URL: https://github.com/SSSD/sssd/pull/270
Author: mzidek-rh
Title: #270: Subdomains direct integration
Action: synchronized

To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/270/head:pr270
git checkout pr270
From 6e4b18001a00e96084e385623d0c8c7becda77cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <[email protected]>
Date: Thu, 4 May 2017 15:10:55 +0200
Subject: [PATCH 1/2] SUBDOMAINS: Add debug messages

Add debug messages when 1way or 2way trusts are created.
---
 src/providers/ad/ad_common.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index 1a9d8dc0b..84845e285 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -312,6 +312,9 @@ ad_create_2way_trust_options(TALLOC_CTX *mem_ctx,
     struct ad_options *ad_options;
     errno_t ret;
 
+    DEBUG(SSSDBG_TRACE_FUNC, "2way trust is defined to domain '%s'\n",
+          subdom->name);
+
     ad_options = ad_create_options(mem_ctx, cdb, conf_path, subdom);
     if (ad_options == NULL) {
         DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n");
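Review bot: the new message in ad_create_2way_trust_options reads awkwardly ("2way trust is defined to domain"); "2-way trust defined for domain '%s'" would match the phrasing of the existing failure message two lines below and make it easier to grep for the trust type when tracing which options path a subdomain took.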
@@ -349,6 +352,9 @@ ad_create_1way_trust_options(TALLOC_CTX *mem_ctx,
     const char *realm;
     errno_t ret;
 
+    DEBUG(SSSDBG_TRACE_FUNC, "1way trust is defined to domain '%s'\n",
+          subdom->name);
+
     ad_options = ad_create_options(mem_ctx, cdb, subdom_conf_path, subdom);
     if (ad_options == NULL) {
         DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n");
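Review bot: same wording point as in the 2-way hunk: "1-way trust defined for domain '%s'" reads better than "1way trust is defined to domain". Keeping the two messages parallel (only the trust type differs) is what makes them useful in a trace log when comparing a child domain that came up via the 1-way path against one that came up via the 2-way path.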

From 7dc73651e8bb01e3f1f1a1ae792e649af33a0013 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <[email protected]>
Date: Tue, 9 May 2017 11:21:02 +0200
Subject: [PATCH 2/2] AD SUBDOMAINS: Fix search bases for child domains

When using direct AD integration, child domains did not respect
the sssd.conf configuration of search bases.

There were a few issues, all of which are fixed in this small
patch.

First problem was that the sdap domain list was not properly
inherited from the parent in the child domains and the children
always created their own sdap domains lists that were disconnected
from the parent context and never used.

Second issue was that the child domain did not call the function
to reinit the search bases after the sdap_domain was added to the
list of sdap domains. This caused child domains to always use
automatically detected search bases and never the configured
ones, even though they were properly read into the ID options
context attached to the subdomain.

Also, there was an issue that the sdap search bases
were rewritten by the new child domain initialization
(this only happened with more than one child domain)
because the sdap domain list was 'updated' every time
a new child domain was initialized, which caused
only the main domain and the last child domain to have proper
search bases, the others only the autodiscovered ones
(because they were overwritten with the 'update').

Resolves:
https://pagure.io/SSSD/sssd/issue/3397
---
 src/providers/ad/ad_subdomains.c | 17 +++++++++++++++++
 src/providers/ldap/sdap_domain.c |  5 +++++
 2 files changed, 22 insertions(+)

diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index ef166446e..f5c06aef8 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -221,6 +221,9 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
     ad_id_ctx->sdap_id_ctx->opts = ad_options->id;
     ad_options->id_ctx = ad_id_ctx;
 
+    /* We need to pass the sdap list from parent */
+    ad_id_ctx->sdap_id_ctx->opts->sdom = id_ctx->sdap_id_ctx->opts->sdom;
+
     /* use AD plugin */
     srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res,
                                      default_host_dbs,
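Review bot: the comment "We need to pass the sdap list from parent" says what is done but not why; since the commit message explains that the child previously built its own disconnected list, a comment along the lines of "share the parent's sdap_domain list so that search bases configured in sssd.conf are visible to the child and so that the child is not left with a private, never-used list" would make the intent clear to the next reader. It is also worth confirming that the list previously stored in ad_id_ctx->sdap_id_ctx->opts->sdom (the one ad_create_options set up) is released or never allocated, rather than just overwritten, so that the child's sdap_options do not keep a stale talloc child around; and because the child now aliases the parent's list by plain pointer assignment, the child's opts must not outlive or free the parent's list.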
@@ -257,6 +260,13 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
     ad_id_ctx->sdap_id_ctx->opts->idmap_ctx =
         id_ctx->sdap_id_ctx->opts->idmap_ctx;
 
+    ret = ad_set_search_bases(ad_options->id, sdom);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set LDAP search bases for"
+              "domain '%s'. Will try to use automatically detected search "
+              "bases.", subdom->name);
+    }
+
     *_subdom_id_ctx = ad_id_ctx;
     return EOK;
 }
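Review bot: the DEBUG format string in the new ad_set_search_bases error path is missing a space and a newline: "for" "domain" concatenates to "fordomain", and the message has no trailing "\n" unlike every other DEBUG call in this file. Suggest:

    DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set LDAP search bases for "
          "domain '%s'. Will try to use automatically detected search "
          "bases.\n", subdom->name);

Since the function deliberately falls through to return EOK after this failure, a short comment stating that falling back to auto-detected search bases is intentional (rather than an overlooked error return) would be helpful.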
@@ -621,6 +631,13 @@ ads_store_sdap_subdom(struct ad_subdomains_ctx *ctx,
         return ret;
     }
 
+    ret = ad_set_search_bases(ctx->ad_id_ctx->ad_options->id, ctx->sdom);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "failed to set ldap search bases for"
+              "domain '%s'. will try to use automatically detected search "
+              "bases.", ctx->sdom->dom->name);
+    }
+
     DLIST_FOR_EACH(sditer, ctx->sdom) {
         if (IS_SUBDOMAIN(sditer->dom) && sditer->pvt == NULL) {
             ret = ad_subdom_ad_ctx_new(ctx->be_ctx, ctx->ad_id_ctx,
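Review bot: same format-string defects as in ad_subdom_ad_ctx_new: "for" "domain" runs together as "fordomain" and the message lacks a trailing "\n"; the lower-case "failed"/"will" is also inconsistent with the capitalised variant added earlier in this patch. Suggest:

    DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set LDAP search bases for "
          "domain '%s'. Will try to use automatically detected search "
          "bases.\n", ctx->sdom->dom->name);

As above, the error is logged and then ignored; if continuing with auto-detected bases is the intended behaviour, a one-line comment saying so would keep a future reader from "fixing" it into an early return.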
diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c
index 5cba9df0f..d384b2e4a 100644
--- a/src/providers/ldap/sdap_domain.c
+++ b/src/providers/ldap/sdap_domain.c
@@ -154,6 +154,11 @@ sdap_domain_subdom_add(struct sdap_id_ctx *sdap_id_ctx,
                     parent->name, ret, strerror(ret));
                 return ret;
             }
+        } else if (sditer->search_bases != NULL) {
+            DEBUG(SSSDBG_TRACE_FUNC,
+                  "subdomain %s has already initialized search bases\n",
+                  dom->name);
+            continue;
         } else {
             sdom = sditer;
         }
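Review bot: the new `else if (sditer->search_bases != NULL)` branch skips the search-base update that follows the if/else chain for any subdomain whose sdap_domain already has search bases, which is what stops the last-initialised child from overwriting the others; that reasoning only lives in the commit message, so a brief comment on the branch ("already initialised, do not overwrite the search bases configured for it") would help. Note that the test treats any non-NULL search_bases as fully initialised, so a subdomain whose bases were only partially set up will never be revisited here; if that is acceptable, say so in the comment, otherwise a more specific "initialised" marker would be safer.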
_______________________________________________
sssd-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]