URL: https://github.com/SSSD/sssd/pull/850
Author: pbrezina
Title: #850: sudo: use proper datetime for default modifyTimestamp value
Action: opened

PR body:
"""
The current default was simply "1"; however, the OpenLDAP server was unable
to compare the modifyTimestamp attribute to a simple number. A proper datetime
is required by OpenLDAP.

It worked correctly on 389-ds.

Steps to reproduce:
1. install openldap server
2. run sssd
3. there are no sudo rules on the server and there are no cached objects
4. you'll see in the logs that the sudo smart refresh uses the filter `(&(&(objectclass=sudoRole)(modifyTimestamp>=1))...` (`1` instead of a proper datetime value)

Resolves:
https://pagure.io/SSSD/sssd/issue/4046
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/850/head:pr850
git checkout pr850
From b118540abd3b558615f68404dfff1f26429496f6 Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrez...@redhat.com>
Date: Wed, 17 Jul 2019 11:57:23 +0200
Subject: [PATCH] sudo: use proper datetime for default modifyTimestamp value

The current default was simply "1"; however, the OpenLDAP server was unable
to compare the modifyTimestamp attribute to a simple number. A proper datetime
is required by OpenLDAP.

It worked correctly on 389-ds.

Steps to reproduce:
1. install openldap server
2. run sssd
3. there are no sudo rules on the server and there are no cached objects
4. you'll see in the logs that the sudo smart refresh uses the filter `(&(&(objectclass=sudoRole)(modifyTimestamp>=1))...` (`1` instead of a proper datetime value)

Resolves:
https://pagure.io/SSSD/sssd/issue/4046
---
 src/providers/ldap/sdap_sudo_shared.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c
index a00d8e6a92..251584024c 100644
--- a/src/providers/ldap/sdap_sudo_shared.c
+++ b/src/providers/ldap/sdap_sudo_shared.c
@@ -127,11 +127,24 @@ sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx,
 static char *
 sdap_sudo_new_usn(TALLOC_CTX *mem_ctx,
                   unsigned long usn,
-                  const char *leftover)
+                  const char *leftover,
+                  bool supports_usn)
 {
     const char *str = leftover == NULL ? "" : leftover;
     char *newusn;
 
+    /* This is a fresh start and server uses modifyTimestamp. We need to
+     * provide proper datetime value. */
+    if (!supports_usn && usn == 0) {
+        newusn = talloc_strdup(mem_ctx, "00000101000000Z");
+        if (newusn == NULL) {
+            DEBUG(SSSDBG_MINOR_FAILURE, "Unable to change USN value (OOM)!\n");
+            return NULL;
+        }
+
+        return newusn;
+    }
+
     /* We increment USN number so that we can later use simplify filter
      * (just usn >= last+1 instead of usn >= last && usn != last).
      */
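Review bot: the literal "00000101000000Z" in the new `if (!supports_usn && usn == 0)` branch is a magic string; give it a named constant with a comment stating that it is the minimum LDAP GeneralizedTime (year 0000, 1 January, 00:00:00 UTC), and extend the function comment to say that `supports_usn` selects between a numeric USN and a modifyTimestamp value. The message "Unable to change USN value (OOM)!" appears to be copied from the increment path below; wording it for this branch would let a log reader tell which allocation failed. Also worth confirming what happens when a cache written by the previous code still holds the old default "1": with usn == 1 and no leftover, the increment path below would emit "2", which is still not a datetime.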
@@ -182,7 +195,8 @@ sdap_sudo_set_usn(struct sdap_server_opts *srv_opts,
         srv_opts->last_usn = usn_number;
     }
 
-    newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, endptr);
+    newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, endptr,
+                               srv_opts->supports_usn);
     if (newusn == NULL) {
         return;
     }
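Review bot: the call site now passes srv_opts->supports_usn, but the new branch in sdap_sudo_new_usn only fires when last_usn is 0; when supports_usn is false and a timestamp has already been parsed into usn_number, the increment path still runs on the parsed digits with endptr holding the trailing "Z". A one-line comment here noting that the first-run case is handled inside the callee would make the intent clearer, and a test covering both the fresh-start case and the parsed-timestamp case would guard the behaviour.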
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org