URL: https://github.com/SSSD/sssd/pull/49 Author: jhrozek Title: #49: Try to match multiple results from an AD initgroups request against domain's search bases, too Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/49/head:pr49 git checkout pr49
From 28ef135c6e82b1ed0f345c72e686ec948c8b485b Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Fri, 28 Oct 2016 13:46:02 +0200 Subject: [PATCH 1/2] SYSDB: Split sysdb_try_to_find_expected_dn() into smaller functions --- src/db/sysdb_subdomains.c | 238 ++++++++++++++++++------------- src/tests/cmocka/test_sysdb_subdomains.c | 2 +- 2 files changed, 136 insertions(+), 104 deletions(-) diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c index ff83f91..db6716e 100644 --- a/src/db/sysdb_subdomains.c +++ b/src/db/sysdb_subdomains.c @@ -1145,144 +1145,176 @@ errno_t sysdb_subdomain_delete(struct sysdb_ctx *sysdb, const char *name) return ret; } -errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, - const char *domain_component_name, - struct sysdb_attrs **usr_attrs, - size_t count, - struct sysdb_attrs **exp_usr) +static struct sysdb_attrs *match_cn_users(TALLOC_CTX *tmp_ctx, + struct sysdb_attrs **usr_attrs, + size_t count, + char *dom_basedn) { - char *dom_basedn; - size_t dom_basedn_len; - char *expected_basedn; - size_t expected_basedn_len; - size_t dn_len; + errno_t ret; const char *orig_dn; - size_t c = 0; - int ret; - TALLOC_CTX *tmp_ctx; - struct ldb_context *ldb_ctx; - struct ldb_dn *ldb_dom_basedn; - int dom_basedn_comp_num; - struct ldb_dn *ldb_dn; - int dn_comp_num; - const char *component_name; + size_t dn_len; struct sysdb_attrs *result = NULL; const char *result_dn_str = NULL; + char *cn_users_basedn; + size_t cn_users_basedn_len; - if (dom == NULL || domain_component_name == NULL || usr_attrs == NULL - || count == 0) { - return EINVAL; + cn_users_basedn = talloc_asprintf(tmp_ctx, "%s%s", "cn=users,", dom_basedn); + if (cn_users_basedn == NULL) { + return NULL; } + cn_users_basedn_len = strlen(cn_users_basedn); + DEBUG(SSSDBG_TRACE_ALL, "cn=users baseDN is [%s].\n", cn_users_basedn); - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); - return ENOMEM; - } + for (size_t c = 0; c < count; c++) { + ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, &orig_dn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + return NULL; + } + dn_len = strlen(orig_dn); - ret = domain_to_basedn(tmp_ctx, dom->name, &dom_basedn); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n"); - goto done; - } - expected_basedn = talloc_asprintf(tmp_ctx, "%s%s", "cn=users,", dom_basedn); - if (expected_basedn == NULL) { - ret = ENOMEM; - goto done; + if (dn_len > cn_users_basedn_len + && strcasecmp(orig_dn + (dn_len - cn_users_basedn_len), + cn_users_basedn) == 0) { + DEBUG(SSSDBG_TRACE_ALL, + "Found matching dn [%s].\n", orig_dn); + if (result != NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Found 2 matching DN [%s] and [%s], expecting only 1.