URL: https://github.com/SSSD/sssd/pull/850
Author: pbrezina
Title: #850: sudo: use proper datetime for default modifyTimestamp value
Action: opened

PR body:
"""
The current default was simply "1", however the OpenLDAP server was unable to compare the modifyTimestamp attribute to a simple number. A proper datetime is required by OpenLDAP. It worked correctly on 389-ds.

Steps to reproduce:
1. install openldap server
2. run sssd
3. there are no sudo rules on the server and there are no cached objects
4. you'll see in the logs that sudo smart refresh uses `(&(&(objectclass=sudoRole)(modifyTimestamp>=1))...` filter (`1` instead of proper datetime value)

Resolves: https://pagure.io/SSSD/sssd/issue/4046
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/850/head:pr850
git checkout pr850
From b118540abd3b558615f68404dfff1f26429496f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Wed, 17 Jul 2019 11:57:23 +0200 Subject: [PATCH] sudo: use proper datetime for default modifyTimestamp value The current default was simply "1", however OpenLDAP server was unable to compare modifyTimestamp attribute to simple number. A proper datetime is required by OpenLDAP. It worked correctly on 389-ds. Steps to reproduce: 1. install openldap server 2. run sssd 3. there are no sudo rules on the server and there are no cached objects 4. you'll see in the logs that sudo smart refresh uses `(&(&(objectclass=sudoRole)(modifyTimestamp>=1))...` filter (`1` instead of proper datetime value) Resolves: https://pagure.io/SSSD/sssd/issue/4046 --- src/providers/ldap/sdap_sudo_shared.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c index a00d8e6a92..251584024c 100644 --- a/src/providers/ldap/sdap_sudo_shared.c +++ b/src/providers/ldap/sdap_sudo_shared.c @@ -127,11 +127,24 @@ sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx, static char * sdap_sudo_new_usn(TALLOC_CTX *mem_ctx, unsigned long usn, - const char *leftover) + const char *leftover, + bool supports_usn) { const char *str = leftover == NULL ? "" : leftover; char *newusn; + /* This is a fresh start and server uses modifyTimestamp. We need to + * provide proper datetime value. */ + if (!supports_usn && usn == 0) { + newusn = talloc_strdup(mem_ctx, "00000101000000Z"); + if (newusn == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to change USN value (OOM)!\n"); + return NULL; + } + + return newusn; + } + /* We increment USN number so that we can later use simplify filter * (just usn >= last+1 instead of usn >= last && usn != last). */ 
@@ -182,7 +195,8 @@ sdap_sudo_set_usn(struct sdap_server_opts *srv_opts, srv_opts->last_usn = usn_number; } - newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, endptr); + newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, endptr, + srv_opts->supports_usn); if (newusn == NULL) { return; }
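Review bot: in the first hunk (sdap_sudo_new_usn), the literal "00000101000000Z" is a magic string with no explanation of why that particular value was chosen; give it a named constant and a comment stating that it is meant as the earliest GeneralizedTime so that `(modifyTimestamp>=...)` matches every entry on a fresh start, and confirm that year "0000" is accepted by the servers this is aimed at, since the description only reports the failure with a bare "1". Also, `const char *str = leftover == NULL ? "" : leftover;` is computed before the new early-return block and is unused on that path; moving the `if (!supports_usn && usn == 0)` block above that declaration (or folding it into the existing flow) would keep the function tidy.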
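Review bot: in the second hunk (sdap_sudo_set_usn), forwarding `srv_opts->supports_usn` is correct for the only visible caller, but the commit message still describes only the old `modifyTimestamp>=1` filter and not what the fresh-start filter becomes after this change; state the new value in the message and add a test for sdap_sudo_set_usn with `supports_usn == false` and `last_usn == 0` so the datetime default is covered, since nothing in the patch exercises that branch.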
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org