On (15/07/15 21:11), Jakub Hrozek wrote:
>On Wed, Jul 15, 2015 at 07:27:08PM +0200, Lukas Slebodnik wrote:
>> On (15/07/15 10:34), Sumit Bose wrote:
>> >On Tue, Jul 14, 2015 at 04:33:58PM +0200, Lukas Slebodnik wrote:
>> >> On (14/07/15 15:02), Sumit Bose wrote:
>> >> >Hi,
>> >> >
>> >> >this patch should fix https://fedorahosted.org/sssd/ticket/2717 .
>> >> >
>> >> >As you can see I added a new entry ipa_ad_default_names to the global
>> >> >nss context so that the regular expression string is only evaluated
>> >> >once. Since it is currently only used in
>> >> >nss_check_name_of_well_known_sid() I do the initialization here to avoid
>> >> >initialization when it is not needed. If you think this is too risky in
>> >> >future I'm fine with moving the initialization to the general
>> >> >initialization of the nss context.
>> >> >
>> >> >bye,
>> >> >Sumit
>> >> 
>> >> >From 1ff1e1f5fb57dd7e1fa85eb758b8769dfb1260d0 Mon Sep 17 00:00:00 2001
>> >> >From: Sumit Bose <sb...@redhat.com>
>> >> >Date: Tue, 14 Jul 2015 14:41:34 +0200
>> >> >Subject: [PATCH] nss_check_name_of_well_known_sid() improve name 
>> >> >splitting
>> >> >
>> >> >Currently in the default configuration
>> >> >nss_check_name_of_well_known_sid() can only split fully-qualified names
>> >> >in the u...@domain.name style. DOM\user style names will cause an error
>> >> >and terminate the whole request.
>> >> >
>> >> >With this patch both styles can be handled by default, additionally if
>> >> >the name could not be split nss_check_name_of_well_known_sid() returns
>> >> >ENOENT which can be handled more gracefully by the caller.
>> >> >
>> >> >Resolves https://fedorahosted.org/sssd/ticket/2717
>> >> >---
>> >> > src/responder/nss/nsssrv.h      |  1 +
>> >> > src/responder/nss/nsssrv_cmd.c  | 32 ++++++++++++++-
>> >> > src/tests/cmocka/test_nss_srv.c | 90 
>> >> > ++++++++++++++++++++++++-----------------
>> >> > src/util/usertools.c            |  7 ++++
>> >> > src/util/util.h                 |  3 ++
>> >> > 5 files changed, 94 insertions(+), 39 deletions(-)
>> >> >
>> >> >diff --git a/src/responder/nss/nsssrv.h b/src/responder/nss/nsssrv.h
>> >> >index 
>> >> >e293e3b4d03582abf6abf07cce61d3b6fdebfcae..6a77f9f1179e0bb2353a01edf14a27e576eba481
>> >> > 100644
>> >> >--- a/src/responder/nss/nsssrv.h
>> >> >+++ b/src/responder/nss/nsssrv.h
>> >> >@@ -76,6 +76,7 @@ struct nss_ctx {
>> >> > 
>> >> >     struct sss_idmap_ctx *idmap_ctx;
>> >> >     struct sss_names_ctx *global_names;
>> >> >+    struct sss_names_ctx *ipa_ad_default_names;
>> >> > 
>> >> >     const char **extra_attributes;
>> >> > };
>> >> >diff --git a/src/responder/nss/nsssrv_cmd.c 
>> >> >b/src/responder/nss/nsssrv_cmd.c
>> >> >index 
>> >> >0129467302f16af318bbbb0a5be47ff2e235da65..eb550cd007cfb6fac0271b7de211285b6cebfdef
>> >> > 100644
>> >> >--- a/src/responder/nss/nsssrv_cmd.c
>> >> >+++ b/src/responder/nss/nsssrv_cmd.c
>> >> >@@ -1248,13 +1248,43 @@ static int 
>> >> >nss_check_name_of_well_known_sid(struct nss_cmd_ctx *cmdctx,
>> >> >     size_t pctr = 0;
>> >> > 
>> >> >     nss_ctx = talloc_get_type(cmdctx->cctx->rctx->pvt_ctx, struct 
>> >> > nss_ctx);
>> >> >-    ret = sss_parse_name(cmdctx, nss_ctx->global_names, full_name,
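Review bot: the removed sss_parse_name() call passes cmdctx as its memory context, and that matters for whatever replaces it. If the replacement creates ipa_ad_default_names on first use, parent the new names context to nss_ctx rather than cmdctx, so the pointer cached in struct nss_ctx is not freed along with the command context, and check the result of that initialization before passing it to sss_parse_name().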
>> >> nss_ctx->global_names is used just in two functions
>> >>   nss_check_name_of_well_known_sid
>> >>   nss_check_well_known_sid
>> >> 
>> >> All SID related functions should be used with AD.
>> >> I would prefer to directly change the default to the IPA/AD regex for
>> >> global_names.
>> >
>> >Thank you for checking the usage of global_names, I should have checked
>> >it myself. You are right, I updated the patch accordingly.
>> >
>> >> 
>> >> Or alternatively iterate over all domains and use their regexes.
>> >> In theory, someone can use an alternative regex
>> >> "(?P<name>[^@]+)&(?P<domain>.+$)"
>> >> and you will not be able to parse it with the default ipa ad regex.
>> >
>> >In this case the regex can be set in the [sssd] section to set
>> >global_names accordingly.
>> >
>> 
>> >From 4c41bb30206f4c7e1305f19f02b84d780814c099 Mon Sep 17 00:00:00 2001
>> >From: Sumit Bose <sb...@redhat.com>
>> >Date: Tue, 14 Jul 2015 14:41:34 +0200
>> >Subject: [PATCH] nss_check_name_of_well_known_sid() improve name splitting
>> >
>> >Currently in the default configuration
>> >nss_check_name_of_well_known_sid() can only split fully-qualified names
>> >in the u...@domain.name style. DOM\user style names will cause an error
>> >and terminate the whole request.
>> >
>> >With this patch both styles can be handled by default, additionally if
>> >the name could not be split nss_check_name_of_well_known_sid() returns
>> >ENOENT which can be handled more gracefully by the caller.
>> >
>> >Resolves https://fedorahosted.org/sssd/ticket/2717
>> 
>> Alexander's use-case is fixed and the code is much simpler.
>> 
>>   [root@host sssd]# rpm -q python-libsss_nss_idmap
>>   python-libsss_nss_idmap-1.13.1-0.20150715.1247.git66d99f6.el7.x86_64
>>   
>>   Python 2.7.5 (default, Jul  8 2015, 05:01:23)
>>   [GCC 4.8.3 20140911 (Red Hat 4.8.3-9)] on linux2
>>   Type "help", "copyright", "credits" or "license" for more information.
>>   >>> import pysss_nss_idmap
>>   >>> pysss_nss_idmap.getsidbyname('user1_dom1-20...@sssdad.com')
>>   {'user1_dom1-20...@sssdad.com': {'type': 1, 'sid': u'S-1-5-21-1305200397-2901131868-73388776-21064'}}
>>   >>> pysss_nss_idmap.getsidbyname('sssdad.com\\user1_dom1-20549')
>>   {'sssdad.com\\user1_dom1-20549': {'type': 1, 'sid': u'S-1-5-21-1305200397-2901131868-73388776-21064'}}
>>   >>> pysss_nss_idmap.getsidbyname('sssdad.com\user1_dom1-20549')
>>   {'sssdad.com\\user1_dom1-20549': {'type': 1, 'sid': u'S-1-5-21-1305200397-2901131868-73388776-21064'}}
>>   >>>
>> 
>> Functional ACK
>> 
>> I just want to be sure that other developers agree with changing
>> the default regex.
>
>I'm fine with it. 
>
>I'll push the patch tomorrow unless there's any opposition.
>
Actually,
I found out that changing the default for the ldap provider caused
a regression for upstream ticket #2163. I have already sent a test for
ticket #2163.

LS
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
