Hello, please see attached patches.
Regards, Pavel Reichl
>From b0bb8006c024046ae3aca2f5837489cd12fe2cd7 Mon Sep 17 00:00:00 2001 From: Pavel Reichl <prei...@redhat.com> Date: Wed, 16 Jul 2014 13:33:58 +0100 Subject: [PATCH 1/2] IPA: new attribute map for non-posix groups Create new set of attributes to be used when processing non-posix groups. Resolves: https://fedorahosted.org/sssd/ticket/2343 --- src/providers/ipa/ipa_common.c | 9 +++++++++ src/providers/ipa/ipa_opts.h | 8 ++++++++ src/providers/ldap/ldap_id.c | 8 +++++++- src/providers/ldap/sdap.h | 11 +++++++++++ src/providers/ldap/sdap_async.h | 3 ++- src/providers/ldap/sdap_async_initgroups.c | 12 +++++++++--- 6 files changed, 46 insertions(+), 5 deletions(-) diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index f594de27a65ab1ff702d0c593a57e89bfd469532..54d0ecf3b5fa58f4bcf2ec144ecad578bf9c894b 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -568,6 +568,15 @@ int ipa_get_id_options(struct ipa_options *ipa_opts, ret = sdap_get_map(ipa_opts->id, cdb, conf_path, + ipa_np_group_map, + SDAP_OPTS_NP_GROUP, + &ipa_opts->id->np_group_map); + if (ret != EOK) { + goto done; + } + + ret = sdap_get_map(ipa_opts->id, + cdb, conf_path, ipa_netgroup_map, IPA_OPTS_NETGROUP, &ipa_opts->id->netgroup_map); diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h index d7c2b189fad57cb60c29b56c5e351a46070349e2..4dd4077544cb9cd0ae26b14d5eb51cc7f89dfe84 100644 --- a/src/providers/ipa/ipa_opts.h +++ b/src/providers/ipa/ipa_opts.h 
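Review bot: The new `sdap_get_map(ipa_opts->id, cdb, conf_path, ipa_np_group_map, SDAP_OPTS_NP_GROUP, &ipa_opts->id->np_group_map)` call reads its overrides under the same option names the posix group map uses (`ldap_group_object_class`, `ldap_group_name`, `ldap_group_member`, per the map added in ipa_opts.h). If sdap_get_map honours the first field of each entry as the sssd.conf key, as it does for ipa_group_map, an administrator overriding `ldap_group_object_class` would silently rewrite the non-posix object class too and collapse the distinction this series introduces. Either give the map its own keys (e.g. `ldap_np_group_object_class`) or add a comment above the call stating that the keys are intentionally shared. ipa_get_id_options begins before the hunk and its `done:` error path is outside it.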
@@ -217,6 +217,14 @@ struct sdap_attr_map ipa_group_map[] = { SDAP_ATTR_MAP_TERMINATOR }; +/* map for non-posix groups */ +struct sdap_attr_map ipa_np_group_map[] = { + { "ldap_group_object_class", "nestedgroup", SYSDB_GROUP_CLASS, NULL }, + { "ldap_group_name", "cn", SYSDB_NAME, NULL }, + { "ldap_group_member", "member", SYSDB_MEMBER, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + struct sdap_attr_map ipa_netgroup_map[] = { { "ipa_netgroup_object_class", "ipaNisNetgroup", SYSDB_NETGROUP_CLASS, NULL }, { "ipa_netgroup_name", "cn", SYSDB_NAME, NULL }, diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index c788b6bdd6235f5b940d99382b115a2534dbb1d9..e164cde4cd551b80b95edaed477ca64bf3ea0011 100644 --- a/src/providers/ldap/ldap_id.c +++ b/src/providers/ldap/ldap_id.c @@ -919,6 +919,7 @@ struct groups_by_user_state { const char *name; const char **attrs; + const char **np_attrs; int dp_error; int sdap_ret; @@ -966,6 +967,10 @@ static struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx, NULL, &state->attrs, NULL); if (ret != EOK) goto fail; + ret = build_attrs_from_map(state, ctx->opts->np_group_map, SDAP_OPTS_NP_GROUP, + NULL, &state->np_attrs, NULL); + if (ret != EOK) goto fail; + ret = groups_by_user_retry(req); if (ret != EOK) { goto fail; @@ -1020,7 +1025,8 @@ static void groups_by_user_connect_done(struct tevent_req *subreq) state->ctx, state->conn, state->name, - state->attrs); + state->attrs, + state->np_attrs); if (!subreq) { tevent_req_error(req, ENOMEM); return; diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index 87f2131ae6e8eea68e4db81b7de6e70a4c0636a7..397e0d6875ddd8977fc29dcdb02d3987bf3ef1ec 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h 
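Review bot: In the ldap_id.c hunk, groups_by_user_send now calls `build_attrs_from_map(state, ctx->opts->np_group_map, SDAP_OPTS_NP_GROUP, NULL, &state->np_attrs, NULL)` unconditionally, but in this series np_group_map is populated only by ipa_get_id_options in ipa_common.c; the plain LDAP and AD id providers share ldap_id.c and would leave the pointer NULL. Unless build_attrs_from_map tolerates a NULL map, that is a NULL dereference on every initgroups request in those providers. Either populate the map in the generic LDAP/AD option setup as well, or guard the call with `if (ctx->opts->np_group_map != NULL) { ... }` and let state->np_attrs stay NULL for them. groups_by_user_send starts before the hunk, and its callers of sdap_get_initgr_send will need the same NULL-tolerance downstream.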
@@ -304,6 +304,16 @@ enum sdap_group_attrs { SDAP_OPTS_GROUP /* attrs counter */ }; +/* the objectclass must be the first attribute. + * Functions depend on this */ +enum sdap_np_group_attrs { + SDAP_OC_NP_GROUP = 0, + SDAP_AT_NP_GROUP_NAME, + SDAP_AT_NP_GROUP_MEMBER, + + SDAP_OPTS_NP_GROUP /* attrs counter */ +}; + enum sdap_netgroup_attrs { SDAP_OC_NETGROUP = 0, SDAP_AT_NETGROUP_NAME, @@ -416,6 +426,7 @@ struct sdap_options { struct sdap_attr_map *user_map; size_t user_map_cnt; struct sdap_attr_map *group_map; + struct sdap_attr_map *np_group_map; struct sdap_attr_map *netgroup_map; struct sdap_attr_map *service_map; diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h index 808254a249a3758d3f2ac257b7701c3b73526047..2ed7cb7ea38ff8a6108b5470b5b720e63c218eb5 100644 --- a/src/providers/ldap/sdap_async.h +++ b/src/providers/ldap/sdap_async.h @@ -134,7 +134,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, struct sdap_id_ctx *id_ctx, struct sdap_id_conn_ctx *conn, const char *name, - const char **grp_attrs); + const char **grp_attrs, + const char **np_grp_attrs); int sdap_get_initgr_recv(struct tevent_req *req); struct tevent_req *sdap_exop_modify_passwd_send(TALLOC_CTX *memctx, diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index c7169dda7ee0b31e10e9910779be67cdd3cd802e..e3ea3452617a4624343292f2af6820c5e3953357 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c @@ -706,6 +706,7 @@ struct sdap_initgr_nested_state { const char *orig_dn; const char **grp_attrs; + const char **np_grp_attrs; struct ldb_message_element *memberof; char *filter; 
@@ -729,7 +730,8 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx, struct sss_domain_info *dom, struct sdap_handle *sh, struct sysdb_attrs *user, - const char **grp_attrs) + const char **grp_attrs, + const char **np_grp_attrs) { struct tevent_req *req; struct sdap_initgr_nested_state *state; @@ -2605,6 +2607,7 @@ struct sdap_get_initgr_state { struct sdap_id_conn_ctx *conn; const char *name; const char **grp_attrs; + const char **np_grp_attrs; const char **user_attrs; char *user_base_filter; char *filter; @@ -2629,7 +2632,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, struct sdap_id_ctx *id_ctx, struct sdap_id_conn_ctx *conn, const char *name, - const char **grp_attrs) + const char **grp_attrs, + const char **np_grp_attrs) { struct tevent_req *req; struct sdap_get_initgr_state *state; @@ -2964,9 +2968,11 @@ static void sdap_get_initgr_user(struct tevent_req *subreq) break; case SDAP_SCHEMA_IPA_V1: + subreq = sdap_initgr_nested_send(state, state->ev, state->opts, state->sysdb, state->dom, state->sh, - state->orig_user, state->grp_attrs); + state->orig_user, state->grp_attrs, + state->np_grp_attrs); if (!subreq) { tevent_req_error(req, ENOMEM); return; -- 1.9.3
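Review bot: A stray blank line is added right after `case SDAP_SCHEMA_IPA_V1:` in sdap_get_initgr_user; it should be dropped so the label reads like the neighbouring cases. In this patch sdap_initgr_nested_send accepts `np_grp_attrs` but does not store it (the assignment only arrives in 2/2), so patch 1 on its own carries an unused parameter; a one-line comment `/* stored in state by a follow-up commit */` or squashing the assignment into this patch would keep each commit self-explanatory. Both sdap_initgr_nested_send and sdap_get_initgr_user continue outside the hunk.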
>From 2fe984818964cafcbd43c26d274e916edb39cc53 Mon Sep 17 00:00:00 2001 From: Pavel Reichl <prei...@redhat.com> Date: Wed, 16 Jul 2014 13:52:43 +0100 Subject: [PATCH 2/2] IPA: process non-posix nested groups If an object can't be resolved as a posix group we then try to resolve it as a non-posix (without the gid attribute) nested group and store it as a group stub into the sysdb. The purpose is to be able to resolve nested posix groups which are members of non-posix groups. Resolves: https://fedorahosted.org/sssd/ticket/2343 --- src/providers/ldap/sdap_async_initgroups.c | 54 ++++++++++++++++++++++++++++-- 1 file changed, 51 insertions(+), 3 deletions(-) diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index e3ea3452617a4624343292f2af6820c5e3953357..775394fb1e4b48795922c32563db1c3502ef3c44 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c @@ -710,6 +710,7 @@ struct sdap_initgr_nested_state { struct ldb_message_element *memberof; char *filter; + char *np_grp_filter; char **group_dns; int cur; @@ -717,6 +718,8 @@ struct sdap_initgr_nested_state { struct sysdb_attrs **groups; int groups_cur; + + bool try_as_non_posix; }; static errno_t sdap_initgr_nested_deref_search(struct tevent_req *req); @@ -747,6 +750,9 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx, state->dom = dom; state->sh = sh; state->grp_attrs = grp_attrs; + state->np_grp_attrs = np_grp_attrs; + state->try_as_non_posix = false; + state->user = user; state->op = NULL; 
@@ -832,6 +838,15 @@ static errno_t sdap_initgr_nested_noderef_search(struct tevent_req *req) return ENOMEM; } + state->np_grp_filter = talloc_asprintf( + state,"(&(objectclass=%s)(%s=*))", + state->opts->np_group_map[SDAP_OC_NP_GROUP].name, + state->opts->np_group_map[SDAP_AT_NP_GROUP_NAME].name); + + if (state->np_grp_filter == NULL) { + return ENOMEM; + } + subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, state->group_dns[state->cur], LDAP_SCOPE_BASE, @@ -962,9 +977,40 @@ static void sdap_initgr_nested_search(struct tevent_req *subreq) groups[0]); state->groups_cur++; } else { - DEBUG(SSSDBG_OP_FAILURE, - "Search for group %s, returned %zu results. Skipping\n", - state->group_dns[state->cur], count); + if (state->try_as_non_posix || count != 0) { + /* We can't get the group as posix nor non-posix. Succumb on + * this one and try to continue with another. + */ + DEBUG(SSSDBG_OP_FAILURE, + "Search for group %s, returned %zu results. Skipping\n", + state->group_dns[state->cur], count); + } else { + /* Try to get the group as non-posix. */ + state->try_as_non_posix = true; + + DEBUG(SSSDBG_OP_FAILURE, + "Search for group %s, returned %zu results. " + "Trying to get it as non-posix\n", + state->group_dns[state->cur], count); + + subreq = sdap_get_generic_send(state, state->ev, + state->opts, state->sh, + state->group_dns[state->cur], + LDAP_SCOPE_BASE, + state->np_grp_filter, + state->np_grp_attrs, + state->opts->np_group_map, + SDAP_OPTS_NP_GROUP, + dp_opt_get_int(state->opts->basic, + SDAP_SEARCH_TIMEOUT), + false); + if (!subreq) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, sdap_initgr_nested_search, req); + return; + } } state->cur++; 
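Review bot: The non-posix retry feeds its result back through the accept branch just above the hunk (`state->groups[state->groups_cur] = groups[0]`), so an object matched by `(&(objectclass=nestedgroup)(cn=*))` enters state->groups with no gidNumber, and whatever later saves state->groups (outside this hunk) must now explicitly handle a group without a gid rather than rely on the posix map's defaults; a comment at the accept site saying `/* may be a non-posix stub without gidNumber */` would make that contract visible. The "Trying to get it as non-posix" message records an expected path, so it belongs at SSSDBG_TRACE_FUNC rather than SSSDBG_OP_FAILURE. Minor: `talloc_asprintf(state,"(&(objectclass=%s)(%s=*))"` is missing the space after the comma. sdap_initgr_nested_search begins and ends outside the hunk.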
@@ -972,6 +1018,7 @@ static void sdap_initgr_nested_search(struct tevent_req *subreq) * memberOf which might not be only groups, but permissions, etc. * Use state->groups_cur for group index cap */ if (state->cur < state->memberof->num_values) { + state->try_as_non_posix = false; subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, state->group_dns[state->cur], @@ -2656,6 +2703,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, state->conn = conn; state->name = name; state->grp_attrs = grp_attrs; + state->np_grp_attrs = np_grp_attrs; state->orig_user = NULL; state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT); state->user_base_iter = 0; -- 1.9.3