On 09/03/2015 10:08 AM, Sumit Bose wrote:
On Thu, Sep 03, 2015 at 09:54:51AM +0200, Jakub Hrozek wrote:
On Thu, Sep 03, 2015 at 09:31:07AM +0200, Petr Cech wrote:
On 09/03/2015 08:18 AM, Jakub Hrozek wrote:
On Thu, Sep 03, 2015 at 06:15:24AM +0200, Lukas Slebodnik wrote:
On (02/09/15 18:06), Petr Cech wrote:
Hi,

reverting this commit "5e9bc89b28f1ac3ce573ecdece74fe9623580c28" fixed the
problem for me. So is the original commit no longer valid?

I'm a little bit worried about reverting this patch.
Did you test the bug which was fixed by this commit?
@see https://fedorahosted.org/sssd/ticket/1519
Thanks.

Tested. We need both patches (because user groups are in memberOf and host
groups are in orig_memberOf).
Simple, I will do it.

Is it OK that FreeIPA uses two kinds of memberOf?

It does not. In FreeIPA LDAP there should only be memberOf (check it
out with openldap). What is happening is that we internally store IPA's
memberof value as originalMemberOf and our memberof points to cached
objects.

yes and since we (so far) only store POSIX groups (user groups) in the
SSSD cache memberOf will only point to user groups. But as Jakub said
originalMemberOf should contain all memberOf attributes from the
related IPA LDAP object. Hence I would expect that originalMemberOf will
have a complete list of memberships with both user and host groups.

bye,
Sumit
I tried both cases. I used only originalMemberOf and I had the right hostgroups, no user groups. Then I used only memberOf and I had no hostgroups, right user groups.

So I did a little hack, we could use both memberOf. The patch is attached and it works for me.

Petr

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

>From 7ee4be91c40210e6671bb66098936261550e4fef Mon Sep 17 00:00:00 2001
From: Petr Cech <pc...@redhat.com>
Date: Wed, 2 Sep 2015 11:51:12 -0400
Subject: [PATCH] IPA PROVIDER: Resolve nested netgroup membership

Information about usergroup membership is stored in the memberOf
attribute, and information about hostgroup membership is stored
in originalMemberOf.
This patch adds both attributes, memberOf and originalMemberOf,
to the search.

Ticket: https://fedorahosted.org/sssd/ticket/2275
---
 src/providers/ipa/ipa_netgroups.c | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
index db29d29ee8f18d3d963402c4811bdef43bae63dc..07338a6ba94ccdfbe18dc359d8249bf6fd3d05d6 100644
--- a/src/providers/ipa/ipa_netgroups.c
+++ b/src/providers/ipa/ipa_netgroups.c
@@ -704,9 +704,9 @@ struct extract_state {
     int entries_count;
 };
 
-static bool extract_entities(hash_entry_t *entry, void *pvt)
+static bool extract_entity(hash_entry_t *entry, const char* attr, void *pvt)
 {
-    int i, ret;
+    int ret;
     struct extract_state *state;
     struct sysdb_attrs *member;
     struct ldb_message_element *el;
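
Review bot: In the new extract_entity() signature, `const char* attr` attaches the asterisk to the type, while the other parameters on the same line (`hash_entry_t *entry`, `void *pvt`) and the declarations just below attach it to the name; write `const char *attr` to stay consistent. Since the function no longer fixes the attribute it searches, a short comment saying that attr is the sysdb attribute whose values are compared against state->group would help the next reader.
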
@@ -715,22 +715,25 @@ static bool extract_entities(hash_entry_t *entry, void *pvt)
     state = talloc_get_type(pvt, struct extract_state);
     member = talloc_get_type(entry->value.ptr, struct sysdb_attrs);
 
-    ret = sysdb_attrs_get_el(member, SYSDB_ORIG_MEMBEROF, &el);
-    if (ret != EOK) return false;
+    ret = sysdb_attrs_get_el(member, attr, &el);
+    if (ret != EOK) {
+        return false;
+    }
 
     ret = sysdb_attrs_get_el(member, SYSDB_NAME, &name_el);
     if (ret != EOK || name_el == NULL || name_el->num_values == 0) {
         return false;
     }
 
-    for (i = 0; i < el->num_values; i++) {
-        if (strcmp((char *)el->values[i].data, state->group) == 0) {
-
-            state->entries = talloc_realloc(state, state->entries, const char *,
+    for (int j = 0; j < el->num_values; j++) {
+        if (strcmp((char *)el->values[j].data, state->group) == 0) {
+            state->entries = talloc_realloc(state, state->entries,
+                                            const char *,
                                             state->entries_count + 1);
             if (state->entries == NULL) {
                 return false;
             }
+
             state->entries[state->entries_count] = (char *)name_el->values[0].data;
             state->entries_count++;
             break;
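
Review bot: The rewritten loop `for (int j = 0; j < el->num_values; j++)` declares its counter inside the for statement, whereas the removed code declared `int i` at the top of the function next to `ret`; keeping the declaration at the top matches the surrounding declarations and does not depend on the compiler being in C99 mode. Renaming the counter from i to j is not needed for the change and only makes the hunk larger, so the original name could stay.
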
@@ -740,6 +743,17 @@ static bool extract_entities(hash_entry_t *entry, void *pvt)
     return true;
 }
 
+static bool extract_entities(hash_entry_t *entry, void *pvt)
+{
+    bool ret1 = false;
+    bool ret2 = false;
+
+    ret1 = extract_entity(entry, SYSDB_ORIG_MEMBEROF, pvt);
+    ret2 = extract_entity(entry, SYSDB_MEMBEROF, pvt);
+
+    return ret1 || ret2;
+}
+
 static int extract_members(TALLOC_CTX *mem_ctx,
                            struct sysdb_attrs *netgroup,
                            const char *member_type,
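
Review bot: In extract_entities(), `return ret1 || ret2;` hides a failure in one call whenever the other succeeds: extract_entity() returns false when talloc_realloc() fails and leaves state->entries NULL, yet the second call still runs on that state and the wrapper can return true. The same wrapper also appends an entry's name to state->entries twice when both SYSDB_ORIG_MEMBEROF and SYSDB_MEMBEROF contain state->group, because each call matches independently. Consider skipping the second lookup once the first has matched, and returning a result that distinguishes a missing attribute from an allocation failure.
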
-- 
2.4.3