\n", + result_dn_str, orig_dn); + return NULL; + } + result = usr_attrs[c]; + result_dn_str = orig_dn; + } } + return result; +} + +static struct sysdb_attrs *match_basedn(TALLOC_CTX *tmp_ctx, + struct sss_domain_info *dom, + struct sysdb_attrs **usr_attrs, + size_t count, + const char *dom_basedn, + const char *domain_component_name) +{ + errno_t ret; + const char *orig_dn; + size_t orig_dn_len; + size_t dom_basedn_len; + struct ldb_dn *ldb_orig_dn; + struct ldb_context *ldb_ctx; + struct sysdb_attrs *result = NULL; + const char *result_dn_str = NULL; + struct ldb_dn *ldb_dom_basedn; + int dom_basedn_comp_num; + int dn_comp_num; + const char *component_name; + ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb); if (ldb_ctx == NULL) { DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n"); - ret = EINVAL; - goto done; + return NULL; } + dom_basedn_len = strlen(dom_basedn); + ldb_dom_basedn = ldb_dn_new(tmp_ctx, ldb_ctx, dom_basedn); if (ldb_dom_basedn == NULL) { DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n"); - ret = ENOMEM; - goto done; + return NULL; } dom_basedn_comp_num = ldb_dn_get_comp_num(ldb_dom_basedn); dom_basedn_comp_num++; - DEBUG(SSSDBG_TRACE_ALL, "Expected BaseDN is [%s].\n", expected_basedn); - expected_basedn_len = strlen(expected_basedn); - dom_basedn_len = strlen(dom_basedn); - - for (c = 0; c < count; c++) { + for (size_t c = 0; c < count; c++) { ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, &orig_dn); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); - goto done; - } - dn_len = strlen(orig_dn); - - if (dn_len > expected_basedn_len - && strcasecmp(orig_dn + (dn_len - expected_basedn_len), - expected_basedn) == 0) { - DEBUG(SSSDBG_TRACE_ALL, - "Found matching dn [%s].\n", orig_dn); - if (result != NULL) { - DEBUG(SSSDBG_OP_FAILURE, - "Found 2 matching DN [%s] and [%s], expecting only 1.\n", - result_dn_str, orig_dn); - ret = EINVAL; - goto done; - } - result = usr_attrs[c]; - result_dn_str = orig_dn; + return NULL; } - } - - if (result == NULL) { - for (c = 0; c < count; c++) { - ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, &orig_dn); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); - goto done; + orig_dn_len = strlen(orig_dn); + + if (orig_dn_len > dom_basedn_len + /* Does the user's original DN with the non-domain part + * stripped match the domain base DN? + */ + && strcasecmp(orig_dn + (orig_dn_len - dom_basedn_len), + dom_basedn) == 0) { + ldb_orig_dn = ldb_dn_new(tmp_ctx, ldb_ctx, orig_dn); + if (ldb_orig_dn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed"); + return NULL; } - dn_len = strlen(orig_dn); - - if (dn_len > dom_basedn_len - && strcasecmp(orig_dn + (dn_len - dom_basedn_len), - dom_basedn) == 0) { - ldb_dn = ldb_dn_new(tmp_ctx, ldb_ctx, orig_dn); - if (ldb_dn == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed"); - ret = ENOMEM; - goto done; - } - dn_comp_num = ldb_dn_get_comp_num(ldb_dn); - if (dn_comp_num > dom_basedn_comp_num) { - component_name = ldb_dn_get_component_name(ldb_dn, - (dn_comp_num - dom_basedn_comp_num)); - DEBUG(SSSDBG_TRACE_ALL, "Comparing [%s] and [%s].\n", - component_name, - domain_component_name); - if (component_name != NULL - && strcasecmp(component_name, - domain_component_name) != 0) { - DEBUG(SSSDBG_TRACE_ALL, - "Found matching dn [%s].\n", orig_dn); - if (result != NULL) { - DEBUG(SSSDBG_OP_FAILURE, - "Found 2 matching DN [%s] and [%s], " - "expecting only 1.\n", result_dn_str, orig_dn); - ret = EINVAL; - goto done; - } - result = usr_attrs[c]; - result_dn_str = orig_dn; + dn_comp_num = ldb_dn_get_comp_num(ldb_orig_dn); + if (dn_comp_num > dom_basedn_comp_num) { + component_name = ldb_dn_get_component_name(ldb_orig_dn, + (dn_comp_num - dom_basedn_comp_num)); + DEBUG(SSSDBG_TRACE_ALL, "Comparing [%s] and [%s].\n", + component_name, + domain_component_name); + /* Does the original DN's pre-base DN component match this + * domain's component? + */ + if (component_name != NULL + && strcasecmp(component_name, + domain_component_name) != 0) { + DEBUG(SSSDBG_TRACE_ALL, + "Found matching dn [%s].