Fixes https://fedorahosted.org/sssd/ticket/1152
I just made the get_naming_context() routine non-fatal and added NULL checks for the search bases in each of the routines that use them. So if SOME features have search bases available, they'll work. This will ease issues on upgrade. Note: some other patches in development (such as AutoFS and SELinux) will probably need to be updated to include these NULL checks as well.
From a01950c22dd23626b58960074991628172b519fd Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <[email protected]>
Date: Wed, 1 Feb 2012 14:03:36 -0500
Subject: [PATCH] LDAP: Do not fail if RootDSE check cannot determine search bases
https://fedorahosted.org/sssd/ticket/1152
---
 src/providers/ipa/ipa_netgroups.c | 7 +++++
 src/providers/ldap/sdap.c | 7 ++++-
 src/providers/ldap/sdap_async_groups.c | 9 +++++++
 src/providers/ldap/sdap_async_initgroups.c | 35 +++++++++++++++++++++++++++-
 src/providers/ldap/sdap_async_services.c | 9 +++++++
 src/providers/ldap/sdap_async_users.c | 9 +++++++
 src/providers/ldap/sdap_sudo.c | 9 +++++++
 7 files changed, 83 insertions(+), 2 deletions(-)
diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
index d61728f57d31fb7231536dbcbc922d75ff17fbf2..620f03cc8e97addd87628d26a79b49158f82e251 100644
--- a/src/providers/ipa/ipa_netgroups.c
+++ b/src/providers/ipa/ipa_netgroups.c
@@ -209,6 +209,13 @@ struct tevent_req *ipa_get_netgroups_send(TALLOC_CTX *memctx,
 state->base_filter = filter;
 state->netgr_base_iter = 0;
+ if (!ipa_options->id->netgroup_search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Netgroup lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
 ret = sss_hash_create(state, 32, &state->new_netgroups);
 if (ret != EOK) goto done;
 ret = sss_hash_create(state, 32, &state->new_users);
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 8a118150b383380b5a2ac1389712adb99bb8ef0c..27cffd79ade57b9d052f91c3d31a5dee183d5010 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
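Review bot: The guard added to ipa_get_netgroups_send reports an unset netgroup search base as SSSDBG_CRIT_FAILURE with EINVAL on every request, although after this patch an unset base is a standing state of the provider rather than a malformed call; the guards added in the sdap_async_groups.c, sdap_async_initgroups.c, sdap_async_services.c, sdap_async_users.c and sdap_sudo.c hunks share this. A critical message repeated per lookup can bury other critical entries in the log, and the current text gives an administrator nothing to act on. Consider wording that names the remedy, e.g. `("Netgroup search base is not set; lookups are disabled until one is configured\n")`. The `done` label this hunk jumps to lies outside the hunk, so its error handling cannot be checked from here.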
@@ -754,7 +754,12 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
 naming_context = get_naming_context(opts->basic, rootdse);
 if (naming_context == NULL) {
 DEBUG(1, ("get_naming_context failed.\n"));
- ret = EINVAL;
+
+ /* This has to be non-fatal, since some servers offer
+ * multiple namingContexts entries. We will just
+ * add NULL checks for the search bases in the lookups.
+ */
+ ret = EOK;
 goto done;
 }
 }
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index e59640997d78db525a98a63cd230d2bc1a74d1a1..fe5dbd49a159c0ca4f57d60b7f69a8792e9a42c9 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1217,7 +1217,16 @@ struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx,
 state->base_iter = 0;
 state->search_bases = search_bases;
+ if (!search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Group lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
 ret = sdap_get_groups_next_base(req);
+
+done:
 if (ret != EOK) {
 tevent_req_error(req, ret);
 tevent_req_post(req, ev);
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 73ab25ea79cd66ff5fe7131ee7606cf71aa382e5..a769b100557b2d685cb022f09bea0d70ccfe3bb3 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -303,6 +303,13 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
 state->base_iter = 0;
 state->search_bases = opts->group_search_bases;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Initgroups lookup request without a group search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
 state->name = talloc_strdup(state, name);
 if (!state->name) {
 talloc_zfree(req);
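Review bot: Returning EOK when get_naming_context() yields NULL in sdap_set_config_options_with_rootdse replaces one fail-closed check with an invariant that every consumer of a search-base array must now uphold, and the content of the server's RootDSE decides when that state is reached. A lookup path not covered by this patch would presumably dereference the NULL array and bring the provider down, which the cover letter already anticipates for patches still in development. The added comment should state that contract rather than only the motivation, for example `/* Search bases may remain NULL from here on; every lookup must check before iterating them. */`, and the DEBUG text could say that the failure is being tolerated. The function starts and ends outside the hunk.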
@@ -337,6 +344,8 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
 talloc_zfree(clean_name);
 ret = sdap_initgr_rfc2307_next_base(req);
+
+done:
 if (ret != EOK) {
 tevent_req_error(req, ret);
 tevent_req_post(req, ev);
@@ -1432,6 +1441,13 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
 state->base_iter = 0;
 state->search_bases = opts->group_search_bases;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Initgroups lookup request without a group search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
 ret = sss_hash_create(state, 32, &state->group_hash);
 if (ret != EOK) {
 talloc_free(req);
@@ -2006,9 +2022,17 @@ struct tevent_req *rfc2307bis_nested_groups_send(
 SDAP_SEARCH_TIMEOUT);
 state->base_iter = 0;
 state->search_bases = opts->group_search_bases;
-
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Initgroups nested lookup request "
+ "without a group search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
 ret = rfc2307bis_nested_groups_step(req);
+
+done:
 if (ret == EOK) {
 /* All parent groups were already processed */
 tevent_req_done(req);
@@ -2378,9 +2402,16 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
 state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
 state->user_base_iter = 0;
 state->user_search_bases = id_ctx->opts->user_search_bases;
+ if (!state->user_search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Initgroups lookup request without a user search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
 ret = sss_filter_sanitize(state, name, &clean_name);
 if (ret != EOK) {
+ talloc_zfree(req);
 return NULL;
 }
@@ -2402,6 +2433,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
 }
 ret = sdap_get_initgr_next_base(req);
+
+done:
 if (ret != EOK) {
 tevent_req_error(req, ret);
 tevent_req_post(req, ev);
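Review bot: The `goto done;` added to sdap_initgr_rfc2307bis_send (the hunk at -1432) has no matching `done:` label anywhere in this patch, whereas every other guarded function in this file gets one in the same or a companion hunk. The context line `talloc_free(req);` after sss_hash_create suggests this function bails out by returning rather than jumping to a label, so unless a `done:` label already exists below the hunk the file will not compile. Add the label in front of the function's final error check, mirroring sdap_initgr_rfc2307_send, i.e. `done:` directly before its `if (ret != EOK) {`. The end of the function is outside the hunk, so this needs checking against the full file.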
diff --git a/src/providers/ldap/sdap_async_services.c b/src/providers/ldap/sdap_async_services.c
index e4371f58e3ed67c3d3c0de58799687efb28e0167..f414040bc08cfaf81fc01e22699f238989f48778 100644
--- a/src/providers/ldap/sdap_async_services.c
+++ b/src/providers/ldap/sdap_async_services.c
@@ -104,7 +104,16 @@ sdap_get_services_send(TALLOC_CTX *memctx,
 state->search_bases = search_bases;
 state->enumeration = enumeration;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Services lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
 ret = sdap_get_services_next_base(req);
+
+done:
 if (ret != EOK) {
 tevent_req_error(req, ret);
 tevent_req_post(req, state->ev);
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index ac856a64208cb87994f676ab50fdba6d82dbcb50..01168321951fa9d14f4b58d891cb922c6c44d2c2 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -434,7 +434,16 @@ struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx,
 state->search_bases = search_bases;
 state->enumeration = enumeration;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("User lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
 ret = sdap_get_users_next_base(req);
+
+done:
 if (ret != EOK) {
 tevent_req_error(req, ret);
 tevent_req_post(req, state->ev);
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index aed937f9f3008df7ef30fd624689f685ca9aefbc..30afcddfec495504786c62b22e1c21225f0f1e38 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -340,6 +340,13 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
 state->ldap_rules = NULL;
 state->ldap_rules_count = 0;
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("SUDOERS lookup request without a search base\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
 /* create filter */
 state->filter = sdap_sudo_build_filter(state, opts->sudorule_map, sudo_req);
 if (state->filter == NULL) {
@@ -355,6 +362,8 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
 /* begin search */
 ret = sdap_sudo_load_sudoers_next_base(req);
+
+done:
 if (ret != EOK) {
 tevent_req_error(req, ret);
 tevent_req_post(req, ev);
--
1.7.7.6
