URL: https://github.com/SSSD/sssd/pull/5251
Author: pbrezina
 Title: #5251: subdomains: allow to inherit case_sensitive=Preserving
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5251/head:pr5251
git checkout pr5251
From df998e5b245bbb8a9e5fdd49ad137913d7b49fe8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Mon, 20 Jul 2020 13:06:51 +0200
Subject: [PATCH 1/5] man: add auto_private_groups to subdomain_inherit

This option can be inherited since 41c497b8b9e6efb9f2aa8e4cc869d465c3b954b3
---
 src/man/sssd.conf.5.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 8b330de584..16632f9900 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -3371,6 +3371,9 @@ pam_gssapi_services = sudo, sudo-i
                             ldap_krb5_keytab (the value of krb5_keytab will be
                             used if ldap_krb5_keytab is not set explicitly)
                         </para>
+                        <para>
+                            auto_private_groups
+                        </para>
                         <para>
                             Example:
                             <programlisting>

From 432658dd495629716ac2b2582c22f8fdbaa5e1e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 21 Jul 2020 12:08:27 +0200
Subject: [PATCH 2/5] subdomains: allow to inherit case_sensitive=Preserving

Resolves: https://github.com/SSSD/sssd/issues/5250

:feature: the `case_sensitive` option can now be inherited by subdomains
---
 src/db/sysdb_subdomains.c | 10 ++++++++--
 src/man/sssd.conf.5.xml   |  3 +++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index 03ba121646..ed3e7055c3 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -157,6 +157,14 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
         dom->ignore_group_members = parent->ignore_group_members;
     }
 
+    /* Inherit case_sensitive. All subdomains are always case insensitive,
+     * but we want to inherit case preserving which is set with
+     * case_sensitive=Preserving. */
+    inherit_option = string_in_list(CONFDB_DOMAIN_CASE_SENSITIVE,
+                                    parent->sd_inherit, false);
+    dom->case_sensitive = false;
+    dom->case_preserve = inherit_option ? parent->case_preserve : false;
+
     dom->trust_direction = trust_direction;
     /* If the parent domain explicitly limits ID ranges, the subdomain
      * should honour the limits as well.
@@ -168,14 +176,12 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
     dom->cache_credentials_min_ff_length =
                                         parent->cache_credentials_min_ff_length;
     dom->cached_auth_timeout = parent->cached_auth_timeout;
-    dom->case_sensitive = false;
     dom->user_timeout = parent->user_timeout;
     dom->group_timeout = parent->group_timeout;
     dom->netgroup_timeout = parent->netgroup_timeout;
     dom->service_timeout = parent->service_timeout;
     dom->resolver_timeout = parent->resolver_timeout;
     dom->names = parent->names;
-
     dom->override_homedir = parent->override_homedir;
     dom->fallback_homedir = parent->fallback_homedir;
     dom->subdomain_homedir = parent->subdomain_homedir;
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 16632f9900..b4d3f08c80 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -3374,6 +3374,9 @@ pam_gssapi_services = sudo, sudo-i
                         <para>
                             auto_private_groups
                         </para>
+                        <para>
+                            case_sensitive
+                        </para>
                         <para>
                             Example:
                             <programlisting>

From c36bd72e5413b1093eca832942b10da668e8600c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 21 Jul 2020 12:35:20 +0200
Subject: [PATCH 3/5] subdomains: allow to set case_sensitive=Preserving in
 subdomain section

Resolves: https://github.com/SSSD/sssd/issues/5250

:feature: `case_sensitive` can now be set separately for each
  subdomain in its `[domain/parent/subdomain]` section
:feature: `case_sensitive=Preserving` can now be set for trusted domains with AD provider
---
 src/db/sysdb_subdomains.c | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
index ed3e7055c3..c0a676d491 100644
--- a/src/db/sysdb_subdomains.c
+++ b/src/db/sysdb_subdomains.c
@@ -221,6 +221,7 @@ check_subdom_config_file(struct confdb_ctx *confdb,
                          struct sss_domain_info *subdomain)
 {
     char *sd_conf_path;
+    char *case_sensitive_opt;
     TALLOC_CTX *tmp_ctx;
     errno_t ret;
 
@@ -272,6 +273,38 @@ check_subdom_config_file(struct confdb_ctx *confdb,
         goto done;
     }
 
+    /* case_sensitive=Preserving */
+    ret = confdb_get_string(confdb, tmp_ctx, sd_conf_path,
+                            CONFDB_DOMAIN_CASE_SENSITIVE, NULL,
+                            &case_sensitive_opt);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Failed to get %s option for the subdomain: %s\n",
+              CONFDB_DOMAIN_CASE_SENSITIVE, subdomain->name);
+        goto done;
+    }
+
+    if (case_sensitive_opt != NULL) {
+        DEBUG(SSSDBG_CONF_SETTINGS, "%s/%s has value %s\n", sd_conf_path,
+              CONFDB_DOMAIN_CASE_SENSITIVE, case_sensitive_opt);
+        if (strcasecmp(case_sensitive_opt, "true") == 0) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Warning: subdomain can not be set as case-sensitive.\n");
+            subdomain->case_sensitive = false;
+            subdomain->case_preserve = false;
+        } else if (strcasecmp(case_sensitive_opt, "false") == 0) {
+            subdomain->case_sensitive = false;
+            subdomain->case_preserve = false;
+        } else if (strcasecmp(case_sensitive_opt, "preserving") == 0) {
+            subdomain->case_sensitive = false;
+            subdomain->case_preserve = true;
+        } else {
+            DEBUG(SSSDBG_FATAL_FAILURE,
+                "Invalid value for %s\n", CONFDB_DOMAIN_CASE_SENSITIVE);
+            goto done;
+        }
+    }
+
     ret = EOK;
 done:
     talloc_free(tmp_ctx);
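Review bot: The "Invalid value" branch at the end of the new block jumps to `done` without changing `ret`, and `ret` is still `EOK` from the successful `confdb_get_string` call just above it, so an unrecognised `case_sensitive` value is logged as a fatal failure yet the function reports success and the subdomain silently keeps whatever case settings it inherited. Set an error before leaving that branch, e.g. `ret = EINVAL;` ahead of the `goto done;`, so callers can treat a misconfigured subdomain section the same way as the other failure paths in this function. The start of check_subdom_config_file and the `return ret;` after the `done:` label lie outside the hunk.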

From bc5541b6c1eef9bbc17472cfcdeb6012db55bf0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 21 Jul 2020 12:35:50 +0200
Subject: [PATCH 4/5] subdomains: allow to inherit case_sensitive=Preserving
 for IPA

Resolves: https://github.com/SSSD/sssd/issues/5250

:feature: `case_sensitive=Preserving` can now be set for trusted domains
  with IPA provider. However, the option needs to be set to `Preserving`
  on both client and the server for it to take effect.
---
 src/providers/ipa/ipa_s2n_exop.c | 81 +++++++++++++++++++-------------
 1 file changed, 48 insertions(+), 33 deletions(-)

diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index fb93c6233a..08b1113fa0 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -844,6 +844,46 @@ static errno_t add_v1_group_data(BerElement *ber,
     return ret;
 }
 
+static char *s2n_response_to_attrs_fqname(TALLOC_CTX *mem_ctx,
+                                          enum extdom_protocol protocol,
+                                          const char *domain_name,
+                                          const char *name)
+{
+    char *lc_name;
+    char *out_name;
+
+    if (protocol == EXTDOM_V0) {
+        /* Compatibility with older IPA servers that may use winbind instead
+         * of SSSD's server mode.
+         *
+         * Winbind is not consistent with the case of the returned user
+         * name. In general all names should be lower case but there are
+         * bug in some version of winbind which might lead to upper case
+         * letters in the name. To be on the safe side we explicitly
+         * lowercase the name.
+         */
+
+        lc_name = sss_tc_utf8_str_tolower(NULL, name);
+        if (lc_name == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
+            return NULL;
+        }
+
+        out_name = sss_create_internal_fqname(mem_ctx, lc_name, domain_name);
+        talloc_free(lc_name);
+    } else {
+        /* Keep the original casing to support case_sensitive=Preserving */
+        out_name = sss_create_internal_fqname(mem_ctx, name, domain_name);
+    }
+
+    if (out_name == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
+        return NULL;
+    }
+
+    return out_name;
+}
+
 static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
                                     struct req_input *req_input,
                                     struct resp_attrs *attrs,
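Review bot: The new helper allocates the lowercased temporary with `sss_tc_utf8_str_tolower(NULL, name)`, i.e. on a NULL talloc context, so until the explicit `talloc_free(lc_name)` it is not anchored in the caller's hierarchy and any talloc leak report would presumably attribute it to no owner. Allocating it on the result's context, `lc_name = sss_tc_utf8_str_tolower(mem_ctx, name);`, keeps the same lifetime (the free call can stay) while tying the temporary to the object it serves. The helper also has no header comment; one stating that it returns a talloc'd internal fully-qualified name owned by mem_ctx, lowercased only for EXTDOM_V0 and kept as received otherwise, and NULL on allocation failure that has already been logged, would spare readers of the two call sites from re-deriving that contract.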
@@ -865,7 +905,6 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx,
     enum response_types type;
     char *domain_name = NULL;
     char *name = NULL;
-    char *lc_name = NULL;
     uid_t uid;
     gid_t gid;
     struct resp_attrs *attrs = NULL;
@@ -920,23 +959,11 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx,
                 goto done;
             }
 
-            /* Winbind is not consistent with the case of the returned user
-             * name. In general all names should be lower case but there are
-             * bug in some version of winbind which might lead to upper case
-             * letters in the name. To be on the safe side we explicitly
-             * lowercase the name. */
-            lc_name = sss_tc_utf8_str_tolower(attrs, name);
-            if (lc_name == NULL) {
-                ret = ENOMEM;
-                goto done;
-            }
-
-            attrs->a.user.pw_name = sss_create_internal_fqname(attrs,
-                                                               lc_name,
-                                                               domain_name);
-            talloc_free(lc_name);
+            attrs->a.user.pw_name = s2n_response_to_attrs_fqname(attrs,
+                                                                 protocol,
+                                                                 domain_name,
+                                                                 name);
             if (attrs->a.user.pw_name == NULL) {
-                DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
                 ret = ENOMEM;
                 goto done;
             }
@@ -969,23 +996,11 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx,
                 goto done;
             }
 
-            /* Winbind is not consistent with the case of the returned user
-             * name. In general all names should be lower case but there are
-             * bug in some version of winbind which might lead to upper case
-             * letters in the name. To be on the safe side we explicitly
-             * lowercase the name. */
-            lc_name = sss_tc_utf8_str_tolower(attrs, name);
-            if (lc_name == NULL) {
-                ret = ENOMEM;
-                goto done;
-            }
-
-            attrs->a.group.gr_name = sss_create_internal_fqname(attrs,
-                                                                lc_name,
-                                                                domain_name);
-            talloc_free(lc_name);
+            attrs->a.group.gr_name = s2n_response_to_attrs_fqname(attrs,
+                                                                  protocol,
+                                                                  domain_name,
+                                                                  name);
             if (attrs->a.group.gr_name == NULL) {
-                DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
                 ret = ENOMEM;
                 goto done;
             }

From 0a1207633ddc03299332f9b5d23813eda13551bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Mon, 25 Jan 2021 11:44:40 +0100
Subject: [PATCH 5/5] man: update case_sensitive documentation to reflect
 changes for subdomains

---
 src/man/sssd.conf.5.xml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index b4d3f08c80..812d96ebda 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -3336,10 +3336,21 @@ pam_gssapi_services = sudo, sudo-i
                                         protocol names) are still lowercased in
                                         the output.
                                     </para>
+                                    <para>
+                                        If you want to set this value for
+                                        trusted domain with IPA provider, you
+                                        need to set it on both the client and
+                                        SSSD on the server.
+                                    </para>
                                 </listitem>
                             </varlistentry>
                         </variablelist>
                         </para>
+                        <para>
+                            This option can be also set per subdomain or
+                            inherited via
+                            <emphasis>subdomain_inherit</emphasis>.
+                        </para>
                         <para>
                             Default: True (False for AD provider)
                         </para>