\n", orig_dn); + if (result != NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Found 2 matching DN [%s] and [%s], " + "expecting only 1.\n", result_dn_str, orig_dn); + return NULL; } + result = usr_attrs[c]; + result_dn_str = orig_dn; } } } } + return result; +} + +errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, + const char *domain_component_name, + struct sysdb_attrs **usr_attrs, + size_t count, + struct sysdb_attrs **exp_usr) +{ + char *dom_basedn; + int ret; + TALLOC_CTX *tmp_ctx; + struct sysdb_attrs *result = NULL; + + if (dom == NULL || domain_component_name == NULL + || usr_attrs == NULL || count == 0) { + return EINVAL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + ret = domain_to_basedn(tmp_ctx, dom->name, &dom_basedn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n"); + ret = EINVAL; + goto done; + } + + result = match_cn_users(tmp_ctx, usr_attrs, count, dom_basedn); + if (result == NULL) { + result = match_basedn(tmp_ctx, dom, usr_attrs, + count, dom_basedn, domain_component_name); + } + if (result == NULL) { DEBUG(SSSDBG_OP_FAILURE, "No matching DN found.\n"); ret = ENOENT; diff --git a/src/tests/cmocka/test_sysdb_subdomains.c b/src/tests/cmocka/test_sysdb_subdomains.c index c9db568..bc34497 100644 --- a/src/tests/cmocka/test_sysdb_subdomains.c +++ b/src/tests/cmocka/test_sysdb_subdomains.c @@ -564,7 +564,7 @@ static void test_try_to_find_expected_dn(void **state) assert_ptr_equal(result, usr_attrs[1]); ret = sysdb_try_to_find_expected_dn(dom, "xy", usr_attrs, 3, &result); - assert_int_equal(ret, EINVAL); + assert_int_equal(ret, ENOENT); /* Make sure cn=users match is preferred */ talloc_free(usr_attrs[2]); From 05a0b756cc2d29e6a893572c5df81f8e879e8c8d Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Mon, 31 Oct 2016 21:24:10 +0100 Subject: [PATCH 2/2] SYSDB: Augment sysdb_try_to_find_expected_dn to match search base, too --- src/db/sysdb.h | 1 + src/db/sysdb_subdomains.c | 157 +++++++++++++++++++++++------ src/providers/ldap/sdap_async_initgroups.c | 4 +- src/tests/cmocka/test_sysdb_subdomains.c | 42 ++++++-- 4 files changed, 168 insertions(+), 36 deletions(-) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 9012683..5dedd97 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -1297,6 +1297,7 @@ errno_t sysdb_handle_original_uuid(const char *orig_name, errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, const char *domain_component_name, + const char *ldap_search_base, struct sysdb_attrs **usr_attrs, size_t count, struct sysdb_attrs **exp_usr); diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c index db6716e..73d4633 100644 --- a/src/db/sysdb_subdomains.c +++ b/src/db/sysdb_subdomains.c @@ -1148,7 +1148,7 @@ errno_t sysdb_subdomain_delete(struct sysdb_ctx *sysdb, const char *name) static struct sysdb_attrs *match_cn_users(TALLOC_CTX *tmp_ctx, struct sysdb_attrs **usr_attrs, size_t count, - char *dom_basedn) + const char *dom_basedn) { errno_t ret; const char *orig_dn; @@ -1192,25 +1192,25 @@ static struct sysdb_attrs *match_cn_users(TALLOC_CTX *tmp_ctx, return result; } -static struct sysdb_attrs *match_basedn(TALLOC_CTX *tmp_ctx, - struct sss_domain_info *dom, - struct sysdb_attrs **usr_attrs, - size_t count, - const char *dom_basedn, - const char *domain_component_name) +static struct sysdb_attrs *match_non_dc_comp(TALLOC_CTX *tmp_ctx, + struct