On Fri, 2012-02-03 at 18:42 +0100, Jakub Hrozek wrote:
> On Thu, Feb 2, 2012 at 3:38 AM, Stephen Gallagher <[email protected]> wrote:
> > On Wed, 2012-02-01 at 14:07 -0500, Stephen Gallagher wrote:
> >> Fixes https://fedorahosted.org/sssd/ticket/1152
> >>
> >> I just made the get_naming_context() routine non-fatal and added NULL
> >> checks for the search bases in each of the routines that use them. So if
> >> SOME features have search bases available, they'll work. This will ease
> >> issues on upgrade.
> >>
> >> Note: some other patches in development (such as AutoFS and SELinux)
> >> will probably need to be updated to include these NULL checks as well.
> >
> 
> Yes :-) I'm going to update the autofs patches that are already on the list.
> 
> > Minor update.
> >
> > Squash in a patch from Jakub to avoid a startup failure when the SUDO
> > search base is not set and SSSD was built with --enable-sudo
> >
> 
> Nack,
> 
> you missed the check in sdap_get_netgroups_send()

Thanks for catching that. New patch attached.

From 95953362b2c66ffc42dd50999b9281592984cba6 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <[email protected]>
Date: Wed, 1 Feb 2012 14:03:36 -0500
Subject: [PATCH 1/3] LDAP: Do not fail if RootDSE check cannot determine
 search bases

https://fedorahosted.org/sssd/ticket/1152
---
 src/providers/ipa/ipa_netgroups.c          |    7 +++++
 src/providers/ldap/ldap_common.c           |    5 +--
 src/providers/ldap/sdap.c                  |    7 ++++-
 src/providers/ldap/sdap_async_groups.c     |    9 +++++++
 src/providers/ldap/sdap_async_initgroups.c |   35 +++++++++++++++++++++++++++-
 src/providers/ldap/sdap_async_netgroups.c  |   10 ++++++++
 src/providers/ldap/sdap_async_services.c   |    9 +++++++
 src/providers/ldap/sdap_async_users.c      |    9 +++++++
 src/providers/ldap/sdap_sudo.c             |    9 +++++++
 9 files changed, 95 insertions(+), 5 deletions(-)

diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
index d61728f57d31fb7231536dbcbc922d75ff17fbf2..620f03cc8e97addd87628d26a79b49158f82e251 100644
--- a/src/providers/ipa/ipa_netgroups.c
+++ b/src/providers/ipa/ipa_netgroups.c
@@ -209,6 +209,13 @@ struct tevent_req *ipa_get_netgroups_send(TALLOC_CTX *memctx,
     state->base_filter = filter;
     state->netgr_base_iter = 0;
 
+    if (!ipa_options->id->netgroup_search_bases) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              ("Netgroup lookup request without a search base\n"));
+        ret = EINVAL;
+        goto done;
+    }
+
     ret = sss_hash_create(state, 32, &state->new_netgroups);
     if (ret != EOK) goto done;
     ret = sss_hash_create(state, 32, &state->new_users);
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 786e06b3d936f0cb2c86b0df2a399c14913e03fe..38bd1b4f3d2e82057e60e97a9ad420974a200057 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -572,9 +572,8 @@ int ldap_get_sudo_options(TALLOC_CTX *memctx,
                   dp_opt_get_string(opts->basic, SDAP_SUDO_SEARCH_BASE)));
         }
     } else {
-        /* FIXME: try to discover it later */
-        DEBUG(SSSDBG_OP_FAILURE, ("Error: no SUDO search base set\n"));
-        return ENOENT;
+        DEBUG(SSSDBG_TRACE_FUNC, ("Search base not set, trying to discover it later "
+              "connecting to the LDAP server.\n"));
     }
 
     ret = sdap_parse_search_base(opts, opts->basic,
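Review bot: With the early `return ENOENT` gone, `sdap_parse_search_base()` on the last context line is now reached with SDAP_SUDO_SEARCH_BASE unset; the hunk does not show that it tolerates a NULL option value, so that is worth confirming (ldap_get_sudo_options continues outside the hunk). The new trace message also reads awkwardly; suggest `DEBUG(SSSDBG_TRACE_FUNC, ("SUDO search base not set, will try to discover it when connecting to the LDAP server.\n"));`. Note that at TRACE_FUNC level an administrator who never configured a base sees nothing at startup and only learns about it when SUDO lookups start failing with EINVAL, so a higher level (or a second message when discovery later fails) may be more useful.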
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
index 8a118150b383380b5a2ac1389712adb99bb8ef0c..27cffd79ade57b9d052f91c3d31a5dee183d5010 100644
--- a/src/providers/ldap/sdap.c
+++ b/src/providers/ldap/sdap.c
@@ -754,7 +754,12 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
         naming_context = get_naming_context(opts->basic, rootdse);
         if (naming_context == NULL) {
             DEBUG(1, ("get_naming_context failed.\n"));
-            ret = EINVAL;
+
+            /* This has to be non-fatal, since some servers offer
+             * multiple namingContexts entries. We will just
+             * add NULL checks for the search bases in the lookups.
+             */
+            ret = EOK;
             goto done;
         }
     }
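Review bot: Returning EOK through `goto done` skips whatever follows the naming-context block in sdap_set_config_options_with_rootdse (the function continues outside the hunk); if any further option is derived from rootdse after this point, it is now silently left unset while the call reports success, so falling through instead of jumping would be safer. The `DEBUG(1, ("get_naming_context failed.\n"))` line still logs at the numeric level used for fatal errors although the condition is now tolerated, and it does not tell the reader what the consequence is; suggest `DEBUG(1, ("Could not determine search bases from the RootDSE; lookups without an explicitly configured search base will fail.\n"));`. The added comment explains why this is non-fatal; naming the explicit search-base options the administrator should set instead would make it actionable.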
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index e59640997d78db525a98a63cd230d2bc1a74d1a1..fe5dbd49a159c0ca4f57d60b7f69a8792e9a42c9 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -1217,7 +1217,16 @@ struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx,
     state->base_iter = 0;
     state->search_bases = search_bases;
 
+    if (!search_bases) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              ("Group lookup request without a search base\n"));
+        ret = EINVAL;
+        goto done;
+    }
+
     ret = sdap_get_groups_next_base(req);
+
+done:
     if (ret != EOK) {
         tevent_req_error(req, ret);
         tevent_req_post(req, ev);
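Review bot: The guard in sdap_get_groups_send tests the raw parameter `search_bases`, while the same guard added in sdap_get_netgroups_send, sdap_get_services_send, sdap_get_users_send and the sdap_async_initgroups.c functions tests the copy in `state`; use `if (!state->search_bases) {` here too so the copies are grep-identical. The skeleton (populate `state`, guard, `goto done` into the `tevent_req_error`/`tevent_req_post` tail) is the same in every file and the messages differ only in the noun, which is fine, but keeping the spelling identical makes the next such audit (the autofs and SELinux patches mentioned in the thread) a mechanical check. This is a style point only; the logic is correct.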
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 73ab25ea79cd66ff5fe7131ee7606cf71aa382e5..a769b100557b2d685cb022f09bea0d70ccfe3bb3 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -303,6 +303,13 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
     state->base_iter = 0;
     state->search_bases = opts->group_search_bases;
 
+    if (!state->search_bases) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              ("Initgroups lookup request without a group search base\n"));
+        ret = EINVAL;
+        goto done;
+    }
+
     state->name = talloc_strdup(state, name);
     if (!state->name) {
         talloc_zfree(req);
@@ -337,6 +344,8 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
     talloc_zfree(clean_name);
 
     ret = sdap_initgr_rfc2307_next_base(req);
+
+done:
     if (ret != EOK) {
         tevent_req_error(req, ret);
         tevent_req_post(req, ev);
@@ -1432,6 +1441,13 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
     state->base_iter = 0;
     state->search_bases = opts->group_search_bases;
 
+    if (!state->search_bases) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              ("Initgroups lookup request without a group search base\n"));
+        ret = EINVAL;
+        goto done;
+    }
+
     ret = sss_hash_create(state, 32, &state->group_hash);
     if (ret != EOK) {
         talloc_free(req);
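Review bot: This hunk adds `goto done` to sdap_initgr_rfc2307bis_send but, unlike the other functions in this file, adds no `done:` label, so it relies on one already existing further down, outside the hunk. Worth confirming that label's handler is the `tevent_req_error`/`tevent_req_post` tail and does not touch `state->group_hash`, because the jump now happens before `sss_hash_create` has run. The neighbouring pre-existing failure path (`talloc_free(req); return NULL;`) reports failure to the caller differently from a posted error; a one-line comment on the guard, e.g. `/* Posted as an error on req rather than returning NULL, like the base-iteration failures below */`, would document which the caller should expect.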
@@ -2006,9 +2022,17 @@ struct tevent_req *rfc2307bis_nested_groups_send(
                                     SDAP_SEARCH_TIMEOUT);
     state->base_iter = 0;
     state->search_bases = opts->group_search_bases;
-
+    if (!state->search_bases) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              ("Initgroups nested lookup request "
+               "without a group search base\n"));
+        ret = EINVAL;
+        goto done;
+    }
 
     ret = rfc2307bis_nested_groups_step(req);
+
+done:
     if (ret == EOK) {
         /* All parent groups were already processed */
         tevent_req_done(req);
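Review bot: The `done:` label added before `if (ret == EOK)` lands on a tail whose non-EOK handling is outside the hunk; confirm its other branch posts `tevent_req_error` for EINVAL and does not treat only EAGAIN as "in progress", otherwise the new guard would leave the request neither done nor errored. Style: the blank line separating `state->search_bases = opts->group_search_bases;` from the guard was removed here while every other hunk keeps one; restore it for consistency.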
@@ -2378,9 +2402,16 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
     state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
     state->user_base_iter = 0;
     state->user_search_bases = id_ctx->opts->user_search_bases;
+    if (!state->user_search_bases) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              ("Initgroups lookup request without a user search base\n"));
+        ret = EINVAL;
+        goto done;
+    }
 
     ret = sss_filter_sanitize(state, name, &clean_name);
     if (ret != EOK) {
+        talloc_zfree(req);
         return NULL;
     }
 
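Review bot: The `talloc_zfree(req);` added in the `sss_filter_sanitize` failure path fixes a pre-existing leak of `req` that is unrelated to the RootDSE change and is not mentioned in the commit message; either name it there or split it into its own commit so either behaviour can be bisected cleanly. The guard on `state->user_search_bases` is also placed with no blank line before it, unlike the sibling hunks. sdap_get_initgr_send continues outside the hunk and its `done:` label is added in the next hunk of this file.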
@@ -2402,6 +2433,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
     }
 
     ret = sdap_get_initgr_next_base(req);
+
+done:
     if (ret != EOK) {
         tevent_req_error(req, ret);
         tevent_req_post(req, ev);
diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c
index 0888c7e2fcf03d0b133bcf93ad017086aedffe16..f3a378f6488cfd46001c22b3a5abf29724f2fd0d 100644
--- a/src/providers/ldap/sdap_async_netgroups.c
+++ b/src/providers/ldap/sdap_async_netgroups.c
@@ -579,7 +579,17 @@ struct tevent_req *sdap_get_netgroups_send(TALLOC_CTX *memctx,
     state->base_iter = 0;
     state->search_bases = search_bases;
 
+    if (!state->search_bases) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              ("Netgroup lookup request without a netgroup search base\n"));
+        ret = EINVAL;
+        goto done;
+    }
+
+
     ret = sdap_get_netgroups_next_base(req);
+
+done:
     if (ret != EOK) {
         tevent_req_error(req, ret);
         tevent_req_post(req, state->ev);
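Review bot: Two consecutive blank lines follow the new guard before `ret = sdap_get_netgroups_next_base(req);`; drop one. Otherwise this is the check the earlier review asked for and it uses the same `goto done` tail as the other lookups.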
diff --git a/src/providers/ldap/sdap_async_services.c b/src/providers/ldap/sdap_async_services.c
index e4371f58e3ed67c3d3c0de58799687efb28e0167..f414040bc08cfaf81fc01e22699f238989f48778 100644
--- a/src/providers/ldap/sdap_async_services.c
+++ b/src/providers/ldap/sdap_async_services.c
@@ -104,7 +104,16 @@ sdap_get_services_send(TALLOC_CTX *memctx,
     state->search_bases = search_bases;
     state->enumeration = enumeration;
 
+    if (!state->search_bases) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              ("Services lookup request without a search base\n"));
+        ret = EINVAL;
+        goto done;
+    }
+
     ret = sdap_get_services_next_base(req);
+
+done:
     if (ret != EOK) {
         tevent_req_error(req, ret);
         tevent_req_post(req, state->ev);
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index ac856a64208cb87994f676ab50fdba6d82dbcb50..01168321951fa9d14f4b58d891cb922c6c44d2c2 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -434,7 +434,16 @@ struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx,
     state->search_bases = search_bases;
     state->enumeration = enumeration;
 
+    if (!state->search_bases) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              ("User lookup request without a search base\n"));
+        ret = EINVAL;
+        goto done;
+    }
+
     ret = sdap_get_users_next_base(req);
+
+done:
     if (ret != EOK) {
         tevent_req_error(req, ret);
         tevent_req_post(req, state->ev);
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
index aed937f9f3008df7ef30fd624689f685ca9aefbc..30afcddfec495504786c62b22e1c21225f0f1e38 100644
--- a/src/providers/ldap/sdap_sudo.c
+++ b/src/providers/ldap/sdap_sudo.c
@@ -340,6 +340,13 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
     state->ldap_rules = NULL;
     state->ldap_rules_count = 0;
 
+    if (!state->search_bases) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              ("SUDOERS lookup request without a search base\n"));
+        ret = EINVAL;
+        goto done;
+    }
+
     /* create filter */
     state->filter = sdap_sudo_build_filter(state, opts->sudorule_map, sudo_req);
     if (state->filter == NULL) {
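Review bot: The guard reads `state->search_bases`, but its assignment is not in the hunk; confirm it is populated from `opts` before this point in sdap_sudo_load_sudoers_send (the function starts outside the hunk), otherwise the guard always fires. Since the ldap_common.c hunk now lets startup succeed with no SUDO base configured, this check is presumably what keeps the base iteration in sdap_sudo_load_sudoers_next_base from running on a NULL list when discovery also failed; a one-line comment tying the two together would help, e.g. `/* The SUDO base may be unset when RootDSE discovery could not supply one */`.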
@@ -355,6 +362,8 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
 
     /* begin search */
     ret = sdap_sudo_load_sudoers_next_base(req);
+
+done:
     if (ret != EOK) {
         tevent_req_error(req, ret);
         tevent_req_post(req, ev);
-- 
1.7.7.6


