From 3abbd7569f96a980676e0323d95301c50acdf062 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Wed, 22 Mar 2017 13:06:08 +0100

Subject: [PATCH 70/72] LDAP: save non-POSIX users in application domains

Related to:

https://pagure.io/SSSD/sssd/issue/3310

If a user being saved by the LDAP provider does not have a UID or GID

and the domain type is application, we save the user entry as non-POSIX.

Reviewed-by: Sumit Bose <sbose@redhat.com>

---

 src/providers/ldap/sdap_async_users.c | 72 +++++++++++++++++++++++++++--------

 1 file changed, 57 insertions(+), 15 deletions(-)

diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c

index 3d957ab584865f74499bc732395388a78965fe5f..265cd7e4f7929c295d5bdcfbd781221b74601f13 100644

--- a/src/providers/ldap/sdap_async_users.c

+++ b/src/providers/ldap/sdap_async_users.c

@@ -112,6 +112,28 @@ done:

     return ret;

 }

+static errno_t sdap_set_non_posix_flag(struct sysdb_attrs *attrs,

+                                       const char *pkey)

+{

+    errno_t ret;

+

+    ret = sysdb_attrs_add_uint32(attrs, pkey, 0);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_CRIT_FAILURE,

+              "Failed to add a zero ID to a non-posix object!\n");

+        return ret;

+    }

+

+    ret = sysdb_attrs_add_bool(attrs, SYSDB_POSIX, false);

+    if (ret != EOK) {

+        DEBUG(SSSDBG_OP_FAILURE,

+              "Error: Failed to mark objects as non-posix!\n");

+        return ret;

+    }

+

+    return EOK;

+}

+

 /* FIXME: support storing additional attributes */

 int sdap_save_user(TALLOC_CTX *memctx,

                    struct sdap_options *opts,

@@ -130,8 +152,8 @@ int sdap_save_user(TALLOC_CTX *memctx,

     const char *homedir;

     const char *shell;

     const char *orig_dn = NULL;

-    uid_t uid;

-    gid_t gid;

+    uid_t uid = 0;

+    gid_t gid = 0;

     struct sysdb_attrs *user_attrs;

     char *upn = NULL;

     size_t i;

@@ -146,6 +168,7 @@ int sdap_save_user(TALLOC_CTX *memctx,

     size_t c;

     char *p1;

     char *p2;

+    bool is_posix = true;

     DEBUG(SSSDBG_TRACE_FUNC, "Save user\n");

@@ -295,19 +318,29 @@ int sdap_save_user(TALLOC_CTX *memctx,

         ret = sysdb_attrs_get_uint32_t(attrs,

                                        opts->user_map[SDAP_AT_USER_UID].sys_name,

                                        &uid);

-        if (ret != EOK) {

+        if (ret == ENOENT && dom->type == DOM_TYPE_APPLICATION) {

+            DEBUG(SSSDBG_TRACE_INTERNAL,

+                  "Marking object as non-posix and setting ID=0!\n");

+            ret = sdap_set_non_posix_flag(user_attrs,

+                    opts->user_map[SDAP_AT_USER_UID].sys_name);

+            if (ret != EOK) {

+                goto done;

+            }

+            is_posix = false;

+        } else if (ret != EOK) {

             DEBUG(SSSDBG_CRIT_FAILURE,

-                  "no uid provided for [%s] in domain [%s].\n",

+                  "Cannot retrieve UID for [%s] in domain [%s].\n",

                    user_name, dom->name);

-            ret = EINVAL;

+            ret = ERR_NO_POSIX;

             goto done;

         }

     }

-    /* check that the uid is valid for this domain */

-    if (OUT_OF_ID_RANGE(uid, dom->id_min, dom->id_max)) {

-            DEBUG(SSSDBG_OP_FAILURE,

-                  "User [%s] filtered out! (uid out of range)\n",

-                      user_name);

+

+    /* check that the uid is valid for this domain if the user is a POSIX one */

+    if (is_posix == true && OUT_OF_ID_RANGE(uid, dom->id_min, dom->id_max)) {

+        DEBUG(SSSDBG_OP_FAILURE,

+              "User [%s] filtered out! (uid out of range)\n",

+              user_name);

         ret = EINVAL;

         goto done;

     }

@@ -349,17 +382,26 @@ int sdap_save_user(TALLOC_CTX *memctx,

         ret = sysdb_attrs_get_uint32_t(attrs,

                                        opts->user_map[SDAP_AT_USER_GID].sys_name,

                                        &gid;;

-        if (ret != EOK) {

+        if (ret == ENOENT && dom->type == DOM_TYPE_APPLICATION) {

+            DEBUG(SSSDBG_TRACE_INTERNAL,

+                  "Marking object as non-posix and setting ID=0!\n");

+            ret = sdap_set_non_posix_flag(attrs,

+                    opts->user_map[SDAP_AT_USER_GID].sys_name);

+            if (ret != EOK) {

+                goto done;

+            }

+            is_posix = false;

+        } else if (ret != EOK) {

             DEBUG(SSSDBG_CRIT_FAILURE,

-                  "no gid provided for [%s] in domain [%s].\n",

-                  user_name, dom->name);

-            ret = EINVAL;

+                  "Cannot retrieve GID for [%s] in domain [%s].\n",

+                   user_name, dom->name);

+            ret = ERR_NO_POSIX;

             goto done;

         }

     }

     /* check that the gid is valid for this domain */

-    if (IS_SUBDOMAIN(dom) == false &&

+    if (is_posix == true && IS_SUBDOMAIN(dom) == false &&

             OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {

         DEBUG(SSSDBG_CRIT_FAILURE,

               "User [%s] filtered out! (primary gid out of range)\n",

-- 

2.9.3