sss_domain_info *dom, + struct sysdb_attrs **usr_attrs, + size_t count, + struct ldb_dn *ldb_basedn, + const char *basedn, + const char *domain_component_name) { errno_t ret; const char *orig_dn; size_t orig_dn_len; - size_t dom_basedn_len; - struct ldb_dn *ldb_orig_dn; + size_t basedn_len; struct ldb_context *ldb_ctx; - struct sysdb_attrs *result = NULL; - const char *result_dn_str = NULL; - struct ldb_dn *ldb_dom_basedn; - int dom_basedn_comp_num; + struct ldb_dn *ldb_orig_dn; int dn_comp_num; + int basedn_comp_num; const char *component_name; + struct sysdb_attrs *result = NULL; + const char *result_dn_str = NULL; ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb); if (ldb_ctx == NULL) { @@ -1218,16 +1218,10 @@ static struct sysdb_attrs *match_basedn(TALLOC_CTX *tmp_ctx, return NULL; } - dom_basedn_len = strlen(dom_basedn); - - ldb_dom_basedn = ldb_dn_new(tmp_ctx, ldb_ctx, dom_basedn); - if (ldb_dom_basedn == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n"); - return NULL; - } + basedn_len = strlen(basedn); - dom_basedn_comp_num = ldb_dn_get_comp_num(ldb_dom_basedn); - dom_basedn_comp_num++; + basedn_comp_num = ldb_dn_get_comp_num(ldb_basedn); + basedn_comp_num++; for (size_t c = 0; c < count; c++) { ret = sysdb_attrs_get_string(usr_attrs[c], SYSDB_ORIG_DN, &orig_dn); @@ -1237,12 +1231,12 @@ static struct sysdb_attrs *match_basedn(TALLOC_CTX *tmp_ctx, } orig_dn_len = strlen(orig_dn); - if (orig_dn_len > dom_basedn_len + if (orig_dn_len > basedn_len /* Does the user's original DN with the non-domain part * stripped match the domain base DN? */ - && strcasecmp(orig_dn + (orig_dn_len - dom_basedn_len), - dom_basedn) == 0) { + && strcasecmp(orig_dn + (orig_dn_len - basedn_len), + basedn) == 0) { ldb_orig_dn = ldb_dn_new(tmp_ctx, ldb_ctx, orig_dn); if (ldb_orig_dn == NULL) { DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed"); @@ -1250,14 +1244,16 @@ static struct sysdb_attrs *match_basedn(TALLOC_CTX *tmp_ctx, } dn_comp_num = ldb_dn_get_comp_num(ldb_orig_dn); - if (dn_comp_num > dom_basedn_comp_num) { + if (dn_comp_num > basedn_comp_num) { component_name = ldb_dn_get_component_name(ldb_orig_dn, - (dn_comp_num - dom_basedn_comp_num)); + (dn_comp_num - basedn_comp_num)); DEBUG(SSSDBG_TRACE_ALL, "Comparing [%s] and [%s].\n", component_name, domain_component_name); - /* Does the original DN's pre-base DN component match this - * domain's component? + /* If the component is NOT a DC component, then the entry + * must come from our domain, perhaps from a child container. + * If it matched the DC component, the entry was from a child + * subdomain different from this one. */ if (component_name != NULL && strcasecmp(component_name, @@ -1280,8 +1276,104 @@ static struct sysdb_attrs *match_basedn(TALLOC_CTX *tmp_ctx, return result; } +static struct sysdb_attrs *match_basedn(TALLOC_CTX *tmp_ctx, + struct sss_domain_info *dom, + struct sysdb_attrs **usr_attrs, + size_t count, + const char *dom_basedn, + const char *domain_component_name) +{ + struct ldb_context *ldb_ctx; + struct ldb_dn *ldb_dom_basedn; + + ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb); + if (ldb_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n"); + return NULL; + } + + + ldb_dom_basedn = ldb_dn_new(tmp_ctx, ldb_ctx, dom_basedn); + if (ldb_dom_basedn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n"); + return NULL; + } + + return match_non_dc_comp(tmp_ctx, dom, + usr_attrs, count, + ldb_dom_basedn, dom_basedn, + domain_component_name); +} + +static