 --- src/providers/ldap/sdap_async_groups.c | 9 + 1 file changed, 9 insertions(+) diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index 72760b7..08dfa01 100644 --- a/src/providers/ldap/sdap_async_groups.c 
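Review bot: The comment above the changed condition in memberof.c still reads "no members and no ghosts", but the condition now also bypasses memberof processing when a ghost element is present with zero values, i.e. a delete of the whole attribute; update it to `/* continue with normal ops if there are no members and no ghosts (an empty ghost element is a delete of the whole attribute) */`. Skipping the module for that delete presumably leaves any ghost values it previously propagated to parent groups in place, which for nested groups would keep a removed user visible in the parent; either confirm the nested-group tests in patch 3/3 cover an emptied child group, or add a comment explaining why parents need no update. memberof_mod starts and ends outside the hunk.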
+++ b/src/providers/ldap/sdap_async_groups.c @@ -878,6 +878,8 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx, size_t nuserdns = 0; struct sss_domain_info *group_dom = NULL; int ret; +const char *remove_attrs[] = {SYSDB_MEMBER, SYSDB_ORIG_MEMBER, SYSDB_GHOST, + NULL}; if (dom->ignore_group_members) { DEBUG(SSSDBG_CRIT_FAILURE, @@ -962,6 +964,13 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx, if (el->num_values == 0 && nuserdns == 0) { DEBUG(SSSDBG_TRACE_FUNC, "No members for group [%s]\n", group_name); + +ret = sysdb_remove_attrs(group_dom, group_name, SYSDB_MEMBER_GROUP, + discard_const(remove_attrs)); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "sysdb_remove_attrs failed.\n"); +goto fail; +} } else { DEBUG(SSSDBG_TRACE_FUNC, "Adding member users to group [%s]\n", group_name); From 5d990f9341696ed38126fb2ed6a31e311c77c520 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Fri, 9 Sep 2016 06:28:01 +0200 Subject: [PATCH 3/3] TESTS: Adding intg. tests on nested groups Resolves: https://fedorahosted.org/sssd/ticket/2940 --- src/tests/intg/test_ldap.py | 157 1 file changed, 157 insertions(+) diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py index 11792f5..7f0b8ff 100644 --- a/src/tests/intg/test_ldap.py +++ b/src/tests/intg/test_ldap.py 
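Review bot: In the `@@ -962` hunk, `sysdb_remove_attrs` is called before the group is stored, so on the first sighting of a member-less group the cache entry presumably does not exist and the call would likely fail with ENOENT, sending an otherwise valid save to `fail`. Relaxing the check to `if (ret != EOK && ret != ENOENT) {` keeps the fix focused on groups whose cached `member`/`orig_member`/`ghost` links went stale; please verify the errno sysdb_remove_attrs returns for a missing DN. A short why-comment on the call, e.g. `/* LDAP group has no members now: drop the cached links too */`, would help the next reader. sdap_save_grpmem's body continues outside the hunk.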
@@ -794,3 +794,160 @@ def test_extra_attribute_already_exists(ldap_conn, extra_attributes): user, domain, extra_attribute) assert val == given_name + + +@pytest.fixture +def add_user_to_group(request, ldap_conn): +""" +Adding user to group +""" +ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) +ent_list.add_user("user1", 1001, 2001) +ent_list.add_group_bis("group1", 20001, member_uids=["user1"]) +create_ldap_fixture(request, ldap_conn, ent_list) +create_conf_fixture(request, +format_rfc2307bis_deref_conf( +ldap_conn, +SCHEMA_RFC2307_BIS)) +create_sssd_fixture(request) +return None + + +def test_add_user_to_group(ldap_conn, add_user_to_group): +ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001)) +ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user1"))) + + +@pytest.fixture +def remove_user_from_group(request, ldap_conn): +""" +Adding user to group +""" +ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) +ent_list.add_user("user1", 1001, 2001) +ent_list.add_user("user2", 1002, 2002) +ent_list.add_group_bis("group1", 20001, member_uids=["user1", "user2"]) +
[SSSD] [sssd PR#13][synchronized] MEMBEROF: Don't resolve members if they are removed
URL: https://github.com/SSSD/sssd/pull/13 Author: celestian Title: #13: MEMBEROF: Don't resolve members if they are removed Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/13/head:pr13 git checkout pr13 From 10b3a126e098a061212fcebde4f2506e6198d889 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?=Date: Wed, 31 Aug 2016 12:28:48 +0200 Subject: [PATCH 1/3] MEMBEROF: Don't resolve members if they are removed If we need remove ghost (SYSDB_GHOST, DB_GHOST) attribute from group we use empty structure. This doesn't mean that there is pointer to NULL but it means that there is zero elements. Ghost attribute is array not string. Resolves: https://fedorahosted.org/sssd/ticket/2940 --- src/ldb_modules/memberof.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/ldb_modules/memberof.c b/src/ldb_modules/memberof.c index af7147e..af42c72 100644 --- a/src/ldb_modules/memberof.c +++ b/src/ldb_modules/memberof.c @@ -2920,7 +2920,9 @@ static int memberof_mod(struct ldb_module *module, struct ldb_request *req) mod_ctx->ghel = ldb_msg_find_element(mod_ctx->msg, DB_GHOST); /* continue with normal ops if there are no members and no ghosts */ -if (mod_ctx->membel == NULL && mod_ctx->ghel == NULL) { +if ((mod_ctx->membel == NULL && mod_ctx->ghel == NULL) || +(mod_ctx->membel == NULL && mod_ctx->ghel != NULL && + mod_ctx->ghel->num_values == 0)) { mod_ctx->terminate = true; return mbof_orig_mod(mod_ctx); } From 216bf7c1556ee5c12a3f263a817f33674610 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Mon, 12 Sep 2016 15:18:07 +0200 Subject: [PATCH 2/3] LDAP: Removing of member link from group Co-author: Sumit Bose Resolves: https://fedorahosted.org/sssd/ticket/2940 --- src/providers/ldap/sdap_async_groups.c | 9 + 1 file changed, 9 insertions(+) diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c index 72760b7..08dfa01 100644 
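Review bot: The two-clause condition in memberof_mod is a verbose expansion of one test — both clauses require `membel == NULL`, and `ghel == NULL || ghel->num_values == 0` covers the remainder with short-circuit evaluation — so `if (mod_ctx->membel == NULL && (mod_ctx->ghel == NULL || mod_ctx->ghel->num_values == 0)) {` is equivalent and easier to keep aligned with the comment. That comment should also name the new case: `/* continue with normal ops if there are no members and no ghosts (an empty ghost element, i.e. deleting the whole attribute, counts as none) */`. Bypassing the module for a full ghost delete presumably leaves ghost values earlier copied to parent groups untouched; confirm the nested-group tests exercise an emptied child group. memberof_mod starts and ends outside the hunk.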
--- a/src/providers/ldap/sdap_async_groups.c +++ b/src/providers/ldap/sdap_async_groups.c @@ -878,6 +878,8 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx, size_t nuserdns = 0; struct sss_domain_info *group_dom = NULL; int ret; +const char *remove_attrs[] = {SYSDB_MEMBER, SYSDB_ORIG_MEMBER, SYSDB_GHOST, + NULL}; if (dom->ignore_group_members) { DEBUG(SSSDBG_CRIT_FAILURE, @@ -962,6 +964,13 @@ static int sdap_save_grpmem(TALLOC_CTX *memctx, if (el->num_values == 0 && nuserdns == 0) { DEBUG(SSSDBG_TRACE_FUNC, "No members for group [%s]\n", group_name); + +ret = sysdb_remove_attrs(group_dom, group_name, SYSDB_MEMBER_GROUP, + discard_const(remove_attrs)); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "sysdb_remove_attrs failed.\n"); +goto fail; +} } else { DEBUG(SSSDBG_TRACE_FUNC, "Adding member users to group [%s]\n", group_name); From ea685ea0bf71c3a350fb709d41b01068e948839a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Fri, 9 Sep 2016 06:28:01 +0200 Subject: [PATCH 3/3] TESTS: Adding intg. tests on nested groups Resolves: https://fedorahosted.org/sssd/ticket/2940 --- src/tests/intg/test_ldap.py | 157 1 file changed, 157 insertions(+) diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py index 11792f5..7f0b8ff 100644 --- a/src/tests/intg/test_ldap.py +++ b/src/tests/intg/test_ldap.py 
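Review bot: The `@@ -962` hunk treats any error from `sysdb_remove_attrs` as fatal, but for a group that is not yet in the cache there is nothing to remove and the modify presumably reports ENOENT, so the save would abort unnecessarily. Consider `if (ret != EOK && ret != ENOENT) {` and a comment such as `/* ENOENT: group not cached yet, nothing stale to drop */`; confirm the mapping in sysdb_remove_attrs before relying on it. The surrounding sdap_save_grpmem, including its `fail:` label, lies outside the hunk.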
@@ -794,3 +794,160 @@ def test_extra_attribute_already_exists(ldap_conn, extra_attributes): user, domain, extra_attribute) assert val == given_name + + +@pytest.fixture +def add_user_to_group(request, ldap_conn): +""" +Adding user to group +""" +ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) +ent_list.add_user("user1", 1001, 2001) +ent_list.add_group_bis("group1", 20001, member_uids=["user1"]) +create_ldap_fixture(request, ldap_conn, ent_list) +create_conf_fixture(request, +format_rfc2307bis_deref_conf( +ldap_conn, +SCHEMA_RFC2307_BIS)) +create_sssd_fixture(request) +return None + + +def test_add_user_to_group(ldap_conn, add_user_to_group): +ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001)) +ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user1"))) + + +@pytest.fixture +def remove_user_from_group(request, ldap_conn): +""" +Adding user to group +""" +ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) +ent_list.add_user("user1", 1001, 2001) +ent_list.add_user("user2", 1002, 2002) +