URL: https://github.com/SSSD/sssd/pull/270 Author: mzidek-rh Title: #270: Subdomains direct integration Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/270/head:pr270 git checkout pr270
From 221a0fe432dec10b1ee20b5cbc5d88b5db39f93f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <[email protected]>
Date: Thu, 4 May 2017 15:10:55 +0200
Subject: [PATCH 1/2] SUBDOMAINS: Add debug messages
Add debug messages when 1way or 2way trusts are created.
---
src/providers/ad/ad_common.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 1a9d8dc..96f11da 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -312,6 +312,9 @@ ad_create_2way_trust_options(TALLOC_CTX *mem_ctx, struct ad_options *ad_options; errno_t ret; + DEBUG(SSSDBG_TRACE_FUNC, "Creating 2way trust with domain '%s'\n", + subdom->name); + ad_options = ad_create_options(mem_ctx, cdb, conf_path, subdom); if (ad_options == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n");
@@ -349,6 +352,9 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx, const char *realm; errno_t ret; + DEBUG(SSSDBG_TRACE_FUNC, "Creating 1way trust with domain '%s'\n", + subdom->name); + ad_options = ad_create_options(mem_ctx, cdb, subdom_conf_path, subdom); if (ad_options == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n");
From e695fc0654b5dd0744908d810b4babcd14e8d8e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <[email protected]>
Date: Tue, 9 May 2017 11:21:02 +0200
Subject: [PATCH 2/2] AD SUBDOMAINS: Fix search bases for child domains
When using direct AD integration, child domains did not respect the sssd.conf configuration of search bases. There were few issues all of witch are fixed in this small patch.
First problem was that the sdap domain list was not properly inherited from the parent in the child domains and the children always created their own sdap domains lists that were disconnected from the parent context and never used.
Second issue was that the child domain did not call the fuction to reinit the search bases after the sdap_domain was added to the list of sdap domains. This caused that child domains always used auto matically detected search bases and never used the configured ones even though they were properly read into the ID options context attached to the subdomain.
Also there have been an issue that the sdap search bases were rewritten by the new child domain initialization (this only happened with more than one child domain) because the sdap domain list was 'updated' every time new child domain was initialized, which caused that only the main domain and the last child domain had proper search bases, the others only the autodiscovered ones (becase they were overwriten with the 'update').
Resolves: https://pagure.io/SSSD/sssd/issue/3397
---
src/providers/ad/ad_subdomains.c | 17 +++++++++++++++++
src/providers/ldap/sdap_domain.c | 5 +++++
2 files changed, 22 insertions(+)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index ef16644..f5c06ae 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -221,6 +221,9 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx, ad_id_ctx->sdap_id_ctx->opts = ad_options->id; ad_options->id_ctx = ad_id_ctx; + /* We need to pass the sdap list from parent */ + ad_id_ctx->sdap_id_ctx->opts->sdom = id_ctx->sdap_id_ctx->opts->sdom; + /* use AD plugin */ srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res, default_host_dbs,
@@ -257,6 +260,13 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx, ad_id_ctx->sdap_id_ctx->opts->idmap_ctx = id_ctx->sdap_id_ctx->opts->idmap_ctx; + ret = ad_set_search_bases(ad_options->id, sdom); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set LDAP search bases for" + "domain '%s'. Will try to use automatically detected search " + "bases.", subdom->name); + } + *_subdom_id_ctx = ad_id_ctx; return EOK; }
@@ -621,6 +631,13 @@ ads_store_sdap_subdom(struct ad_subdomains_ctx *ctx, return ret; } + ret = ad_set_search_bases(ctx->ad_id_ctx->ad_options->id, ctx->sdom); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "failed to set ldap search bases for" + "domain '%s'. will try to use automatically detected search " + "bases.", ctx->sdom->dom->name); + } + DLIST_FOR_EACH(sditer, ctx->sdom) { if (IS_SUBDOMAIN(sditer->dom) && sditer->pvt == NULL) { ret = ad_subdom_ad_ctx_new(ctx->be_ctx, ctx->ad_id_ctx,
diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c
index 5cba9df..d384b2e 100644
--- a/src/providers/ldap/sdap_domain.c
+++ b/src/providers/ldap/sdap_domain.c
@@ -154,6 +154,11 @@ sdap_domain_subdom_add(struct sdap_id_ctx *sdap_id_ctx, parent->name, ret, strerror(ret)); return ret; } + } else if (sditer->search_bases != NULL) { + DEBUG(SSSDBG_TRACE_FUNC, + "subdomain %s has already initialized search bases\n", + dom->name); + continue; } else { sdom = sditer; }
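Review bot: The new assignment `ad_id_ctx->sdap_id_ctx->opts->sdom = id_ctx->sdap_id_ctx->opts->sdom;` makes the child's options alias the parent's sdap_domain list rather than copy it, but the comment `/* We need to pass the sdap list from parent */` does not say who owns that list afterwards. Since both contexts now hold the same pointer, any code that frees or re-heads `opts->sdom` on the child side would corrupt the parent's view; I cannot see from this hunk whether the child ever does that, so the contract should be stated. I would replace the comment with `/* Share (do not copy) the parent's sdap_domain list so child lookups see the parent's configured search bases; the parent id_ctx owns it and the child must never free or re-head it. */`. The body of ad_subdom_ad_ctx_new begins before this hunk.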
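Review bot: The DEBUG format in the new error branch after `ret = ad_set_search_bases(ad_options->id, sdom);` is built from adjacent literals `"...search bases for"` and `"domain '%s'..."`, which concatenate to `fordomain`, and it is also the only DEBUG message in this series without a trailing `\n` (compare `"ad_create_options failed\n"` and the TRACE_FUNC messages elsewhere in the patch). The same two defects appear in the second hunk of this file, in ads_store_sdap_subdom, which additionally uses lowercase `failed`/`will` unlike the first site. I would change the literals to `"Failed to set LDAP search bases for "`, `"domain '%s'. Will try to use automatically detected search "`, `"bases.\n"` at both sites. Both sites deliberately continue with EOK after the failure, so the message is the only trace an administrator gets that their configured bases were silently replaced by autodetected ones; that is a reason to keep it at SSSDBG_CRIT_FAILURE and make it readable.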
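Review bot: The new `} else if (sditer->search_bases != NULL) {` branch uses a non-NULL `search_bases` as the sole marker that the subdomain has already been initialized and then `continue`s past the rest of the loop body, which lies outside the hunk; if that remaining code also populates other per-subdomain base lists, an sdom with only `search_bases` set would skip them, and a subdomain whose configuration changes later will never be refreshed through this path — both are inferences, since the loop body is not visible here. The intent (keep bases that were set explicitly, presumably by ad_set_search_bases in the other file of this series, instead of overwriting them with autodetected ones) should be stated at the branch, e.g. `/* search_bases already populated (explicit configuration); keep them rather than overwrite with autodetected bases */`. The enclosing loop of sdap_domain_subdom_add starts before this hunk.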