struct sysdb_attrs *match_search_base(TALLOC_CTX *tmp_ctx, + struct sss_domain_info *dom, + const char *domain_component_name, + const char *domain_search_base, + struct sysdb_attrs **usr_attrs, + size_t count) +{ + bool ok; + const char *search_base; + struct ldb_context *ldb_ctx; + struct sysdb_attrs *result = NULL; + struct ldb_dn *ldb_search_base; + int search_base_comp_num; + int non_dc_comp_num; + const char *component_name; + + ldb_ctx = sysdb_ctx_get_ldb(dom->sysdb); + if (ldb_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing ldb context.\n"); + return NULL; + } + + ldb_search_base = ldb_dn_new(tmp_ctx, ldb_ctx, domain_search_base); + if (ldb_search_base == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n"); + return NULL; + } + + /* strip non-DC components from the search base */ + search_base_comp_num = ldb_dn_get_comp_num(ldb_search_base); + for (non_dc_comp_num = 0; + non_dc_comp_num < search_base_comp_num; + non_dc_comp_num++) { + + component_name = ldb_dn_get_component_name(ldb_search_base, + non_dc_comp_num); + if (strcmp(domain_component_name, component_name) == 0) { + break; + } + } + + if (non_dc_comp_num == search_base_comp_num) { + return NULL; + } + + ok = ldb_dn_remove_child_components(ldb_search_base, non_dc_comp_num); + if (!ok) { + return NULL; + } + + search_base = ldb_dn_get_linearized(ldb_search_base); + if (search_base == NULL) { + return NULL; + } + + result = match_cn_users(tmp_ctx, usr_attrs, count, search_base); + if (result == NULL) { + result = match_non_dc_comp(tmp_ctx, dom, + usr_attrs, count, + ldb_search_base, search_base, + domain_component_name); + } + + return result; +} + errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, const char *domain_component_name, + const char *domain_search_base, struct sysdb_attrs **usr_attrs, size_t count, struct sysdb_attrs **exp_usr) @@ -1292,6 +1384,7 @@ errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, struct sysdb_attrs *result = NULL; if (dom == NULL || domain_component_name == NULL + || domain_search_base == NULL || usr_attrs == NULL || count == 0) { return EINVAL; } @@ -1310,12 +1403,18 @@ errno_t sysdb_try_to_find_expected_dn(struct sss_domain_info *dom, } result = match_cn_users(tmp_ctx, usr_attrs, count, dom_basedn); + if (result == NULL) { result = match_basedn(tmp_ctx, dom, usr_attrs, count, dom_basedn, domain_component_name); } if (result == NULL) { + result = match_search_base(tmp_ctx, dom, domain_component_name, + domain_search_base, usr_attrs, count); + } + + if (result == NULL) { DEBUG(SSSDBG_OP_FAILURE, "No matching DN found.\n"); ret = ENOENT; goto done; diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index 45fc007..2ed2c36 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c @@ -2947,7 +2947,9 @@ static void sdap_get_initgr_user(struct tevent_req *subreq) DEBUG(SSSDBG_OP_FAILURE, "Expected one user entry and got %zu\n", count); - ret = sysdb_try_to_find_expected_dn(state->dom, "dc", usr_attrs, count, + ret = sysdb_try_to_find_expected_dn(state->dom, "dc", + state->sdom->search_bases[0]->basedn, + usr_attrs, count, &state->orig_user); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, diff --git a/src/tests/cmocka/test_sysdb_subdomains.c b/src/tests/cmocka/test_sysdb_subdomains.c index bc34497..67098e3 100644 --- a/src/tests/cmocka/test_sysdb_subdomains.c +++ b/src/tests/cmocka/test_sysdb_subdomains.c @@ -520,7 +520,9 @@ static