Hi, I wrote the following patches while testing the ipa_server_mode. While the first three are needed fixes, the fourth patch is an improvement which might help to avoid an additional request to the LDAP server.
bye, Sumit
From 416e41b55514b34519fb3b8df91cf26e3e4fca73 Mon Sep 17 00:00:00 2001
From: Sumit Bose <[email protected]>
Date: Tue, 6 Aug 2013 11:10:42 +0200
Subject: [PATCH 1/4] IPA_SERVER_MODE: do not follow AD referrals

As in the plain AD provider we do not want to follow referrals send by AD in the ipa_server_mode.
---
 src/providers/ipa/ipa_subdomains.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 9ded995..abec644 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -127,6 +127,13 @@ ipa_ad_ctx_new(struct be_ctx *be_ctx,
         return ret;
     }
 
+    ret = dp_opt_set_bool(ad_options->id->basic, SDAP_REFERRALS, false);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, ("Cannot set ldap_referrals to false.\n"));
+        talloc_free(ad_options);
+        return ret;
+    }
+
     gc_service_name = talloc_asprintf(ad_options, "%s%s", "gc_", subdom->name);
     if (gc_service_name == NULL) {
         talloc_free(ad_options);
-- 
1.7.7.6
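Review bot: The `dp_opt_set_bool(..., SDAP_REFERRALS, false)` call carries no explanation in the code, and if `ad_options` was populated from sssd.conf before this point (its creation is above the hunk) it silently overrides whatever `ldap_referrals` the operator configured for the trusted domain. A one-line comment above the call would carry the rationale from the commit message and warn about the override: `/* Never chase referrals from the trusted AD domain, as the plain AD provider does; this deliberately overrides any configured ldap_referrals value. */`. Refusing referrals is also the safer default, since a referral can send the lookup to a server the client was never configured to trust, but that reasoning is my inference and not stated in the patch. ipa_ad_ctx_new starts and ends outside the hunk.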
From 3a91d8a5e0141e800bcbbd3d628675a0219000f0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <[email protected]>
Date: Tue, 6 Aug 2013 12:17:39 +0200
Subject: [PATCH 2/4] sdap_add_incomplete_groups: use fully qualified name if needed

For subdomains the group names must be expanded to fully qualified names to be able to find existing groups or properly add new ones.
---
 src/providers/ldap/sdap_async_initgroups.c |   18 ++++++++++++++----
 1 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 02158a6..513de27 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -50,6 +50,7 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
     time_t now;
     char *sid_str;
     bool use_id_mapping;
+    char *tmp_name;
 
     /* There are no groups in LDAP but we should add user to groups ?? */
     if (ldap_groups_count == 0) return EOK;
@@ -65,14 +66,23 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
 
     mi = 0;
     for (i=0; groupnames[i]; i++) {
+        tmp_name = sss_get_domain_name(tmp_ctx, groupnames[i], domain);
+        if (tmp_name == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  ("Failed to format original name [%s]\n", groupnames[i]));
+            ret = ENOMEM;
+            goto done;
+        }
+
         ret = sysdb_search_group_by_name(tmp_ctx, sysdb, domain,
-                                         groupnames[i], NULL, &msg);
+                                         tmp_name, NULL, &msg);
         if (ret == EOK) {
             continue;
         } else if (ret == ENOENT) {
-            DEBUG(7, ("Group #%d [%s] is not cached, need to add a fake entry\n",
-                      i, groupnames[i]));
-            missing[mi] = groupnames[i];
+            missing[mi] = talloc_steal(missing, tmp_name);
+            DEBUG(7, ("Group #%d [%s][%s] is not cached, " \
+                      "need to add a fake entry\n",
+                      i, groupnames[i], missing[mi]));
             mi++;
             continue;
         } else if (ret != ENOENT) {
-- 
1.7.7.6
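Review bot: `missing[]` now holds the fully qualified `tmp_name`, but later in this function (outside the hunk) each `missing[i]` is compared with `strcmp(groupname, missing[i])` against a name derived from the LDAP entry; unless that `groupname` is qualified the same way, subdomain groups never match and no fake entry is written, so please confirm that side is converted too. In the new lines, `ret = ENOMEM` assumes `sss_get_domain_name` returns NULL only on allocation failure, which deserves either a short comment or a different errno if it can also reject malformed names. Since the DEBUG call is rewritten anyway, use the symbolic level like the new call above it, `DEBUG(SSSDBG_TRACE_LIBS, ("Group #%d [%s][%s] is not cached, " \`, and the trailing `else if (ret != ENOENT)` after an `else if (ret == ENOENT)` is always true and reads better as a plain `else`. sdap_add_incomplete_groups continues outside the hunk.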
From f02b4c35751524e43b7a0f01b8e12ee136b5c79e Mon Sep 17 00:00:00 2001
From: Sumit Bose <[email protected]>
Date: Wed, 7 Aug 2013 12:12:48 +0200
Subject: [PATCH 3/4] save_rfc2307bis_user_memberships: use fq names for subdomains

For subdomains the group names must be expanded to fully qualified names to be able to find existing groups or properly add new ones.
---
 src/providers/ldap/sdap_async_initgroups.c |   16 ++++++++++++++++
 1 files changed, 16 insertions(+), 0 deletions(-)

diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 513de27..9a46dc9 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -1984,6 +1984,8 @@ errno_t save_rfc2307bis_user_memberships(
     char **add_groups;
     char **del_groups;
     bool in_transaction = false;
+    size_t c;
+    char *tmp_str;
 
     TALLOC_CTX *tmp_ctx = talloc_new(NULL);
     if(!tmp_ctx) {
@@ -2019,6 +2021,20 @@ errno_t save_rfc2307bis_user_memberships(
         if (ret != EOK) {
             goto error;
         }
+
+        if (IS_SUBDOMAIN(state->dom)) {
+            for (c = 0; ldap_grouplist[c] != NULL; c++) {
+                tmp_str = sss_tc_fqname(ldap_grouplist, state->dom->names,
+                                        state->dom, ldap_grouplist[c]);
+                if (tmp_str == NULL) {
+                    DEBUG(SSSDBG_OP_FAILURE, ("sss_tc_fqname failed.\n"));
+                    ret = ENOMEM;
+                    goto error;
+                }
+                talloc_free(ldap_grouplist[c]);
+                ldap_grouplist[c] = tmp_str;
+            }
+        }
     }
 
     /* Find the differences between the sysdb and ldap lists
-- 
1.7.7.6
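Review bot: The new block rewrites `ldap_grouplist` in place without saying why, and the reason matters for the diff that follows: if the sysdb list holds qualified names for subdomains (as the commit message implies) while the LDAP list is left unqualified, every group would look newly added and every cached membership would look removed. A comment at the top of the block would make this explicit: `/* sysdb stores subdomain group names fully qualified; qualify the LDAP names the same way before diffing the two lists below. */`. The `goto error` on failure leaves the list half-converted, which is harmless only because the whole list is presumably freed with the request, and that is worth a word in the same comment. `c` and `tmp_str` are declared at function scope in the first hunk but used only inside this block, so declaring them here would keep their scope tight. save_rfc2307bis_user_memberships starts and ends outside the hunk.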
From 01118d834438e1935e2e3a47b8adf917757d67df Mon Sep 17 00:00:00 2001
From: Sumit Bose <[email protected]>
Date: Thu, 8 Aug 2013 12:04:11 +0200
Subject: [PATCH 4/4] sysdb_add_incomplete_group: store SID string is available

During initgroups request we read the SID of a group from the server but do not save it to the cache. This patch fixes this and might help to avoid an additional lookup of the SID later.
---
 src/db/sysdb.h                                |    4 ++-
 src/db/sysdb_ops.c                            |    6 +++
 src/providers/ldap/sdap_async_initgroups.c    |   25 +++++++++----
 src/providers/ldap/sdap_async_initgroups_ad.c |    2 +-
 src/tests/sysdb-tests.c                       |   49 +++++++++++++++++++++++--
 5 files changed, 72 insertions(+), 14 deletions(-)

diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 7b02b34..9667900 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -614,7 +614,9 @@ int sysdb_add_incomplete_group(struct sysdb_ctx *sysdb,
                                struct sss_domain_info *domain,
                                const char *name,
                                gid_t gid,
-                               const char *original_dn, bool posix,
+                               const char *original_dn,
+                               const char *sid_str,
+                               bool posix,
                                time_t now);
 
 /* Add netgroup (only basic attrs and w/o checks) */
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index ff8fb00..45f3289 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1409,6 +1409,7 @@ int sysdb_add_incomplete_group(struct sysdb_ctx *sysdb,
                                const char *name,
                                gid_t gid,
                                const char *original_dn,
+                               const char *sid_str,
                                bool posix,
                                time_t now)
 {
@@ -1450,6 +1451,11 @@ int sysdb_add_incomplete_group(struct sysdb_ctx *sysdb,
         if (ret) goto done;
     }
 
+    if (sid_str) {
+        ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, sid_str);
+        if (ret) goto done;
+    }
+
     ret = sysdb_set_group_attr(sysdb, domain, name, attrs, SYSDB_MOD_REP);
 
 done:
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 9a46dc9..aa0ea4c 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
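Review bot: The prototype gains a `sid_str` parameter with nothing saying whether it may be NULL or how it is stored; the `sysdb_ops.c` hunk in this same patch only writes it when non-NULL and does so verbatim, so the contract belongs at the declaration. I would put above the prototype: `/* sid_str is optional (NULL means no SID is known); when given it is stored as-is under SYSDB_SID_STR, so callers must pass a canonical S-1-... string. */`. The NULL call sites in the test changes show the optional case is intended, and since nothing here validates the format, the comment should make the caller responsible for it. The declaration is visible in full in the hunk.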
@@ -48,7 +48,7 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
     bool in_transaction = false;
     bool posix;
     time_t now;
-    char *sid_str;
+    char *sid_str = NULL;
     bool use_id_mapping;
     char *tmp_name;
 
@@ -127,16 +127,24 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
             if (strcmp(groupname, missing[i]) == 0) {
                 posix = true;
 
+                ret = sdap_attrs_get_sid_str(
+                        tmp_ctx, opts->idmap_ctx, ldap_groups[ai],
+                        opts->group_map[SDAP_AT_GROUP_OBJECTSID].sys_name,
+                        &sid_str);
+                if (ret != EOK && ret != ENOENT) goto done;
+
                 if (use_id_mapping) {
+                    if (sid_str == NULL) {
+                        DEBUG(SSSDBG_MINOR_FAILURE, ("No SID for group [%s] " \
+                                                     "while id-mapping.\n",
+                                                     groupname));
+                        ret = EINVAL;
+                        goto done;
+                    }
+
                     DEBUG(SSSDBG_TRACE_LIBS,
                           ("Mapping group [%s] objectSID to unix ID\n", groupname));
 
-                    ret = sdap_attrs_get_sid_str(
-                            tmp_ctx, opts->idmap_ctx, ldap_groups[ai],
-                            opts->group_map[SDAP_AT_GROUP_OBJECTSID].sys_name,
-                            &sid_str);
-                    if (ret != EOK) goto done;
-
                     DEBUG(SSSDBG_TRACE_INTERNAL,
                           ("Group [%s] has objectSID [%s]\n",
                            groupname, sid_str));
@@ -187,7 +195,8 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
             DEBUG(SSSDBG_TRACE_INTERNAL,
                   ("Adding fake group %s to sysdb\n", groupname));
             ret = sysdb_add_incomplete_group(sysdb, domain, groupname, gid,
-                                             original_dn, posix, now);
+                                             original_dn, sid_str, posix,
+                                             now);
             if (ret != EOK) {
                 goto done;
             }
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 8978920..e5649a2 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -496,7 +496,7 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq)
             ret = sysdb_add_incomplete_group(state->sysdb, state->domain,
                                              group_name, gid,
-                                             NULL, false, now);
+                                             NULL, sid_str, false, now);
             if (ret != EOK) {
                 DEBUG(SSSDBG_MINOR_FAILURE,
                       ("Could not create incomplete group: [%s]\n",
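Review bot: `sid_str` is a single function-scope variable (the first hunk only initialises it to NULL at declaration) and the SID lookup now tolerates `ENOENT`, so if `sdap_attrs_get_sid_str` leaves its output untouched when the attribute is absent, a group without objectSID inherits the SID of the previous group in the loop; that stale value is then written to the cache by the `sysdb_add_incomplete_group` call in the third hunk and, under id-mapping, also turned into a GID, which is a cross-group identity mix-up rather than a cosmetic bug. Resetting the pointer per iteration removes any dependence on the helper's behaviour: add `sid_str = NULL;` directly above `ret = sdap_attrs_get_sid_str(`. I cannot see from the hunk whether the helper clears the output on `ENOENT`, so treat this as a cheap defensive fix rather than a confirmed defect. sdap_add_incomplete_groups starts and ends outside the hunk.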
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index a4ca92a..60a20c8 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -271,7 +271,7 @@ static int test_add_incomplete_group(struct test_data *data)
     ret = sysdb_add_incomplete_group(data->ctx->sysdb,
                                      data->ctx->domain,
                                      data->groupname,
-                                     data->gid, NULL, true, 0);
+                                     data->gid, NULL, NULL, true, 0);
     return ret;
 }
 
@@ -3918,7 +3918,7 @@ START_TEST(test_odd_characters)
     /* Add */
     ret = sysdb_add_incomplete_group(test_ctx->sysdb,
                                      test_ctx->domain,
-                                     odd_groupname, 20000, NULL, true, 0);
+                                     odd_groupname, 20000, NULL, NULL, true, 0);
     fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]",
                 ret, strerror(ret));
 
@@ -4446,14 +4446,14 @@ START_TEST(test_sysdb_original_dn_case_insensitive)
     ret = sysdb_add_incomplete_group(test_ctx->sysdb, test_ctx->domain,
                                      "case_sensitive_group1", 29000,
                                      "cn=case_sensitive_group1,cn=example,cn=com",
-                                     true, 0);
+                                     NULL, true, 0);
     fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]",
                 ret, strerror(ret));
 
     ret = sysdb_add_incomplete_group(test_ctx->sysdb, test_ctx->domain,
                                      "case_sensitive_group2", 29001,
                                      "cn=CASE_SENSITIVE_GROUP1,cn=EXAMPLE,cn=COM",
-                                     true, 0);
+                                     NULL, true, 0);
     fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]",
                 ret, strerror(ret));
 
@@ -4475,6 +4475,44 @@ START_TEST(test_sysdb_original_dn_case_insensitive)
 }
 END_TEST
 
+START_TEST(test_sysdb_group_sid_str)
+{
+    errno_t ret;
+    struct sysdb_test_ctx *test_ctx;
+    const char *filter;
+    struct ldb_dn *base_dn;
+    const char *no_attrs[] = { NULL };
+    struct ldb_message **msgs;
+    size_t num_msgs;
+
+    /* Setup */
+    ret = setup_sysdb_tests(&test_ctx);
+    fail_if(ret != EOK, "Could not set up the test");
+
+    ret = sysdb_add_incomplete_group(test_ctx->sysdb, test_ctx->domain,
+                                     "group", 29000,
+                                     "cn=group,cn=example,cn=com",
+                                     "S-1-2-3-4", true, 0);
+    fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]",
+                ret, strerror(ret));
+
+    filter = talloc_asprintf(test_ctx, "%s=%s", SYSDB_SID_STR, "S-1-2-3-4");
+    fail_if(filter == NULL, "Cannot construct filter\n");
+
+    base_dn = sysdb_domain_dn(test_ctx->sysdb, test_ctx, test_ctx->domain);
+    fail_if(base_dn == NULL, "Cannot construct basedn\n");
+
+    ret = sysdb_search_entry(test_ctx, test_ctx->sysdb,
+                             base_dn, LDB_SCOPE_SUBTREE, filter, no_attrs,
+                             &num_msgs, &msgs);
+    fail_unless(ret == EOK, "cache search error [%d][%s]",
+                ret, strerror(ret));
+    fail_unless(num_msgs == 1, "Did not find the expected number of entries using "
+                "SID string search");
+}
+END_TEST
+
+
 START_TEST(test_sysdb_subdomain_create)
 {
     struct sysdb_test_ctx *test_ctx;
@@ -5063,6 +5101,9 @@ Suite *create_sysdb_suite(void)
     /* Test originalDN searches */
     tcase_add_test(tc_sysdb, test_sysdb_original_dn_case_insensitive);
 
+    /* Test SID string group searches */
+    tcase_add_test(tc_sysdb, test_sysdb_group_sid_str);
+
     /* Test user and group renames */
     tcase_add_test(tc_sysdb, test_group_rename);
     tcase_add_test(tc_sysdb, test_user_rename);
-- 
1.7.7.6
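Review bot: The new test only asserts that exactly one entry matches `S-1-2-3-4`, which does not show that the SID filter discriminates — it would pass just as well if the attribute were ignored by the filter and the base had a single group — and it never releases `test_ctx`, which the other START_TEST bodies in this file presumably do (their ends are outside the hunk). Add a second search for a SID that was never stored and expect it to find nothing, then free the context; I am assuming `sysdb_search_entry` reports an empty result as `ENOENT`, which is worth confirming before relying on it. START_TEST(test_sysdb_subdomain_create) begins inside the hunk and ends outside it.
```c
    /* … unchanged: positive search for S-1-2-3-4 and the num_msgs == 1 check … */

    /* A SID that was never stored must not match, otherwise the
     * positive search above proves nothing about the filter. */
    filter = talloc_asprintf(test_ctx, "%s=%s", SYSDB_SID_STR, "S-1-2-3-5");
    fail_if(filter == NULL, "Cannot construct filter\n");

    ret = sysdb_search_entry(test_ctx, test_ctx->sysdb,
                             base_dn, LDB_SCOPE_SUBTREE, filter, no_attrs,
                             &num_msgs, &msgs);
    fail_unless(ret == ENOENT, "unexpected match for unknown SID [%d][%s]",
                ret, strerror(ret));

    talloc_free(test_ctx);
}
END_TEST
```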
