From 118860519777791368520f4e92ecbf2ef60cb7db Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Mon, 20 Nov 2017 16:45:45 +0100

Subject: [PATCH 67/67] ipa: compare DNs instead of group names in

 ipa_s2n_save_objects()

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

If group names are used to compare the current list of group memberships

returned by the server with the one from the cache some groups might end

up in the wrong result list if group names are overridden. This

ambiguity can be resolved by using the DNs of the cached objects.

Related to https://pagure.io/SSSD/sssd/issue/3579

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

(cherry picked from commit a52226c651308a0a7732544b492eb4db56b84f1d)

---

 src/providers/ipa/ipa_s2n_exop.c | 31 ++++++++++++-------------------

 1 file changed, 12 insertions(+), 19 deletions(-)

diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c

index 49c393e9a1eb19ab683949cf633a6838274bc0fe..8b97f78620f19b0708e8a480cb72fd7f12d96dfb 100644

--- a/src/providers/ipa/ipa_s2n_exop.c

+++ b/src/providers/ipa/ipa_s2n_exop.c

@@ -2185,10 +2185,9 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,

     struct ldb_result *res;

     enum sysdb_member_type type;

     char **sysdb_grouplist;

-    char **add_groups;

     char **add_groups_dns;

-    char **del_groups;

     char **del_groups_dns;

+    char **groups_dns;

     bool in_transaction = false;

     int tret;

     struct sysdb_attrs *gid_override_attrs = NULL;

@@ -2514,33 +2513,27 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,

             }

             if (attrs->response_type == RESP_USER_GROUPLIST) {

-                ret = get_sysdb_grouplist(tmp_ctx, dom->sysdb, dom, name,

-                                          &sysdb_grouplist);

+                ret = get_sysdb_grouplist_dn(tmp_ctx, dom->sysdb, dom, name,

+                                             &sysdb_grouplist);

                 if (ret != EOK) {

                     DEBUG(SSSDBG_OP_FAILURE, "get_sysdb_grouplist failed.\n");

                     goto done;

                 }

-                ret = diff_string_lists(tmp_ctx, attrs->groups,

-                                        sysdb_grouplist, &add_groups,

-                                        &del_groups, NULL);

+                ret = get_groups_dns(tmp_ctx, dom, attrs->groups, &groups_dns);

+                if (ret != EOK) {

+                    DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");

+                    goto done;

+                }

+

+                ret = diff_string_lists(tmp_ctx, groups_dns,

+                                        sysdb_grouplist, &add_groups_dns,

+                                        &del_groups_dns, NULL);

                 if (ret != EOK) {

                     DEBUG(SSSDBG_OP_FAILURE, "diff_string_lists failed.\n");

                     goto done;

                 }

-                ret = get_groups_dns(tmp_ctx, dom, add_groups, &add_groups_dns);

-                if (ret != EOK) {

-                    DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");

-                    goto done;

-                }

-

-                ret = get_groups_dns(tmp_ctx, dom, del_groups, &del_groups_dns);

-                if (ret != EOK) {

-                    DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");

-                    goto done;

-                }

-

                 DEBUG(SSSDBG_TRACE_INTERNAL, "Updating memberships for %s\n",

                                              name);

                 ret = sysdb_update_members_dn(dom, name, SYSDB_MEMBER_USER,

-- 

2.14.3