void test_try_to_find_expected_dn(void **state) int ret; struct sysdb_attrs *result; struct sysdb_attrs *usr_attrs[10] = { NULL }; + struct sysdb_attrs *dom_usr_attrs[10] = { NULL }; struct sss_domain_info *dom; + char *dom_basedn; struct subdom_test_ctx *test_ctx = talloc_get_type(*state, struct subdom_test_ctx); @@ -528,6 +530,9 @@ static void test_try_to_find_expected_dn(void **state) "child2.test_sysdb_subdomains_2", true); assert_non_null(dom); + ret = domain_to_basedn(test_ctx, dom->name, &dom_basedn); + assert_int_equal(ret, EOK); + usr_attrs[0] = sysdb_new_attrs(test_ctx); assert_non_null(usr_attrs[0]); @@ -535,13 +540,13 @@ static void test_try_to_find_expected_dn(void **state) "uid=user,cn=abc,dc=c2,dc=child2,dc=test_sysdb_subdomains_2"); assert_int_equal(ret, EOK); - ret = sysdb_try_to_find_expected_dn(NULL, NULL, NULL, 0, NULL); + ret = sysdb_try_to_find_expected_dn(NULL, NULL, NULL, NULL, 0, NULL); assert_int_equal(ret, EINVAL); - ret = sysdb_try_to_find_expected_dn(dom, "dc", usr_attrs, 1, &result); + ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, usr_attrs, 1, &result); assert_int_equal(ret, ENOENT); - ret = sysdb_try_to_find_expected_dn(dom, "xy", usr_attrs, 1, &result); + ret = sysdb_try_to_find_expected_dn(dom, "xy", dom_basedn, usr_attrs, 1, &result); assert_int_equal(ret, EOK); assert_ptr_equal(result, usr_attrs[0]); @@ -559,11 +564,11 @@ static void test_try_to_find_expected_dn(void **state) "uid=user2,cn=abc,dc=c2,dc=child2,dc=test_sysdb_subdomains_2"); assert_int_equal(ret, EOK); - ret = sysdb_try_to_find_expected_dn(dom, "dc", usr_attrs, 3, &result); + ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, usr_attrs, 3, &result); assert_int_equal(ret, EOK); assert_ptr_equal(result, usr_attrs[1]); - ret = sysdb_try_to_find_expected_dn(dom, "xy", usr_attrs, 3, &result); + ret = sysdb_try_to_find_expected_dn(dom, "xy", dom_basedn, usr_attrs, 3, &result); assert_int_equal(ret, ENOENT); /* Make sure cn=users match is preferred */ @@ -575,10 +580,35 @@ static void test_try_to_find_expected_dn(void **state) "uid=user2,cn=abc,cn=users,dc=child2,dc=test_sysdb_subdomains_2"); assert_int_equal(ret, EOK); - ret = sysdb_try_to_find_expected_dn(dom, "dc", usr_attrs, 3, &result); + ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, usr_attrs, 3, &result); assert_int_equal(ret, EOK); assert_ptr_equal(result, usr_attrs[2]); + /* test a case where the domain name does not match the basedn */ + dom->name = discard_const("default"); + dom_usr_attrs[0] = usr_attrs[0]; + + ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, dom_usr_attrs, 1, &result); + assert_int_equal(ret, ENOENT); + + dom_usr_attrs[1] = usr_attrs[1]; + dom_usr_attrs[2] = usr_attrs[2]; + + /* Make sure cn=users match is preferred */ + ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, dom_usr_attrs, 3, &result); + assert_int_equal(ret, EOK); + assert_ptr_equal(result, dom_usr_attrs[2]); + + talloc_free(usr_attrs[2]); + usr_attrs[2] = sysdb_new_attrs(test_ctx); + assert_non_null(usr_attrs[2]); + ret = sysdb_attrs_add_string(usr_attrs[2], SYSDB_ORIG_DN, + "uid=user2,cn=abc,dc=c2,dc=child2,dc=test_sysdb_subdomains_2"); + assert_int_equal(ret, EOK); + + ret = sysdb_try_to_find_expected_dn(dom, "dc", dom_basedn, dom_usr_attrs, 3, &result); + assert_int_equal(ret, EOK); + assert_ptr_equal(result, usr_attrs[1]); talloc_free(usr_attrs[0]); talloc_free(usr_attrs[1]);
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org