On 03/11/2016 11:03 AM, Jakub Hrozek wrote:
On Fri, Mar 04, 2016 at 02:00:57PM +0100, Pavel Březina wrote:
https://fedorahosted.org/sssd/ticket/2969
I'm sorry, but I still can't use sudo with IPA 3.x server:
(Fri Mar 11 10:01:02 2016) [sssd[be[obsolete.test]]] [ipa_sudo_fetch_cmds]
(0x0400): About to fetch sudo commands
(Fri Mar 11 10:01:16 2016) [sssd[be[obsolete.test]]] [build_filter] (0x0020):
Unable to get member
sudocmd=/usr/bin/less,cn=sudocmds,cn=sudo,dc=obsolete,dc=test [2]: No such file
or directory
(Fri Mar 11 10:01:21 2016) [sssd[be[obsolete.test]]] [ipa_sudo_fetch_cmds]
(0x0020): Unable to build filter
(Fri Mar 11 10:01:21 2016) [sssd[be[obsolete.test]]] [sdap_id_op_done]
(0x4000): releasing operation connection
(Fri Mar 11 10:01:21 2016) [sssd[be[obsolete.test]]] [be_ptask_done] (0x0040):
Task [SUDO Full Refresh]: failed with [12]: Cannot allocate memory
This is the backtrace:
Breakpoint 1, _ipa_get_rdn (mem_ctx=0x0, sysdb=0x19c8120, obj_dn=
0x1a155b0 "sudocmd=/usr/bin/less,cn=sudocmds,cn=sudo,dc=obsolete,dc=test",
_rdn_val=0x0, rdn_attr=
0x19f7cf0 "cn") at /sssd/src/providers/ipa/ipa_dn.c:108
108 dn = ldb_dn_new(mem_ctx, sysdb_ctx_get_ldb(sysdb), obj_dn);
(gdb) bt
#0 _ipa_get_rdn (mem_ctx=0x0, sysdb=0x19c8120, obj_dn=
0x1a155b0 "sudocmd=/usr/bin/less,cn=sudocmds,cn=sudo,dc=obsolete,dc=test",
_rdn_val=0x0, rdn_attr=
0x19f7cf0 "cn") at /sssd/src/providers/ipa/ipa_dn.c:108
#1 0x00007fe5c7bd17f4 in is_ipacmdgroup (conv=0x1a16730, dn=
0x1a155b0 "sudocmd=/usr/bin/less,cn=sudocmds,cn=sudo,dc=obsolete,dc=test")
at /sssd/src/providers/ipa/ipa_sudo_conversion.c:192
#2 0x00007fe5c7bd19bf in process_rulemember (mem_ctx=0x1a13c60,
conv=0x1a16730, rulemember=0x1a13c68,
rule=0x1a29c60, attr=0x7fe5c7bf39e2 "memberAllowCmd")
at /sssd/src/providers/ipa/ipa_sudo_conversion.c:242
#3 0x00007fe5c7bd1c69 in process_allowcmd (conv=0x1a16730, rule=0x1a13c60)
at /sssd/src/providers/ipa/ipa_sudo_conversion.c:278
#4 0x00007fe5c7bd2375 in ipa_sudo_conv_rules (conv=0x1a16730, rules=0x1a2af80,
num_rules=1)
at /sssd/src/providers/ipa/ipa_sudo_conversion.c:432
#5 0x00007fe5c7bd5ce0 in ipa_sudo_fetch_rules_done (subreq=0x0)
at /sssd/src/providers/ipa/ipa_sudo_async.c:614
#6 0x00007fe5c72d6e11 in sdap_search_bases_done (subreq=0x0)
at /sssd/src/providers/ldap/sdap_ops.c:210
#7 0x00007fe5c729ce8b in sdap_get_generic_done (subreq=0x1a2b220)
at /sssd/src/providers/ldap/sdap_async.c:1851
#8 0x00007fe5c729c867 in generic_ext_search_handler (subreq=0x0,
opts=0x19ec370)
at /sssd/src/providers/ldap/sdap_async.c:1668
#9 0x00007fe5c729cbf7 in sdap_get_and_parse_generic_done (subreq=0x1a2b3a0)
at /sssd/src/providers/ldap/sdap_async.c:1776
#10 0x00007fe5c729c554 in sdap_get_generic_op_finished (op=0x1a2aec0,
reply=0x1a1e090, error=0, pvt=
0x1a2b3a0) at /sssd/src/providers/ldap/sdap_async.c:1603
#11 0x00007fe5c7298688 in sdap_process_message (ev=0x19c0590, sh=0x1a06af0,
msg=0x1a15610)
at /sssd/src/providers/ldap/sdap_async.c:352
---Type <return> to continue, or q <return> to quit---
#12 0x00007fe5c72981f4 in sdap_process_result (ev=0x19c0590, pvt=0x1a06af0)
at /sssd/src/providers/ldap/sdap_async.c:196
#13 0x00007fe5c7297eb2 in sdap_ldap_next_result (ev=0x19c0590, te=0x1a436e0,
tv=..., pvt=0x1a06af0)
at /sssd/src/providers/ldap/sdap_async.c:144
#14 0x00007fe5d08a3c91 in tevent_common_loop_timer_delay () from
/usr/lib64/libtevent.so.0
#15 0x00007fe5d08a4cbb in ?? () from /usr/lib64/libtevent.so.0
#16 0x00007fe5d08a32e6 in ?? () from /usr/lib64/libtevent.so.0
#17 0x00007fe5d089f49d in _tevent_loop_once () from /usr/lib64/libtevent.so.0
#18 0x00007fe5d089f51b in tevent_common_loop_wait () from
/usr/lib64/libtevent.so.0
#19 0x00007fe5d08a3256 in ?? () from /usr/lib64/libtevent.so.0
#20 0x00007fe5d43bdee6 in server_loop (main_ctx=0x19c1900) at
/sssd/src/util/server.c:673
#21 0x000000000040e3b8 in main (argc=8, argv=0x7ffca1affb68)
at /sssd/src/providers/data_provider_be.c:2829
(gdb) n
109 if (dn == NULL) {
(gdb)
113 va_start(ap, rdn_attr);
(gdb)
114 bret = check_dn(dn, rdn_attr, ap);
(gdb)
116 if (bret == false) {
(gdb)
117 ret = ENOENT;
(gdb) n
118 goto done;
Please let me know if you want access to an IPA 3.x server so you can test
the patch yourself.
Should have read the logs to the end, sorry about that. See the new patches.
From 7ee0732bfdb103f420708f7e79cd45f83941c8e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Fri, 4 Mar 2016 10:40:21 +0100
Subject: [PATCH 1/3] IPA SUDO: fix typo
---
src/providers/ipa/ipa_sudo_conversion.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
index ff63551c045003bc81c440ee63aeb28f3fe06647..84de01e622d611d4fee9f9b12e3147d54654626b 100644
--- a/src/providers/ipa/ipa_sudo_conversion.c
+++ b/src/providers/ipa/ipa_sudo_conversion.c
@@ -228,7 +228,7 @@ process_rulemember(TALLOC_CTX *mem_ctx,
ret = store_rulemember(mem_ctx, &rulemember->cmds,
conv->cmds, members[i]);
if (ret == EOK) {
- DEBUG(SSSDBG_TRACE_INTERNAL, "Found sudo command group %s\n",
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found sudo command %s\n",
members[i]);
} else if (ret != EEXIST) {
goto done;
--
2.1.0
From 496be6398156a801afebf5631d95876c1c8d06f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Fri, 4 Mar 2016 11:01:35 +0100
Subject: [PATCH 2/3] IPA SUDO: support old ipasudocmd rdn
In FreeIPA versions older than 3.1, sudocmd entries use sudoCmd as the RDN attribute instead of ipaUniqueID, so the member DNs in sudo rules must be recognised and queried by either form.
Resolves:
https://fedorahosted.org/sssd/ticket/2969
---
src/providers/ipa/ipa_sudo_conversion.c | 125 ++++++++++++++++++++++++++------
1 file changed, 103 insertions(+), 22 deletions(-)
diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
index 84de01e622d611d4fee9f9b12e3147d54654626b..278fee600369e3002cc177313c1ce9f6131c08f7 100644
--- a/src/providers/ipa/ipa_sudo_conversion.c
+++ b/src/providers/ipa/ipa_sudo_conversion.c
@@ -38,8 +38,8 @@
#define MATCHDN_CMDGROUPS MATCHDN(SUDO_DN_CMDGROUPS)
#define MATCHDN_CMDS MATCHDN(SUDO_DN_CMDS)
-#define MATCHRDN_CMDGROUPS(map) (map)[IPA_AT_SUDOCMDGROUP_NAME].name, MATCHDN_CMDGROUPS
-#define MATCHRDN_CMDS(map) (map)[IPA_AT_SUDOCMD_UUID].name, MATCHDN_CMDS
+#define MATCHRDN_CMDGROUPS(map) (map)[IPA_AT_SUDOCMDGROUP_NAME].name, MATCHDN_CMDGROUPS
+#define MATCHRDN_CMDS(attr, map) (map)[attr].name, MATCHDN_CMDS
#define MATCHRDN_USER(map) (map)[SDAP_AT_USER_NAME].name, "cn", "users", "cn", "accounts"
#define MATCHRDN_GROUP(map) (map)[SDAP_AT_GROUP_NAME].name, "cn", "groups", "cn", "accounts"
@@ -187,6 +187,32 @@ done:
return ret;
}
+static bool is_ipacmdgroup(struct ipa_sudo_conv *conv, const char *dn)
+{
+ if (ipa_check_rdn_bool(conv->sysdb, dn,
+ MATCHRDN_CMDGROUPS(conv->map_cmdgroup))) {
+ return true;
+ }
+
+ return false;
+}
+
+static bool is_ipacmd(struct ipa_sudo_conv *conv, const char *dn)
+{
+ if (ipa_check_rdn_bool(conv->sysdb, dn,
+ MATCHRDN_CMDS(IPA_AT_SUDOCMD_UUID, conv->map_cmd))) {
+ return true;
+ }
+
+ /* For older versions of FreeIPA than 3.1. */
+ if (ipa_check_rdn_bool(conv->sysdb, dn,
+ MATCHRDN_CMDS(IPA_AT_SUDOCMD_CMD, conv->map_cmd))) {
+ return true;
+ }
+
+ return false;
+}
+
static errno_t
process_rulemember(TALLOC_CTX *mem_ctx,
struct ipa_sudo_conv *conv,
@@ -213,8 +239,7 @@ process_rulemember(TALLOC_CTX *mem_ctx,
}
for (i = 0; members[i] != NULL; i++) {
- if (ipa_check_rdn_bool(conv->sysdb, members[i],
- MATCHRDN_CMDGROUPS(conv->map_cmdgroup))) {
+ if (is_ipacmdgroup(conv, members[i])) {
ret = store_rulemember(mem_ctx, &rulemember->cmdgroups,
conv->cmdgroups, members[i]);
if (ret == EOK) {
@@ -223,8 +248,7 @@ process_rulemember(TALLOC_CTX *mem_ctx,
} else if (ret != EEXIST) {
goto done;
}
- } else if (ipa_check_rdn_bool(conv->sysdb, members[i],
- MATCHRDN_CMDS(conv->map_cmd))) {
+ } else if (is_ipacmd(conv, members[i])) {
ret = store_rulemember(mem_ctx, &rulemember->cmds,
conv->cmds, members[i]);
if (ret == EOK) {
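Review bot: is_ipacmd turns any failure inside ipa_check_rdn_bool into "not a command", because that helper only yields a bool, so a transient error while parsing a member DN (an allocation failure, for instance) makes the member match neither is_ipacmdgroup nor is_ipacmd and it is dropped from the rule. For memberAllowCmd that fails closed, but if the same process_rulemember path also serves memberDenyCmd — not visible here — a silently lost deny member widens what the rule permits, so it is worth confirming how the unmatched case is handled; process_rulemember continues past the end of this hunk. The fallback comment would also help the next reader more if it said what actually differs: `/* FreeIPA < 3.1 named sudocmd entries by sudoCmd (the command string) instead of ipaUniqueID. */`.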
@@ -552,13 +576,75 @@ ipa_sudo_conv_has_cmds(struct ipa_sudo_conv *conv)
return hash_count(conv->cmds) == 0;
}
+typedef errno_t (*ipa_sudo_conv_rdn_fn)(TALLOC_CTX *mem_ctx,
+ struct sdap_attr_map *map,
+ struct sysdb_ctx *sysdb,
+ const char *dn,
+ char **_rdn_val,
+ const char **_rdn_attr);
+
+static errno_t get_sudo_cmdgroup_rdn(TALLOC_CTX *mem_ctx,
+ struct sdap_attr_map *map,
+ struct sysdb_ctx *sysdb,
+ const char *dn,
+ char **_rdn_val,
+ const char **_rdn_attr)
+{
+ char *rdn_val;
+ errno_t ret;
+
+ ret = ipa_get_rdn(mem_ctx, sysdb, dn, &rdn_val,
+ MATCHRDN_CMDGROUPS(map));
+ if (ret != EOK) {
+ return ret;
+ }
+
+ *_rdn_val = rdn_val;
+ *_rdn_attr = map[IPA_AT_SUDOCMDGROUP_NAME].name;
+
+ return EOK;
+}
+
+static errno_t get_sudo_cmd_rdn(TALLOC_CTX *mem_ctx,
+ struct sdap_attr_map *map,
+ struct sysdb_ctx *sysdb,
+ const char *dn,
+ char **_rdn_val,
+ const char **_rdn_attr)
+{
+ char *rdn_val;
+ errno_t ret;
+
+ ret = ipa_get_rdn(mem_ctx, sysdb, dn, &rdn_val,
+ MATCHRDN_CMDS(IPA_AT_SUDOCMD_UUID, map));
+ if (ret == EOK) {
+ *_rdn_val = rdn_val;
+ *_rdn_attr = map[IPA_AT_SUDOCMD_UUID].name;
+
+ return EOK;
+ } else if (ret != ENOENT) {
+ return ret;
+ }
+
+ /* For older versions of FreeIPA than 3.1. */
+ ret = ipa_get_rdn(mem_ctx, sysdb, dn, &rdn_val,
+ MATCHRDN_CMDS(IPA_AT_SUDOCMD_CMD, map));
+ if (ret != EOK) {
+ return ret;
+ }
+
+ *_rdn_val = rdn_val;
+ *_rdn_attr = map[IPA_AT_SUDOCMD_CMD].name;;
+
+ return EOK;
+}
+
static char *
build_filter(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
hash_table_t *table,
- const char *class,
- const char *rdn_attr,
- const char *category)
+ struct sdap_attr_map *map,
+ ipa_sudo_conv_rdn_fn rdn_fn)
{
TALLOC_CTX *tmp_ctx;
hash_key_t *keys;
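Review bot: get_sudo_cmd_rdn and is_ipacmd (earlier in this patch) each hard-code the same ordered pair of accepted RDN attributes, IPA_AT_SUDOCMD_UUID then IPA_AT_SUDOCMD_CMD, so a later change to one can silently desynchronise classification from filter construction; a shared `static const int cmd_rdn_attrs[] = { IPA_AT_SUDOCMD_UUID, IPA_AT_SUDOCMD_CMD };` iterated by both would keep them in agreement. The line `*_rdn_attr = map[IPA_AT_SUDOCMD_CMD].name;;` has a stray second semicolon. On the ENOENT fallback it is also worth confirming that ipa_get_rdn releases whatever it allocated on mem_ctx during the failed first attempt — its cleanup path is outside this patch — otherwise each old-style member leaves an extra parsed DN on tmp_ctx until build_filter releases it.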
@@ -566,6 +652,7 @@ build_filter(TALLOC_CTX *mem_ctx,
unsigned long int i;
char *filter;
char *rdn_val;
+ const char *rdn_attr;
char *safe_rdn;
errno_t ret;
int hret;
@@ -590,8 +677,7 @@ build_filter(TALLOC_CTX *mem_ctx,
}
for (i = 0; i < count; i++) {
- ret = ipa_get_rdn(tmp_ctx, sysdb, keys[i].str, &rdn_val,
- rdn_attr, MATCHDN(category));
+ ret = rdn_fn(tmp_ctx, map, sysdb, keys[i].str, &rdn_val, &rdn_attr);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get member %s [%d]: %s\n",
keys[i].str, ret, sss_strerror(ret));
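Review bot: With the sudoCmd fallback, rdn_val can now be the command string itself (e.g. `/usr/bin/less`, or an admin-entered value that may legitimately contain `*`, `(`, `)` or `\`) rather than a generated UUID, and that value is interpolated into the LDAP search filter assembled further down; the existing `safe_rdn` escaping in this function, which is not part of this hunk, must keep covering it so that a wildcard stored in a command name is matched literally instead of widening the search to unrelated sudocmd entries. Since rdn_attr now varies per member, a rule mixing old- and new-style member DNs yields a filter containing both `(ipaUniqueID=…)` and `(sudoCmd=…)` terms, which is presumably intended but deserves a line at the call site: `/* rdn_attr depends on which RDN form this member DN uses (ipaUniqueID, or sudoCmd on FreeIPA < 3.1) */`. build_filter starts and ends outside this hunk.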
@@ -612,8 +698,9 @@ build_filter(TALLOC_CTX *mem_ctx,
}
}
+ /* objectClass is always first */
filter = talloc_asprintf(filter, "(&(objectClass=%s)(|%s))",
- class, filter);
+ map[0].name, filter);
if (filter == NULL) {
ret = ENOMEM;
goto done;
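Review bot: `map[0].name` replaces the explicit `IPA_OC_SUDOCMD` / `IPA_OC_SUDOCMDGROUP` object-class lookups that the removed wrapper code used, and the only thing pinning index 0 to the objectClass entry is the comment above it; if either attribute map is ever reordered, build_filter would silently emit `(objectClass=<some attribute name>)` and the lookup would most likely match nothing, so commands would quietly vanish from sudo rules rather than produce an error. Keeping the class explicit is cheap: either let the callers pass `map[IPA_OC_SUDOCMD].name` and `map[IPA_OC_SUDOCMDGROUP].name` into build_filter again, or add a compile-time guard beside the enum definitions (outside this patch) such as `_Static_assert(IPA_OC_SUDOCMD == 0 && IPA_OC_SUDOCMDGROUP == 0, "objectClass must be first in the sudo attr maps");`. build_filter starts and ends outside this hunk.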
@@ -637,22 +724,16 @@ char *
ipa_sudo_conv_cmdgroup_filter(TALLOC_CTX *mem_ctx,
struct ipa_sudo_conv *conv)
{
- const char *rdn_attr = conv->map_cmdgroup[IPA_AT_SUDOCMDGROUP_NAME].name;
- const char *class = conv->map_cmdgroup[IPA_OC_SUDOCMDGROUP].name;
-
- return build_filter(mem_ctx, conv->sysdb, conv->cmdgroups, class,
- rdn_attr, SUDO_DN_CMDGROUPS);
+ return build_filter(mem_ctx, conv->sysdb, conv->cmdgroups,
+ conv->map_cmdgroup, get_sudo_cmdgroup_rdn);
}
char *
ipa_sudo_conv_cmd_filter(TALLOC_CTX *mem_ctx,
struct ipa_sudo_conv *conv)
{
- const char *rdn_attr = conv->map_cmd[IPA_AT_SUDOCMD_UUID].name;
- const char *class = conv->map_cmd[IPA_OC_SUDOCMD].name;
-
- return build_filter(mem_ctx, conv->sysdb, conv->cmds, class,
- rdn_attr, SUDO_DN_CMDS);
+ return build_filter(mem_ctx, conv->sysdb, conv->cmds,
+ conv->map_cmd, get_sudo_cmd_rdn);
}
struct ipa_sudo_conv_result_ctx {
--
2.1.0