From 54790675d0fd0627f7db8449ef97d59c0632006e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 24 Apr 2017 10:13:44 +0200
Subject: [PATCH 119/119] AD: Make ad_account_can_shortcut() reusable by SSSD
on an IPA server
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves:
https://pagure.io/SSSD/sssd/issue/3318
The ad_account_can_shortcut() function is helpful to avoid unnecessary
searches when SSSD is configured with an Active Directory domain that
uses ID-mapping in the sense that if we find that an ID is outside our
range, we can just abort the search in this domain and carry on.
This function was only used in the AD provider functions which are used
when SSSD is enrolled direcly with an AD server. This patch moves the
function to a codepath that is shared between directly enrolled SSSD and
SSSD running on an IPA server.
Apart from moving the code, there are some minor changes to the function
signature, namely the domain is passed as a struct (previously the
domain name from the DP input was passed).
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit dfe05f505dcfea16e7d66ca1a44206aa2570e861)
---
src/providers/ad/ad_id.c | 162 ++++++++++++++++++++++++-----------------------
1 file changed, 84 insertions(+), 78 deletions(-)
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index 8f26cb8744d2372c6180342c0d1bca025b16f52c..d1f6c444f5ddbcbbac6ff7f41fb6c8bf9ca976cb 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -50,6 +50,77 @@ disable_gc(struct ad_options *ad_options)
}
}
+static bool ad_account_can_shortcut(struct sdap_idmap_ctx *idmap_ctx,
+ struct sss_domain_info *domain,
+ int filter_type,
+ const char *filter_value)
+{
+ struct sss_domain_info *dom_head = NULL;
+ struct sss_domain_info *sid_dom = NULL;
+ enum idmap_error_code err;
+ char *sid = NULL;
+ const char *csid = NULL;
+ uint32_t id;
+ bool shortcut = false;
+ errno_t ret;
+
+ if (!sdap_idmap_domain_has_algorithmic_mapping(idmap_ctx, domain->name,
+ domain->domain_id)) {
+ goto done;
+ }
+
+ switch (filter_type) {
+ case BE_FILTER_IDNUM:
+ /* convert value to ID */
+ errno = 0;
+ id = strtouint32(filter_value, NULL, 10);
+ if (errno != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to convert filter value to "
+ "number [%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+
+ /* convert the ID to its SID equivalent */
+ err = sss_idmap_unix_to_sid(idmap_ctx->map, id, &sid;;
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Mapping ID [%s] to SID failed: "
+ "[%s]\n", filter_value, idmap_error_string(err));
+ goto done;
+ }
+ /* fall through */
+ SSS_ATTRIBUTE_FALLTHROUGH;
+ case BE_FILTER_SECID:
+ csid = sid == NULL ? filter_value : sid;
+
+ dom_head = get_domains_head(domain);
+ if (dom_head == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find domain head\n");
+ goto done;
+ }
+
+ sid_dom = find_domain_by_sid(dom_head, csid);
+ if (sid_dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Invalid domain for SID:%s\n", csid);
+ goto done;
+ }
+
+ if (strcasecmp(sid_dom->name, domain->name) != 0) {
+ shortcut = true;
+ }
+ break;
+ default:
+ break;
+ }
+
+done:
+ if (sid != NULL) {
+ sss_idmap_free_sid(idmap_ctx->map, sid);
+ }
+
+ return shortcut;
+}
+
struct ad_handle_acct_info_state {
struct dp_id_data *ar;
struct sdap_id_ctx *ctx;
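Review bot: The BE_FILTER_IDNUM branch of the new ad_account_can_shortcut() still parses with `strtouint32(filter_value, NULL, 10)` and inspects only errno, so if strtouint32 follows strtoul semantics a value with trailing characters is silently accepted as its numeric prefix and then mapped to a SID; passing an end pointer and accepting only a full parse keeps the shortcut decision from being taken on a half-parsed value: `char *end = NULL;`, `id = strtouint32(filter_value, &end, 10);`, `if (errno != 0 || end == filter_value || *end != '\0') { ... goto done; }`. The function is now the shared entry point for the AD and IPA-server paths, yet it has no header comment; a short one above the definition should state that it returns true only when the ID or SID resolves to a domain other than `domain` (so the search in that domain can be skipped) and that every failure path returns false so the normal search still runs. That fail-safe default is visible in the `done:` path and is the right one, so it is worth recording for the next caller rather than leaving it to be inferred from the gotos.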
@@ -78,6 +149,7 @@ ad_handle_acct_info_send(TALLOC_CTX *mem_ctx,
struct ad_handle_acct_info_state *state;
struct be_ctx *be_ctx = ctx->be;
errno_t ret;
+ bool shortcut;
req = tevent_req_create(mem_ctx, &state, struct ad_handle_acct_info_state);
if (req == NULL) {
@@ -90,6 +162,18 @@ ad_handle_acct_info_send(TALLOC_CTX *mem_ctx,
state->ad_options = ad_options;
state->cindex = 0;
+ /* Try to shortcut if this is ID or SID search and it belongs to
+ * other domain range than is in ar->domain. */
+ shortcut = ad_account_can_shortcut(ctx->opts->idmap_ctx,
+ sdom->dom,
+ ar->filter_type,
+ ar->filter_value);
+ if (shortcut) {
+ DEBUG(SSSDBG_TRACE_FUNC, "This ID is from different domain\n");
+ ret = EOK;
+ goto immediate;
+ }
+
if (sss_domain_get_state(sdom->dom) == DOM_INACTIVE) {
ret = ERR_SUBDOM_INACTIVE;
goto immediate;
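Review bot: The comment that moved with the call, `other domain range than is in ar->domain`, no longer describes what the new code compares: ad_account_can_shortcut() is now handed `sdom->dom` and checks the SID's domain against `sdom->dom->name`, whereas the removed version compared against the request's `data->domain`. Reword it to `/* Try to shortcut if this is an ID or SID search and the value belongs to a different domain range than sdom->dom. */` so a reader of the IPA-server path is not sent looking at ar->domain. The enclosing ad_handle_acct_info_send() and the declaration of sdom start outside the hunk, so whether sdom->dom and ar->domain can differ at this point is not visible in this diff.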
@@ -297,72 +381,6 @@ get_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx,
return clist;
}
-static bool ad_account_can_shortcut(struct be_ctx *be_ctx,
- struct sdap_idmap_ctx *idmap_ctx,
- int filter_type,
- const char *filter_value,
- const char *filter_domain)
-{
- struct sss_domain_info *domain = be_ctx->domain;
- struct sss_domain_info *req_dom = NULL;
- enum idmap_error_code err;
- char *sid = NULL;
- const char *csid = NULL;
- uint32_t id;
- bool shortcut = false;
- errno_t ret;
-
- if (!sdap_idmap_domain_has_algorithmic_mapping(idmap_ctx, domain->name,
- domain->domain_id)) {
- goto done;
- }
-
- switch (filter_type) {
- case BE_FILTER_IDNUM:
- /* convert value to ID */
- errno = 0;
- id = strtouint32(filter_value, NULL, 10);
- if (errno != 0) {
- ret = errno;
- DEBUG(SSSDBG_MINOR_FAILURE, "Unable to convert filter value to "
- "number [%d]: %s\n", ret, strerror(ret));
- goto done;
- }
-
- /* convert the ID to its SID equivalent */
- err = sss_idmap_unix_to_sid(idmap_ctx->map, id, &sid;;
- if (err != IDMAP_SUCCESS) {
- DEBUG(SSSDBG_MINOR_FAILURE, "Mapping ID [%s] to SID failed: "
- "[%s]\n", filter_value, idmap_error_string(err));
- goto done;
- }
- /* fall through */
- SSS_ATTRIBUTE_FALLTHROUGH;
- case BE_FILTER_SECID:
- csid = sid == NULL ? filter_value : sid;
-
- req_dom = find_domain_by_sid(domain, csid);
- if (req_dom == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Invalid domain for SID:%s\n", csid);
- goto done;
- }
-
- if (strcasecmp(req_dom->name, filter_domain) != 0) {
- shortcut = true;
- }
- break;
- default:
- break;
- }
-
-done:
- if (sid != NULL) {
- sss_idmap_free_sid(idmap_ctx->map, sid);
- }
-
- return shortcut;
-}
-
struct ad_account_info_handler_state {
struct sss_domain_info *domain;
struct dp_reply_std reply;
@@ -384,7 +402,6 @@ ad_account_info_handler_send(TALLOC_CTX *mem_ctx,
struct tevent_req *subreq;
struct tevent_req *req;
struct be_ctx *be_ctx;
- bool shortcut;
errno_t ret;
sdap_id_ctx = id_ctx->sdap_id_ctx;
@@ -403,17 +420,6 @@ ad_account_info_handler_send(TALLOC_CTX *mem_ctx,
goto immediately;
}
- /* Try to shortcut if this is ID or SID search and it belongs to
- * other domain range than is in ar->domain. */
- shortcut = ad_account_can_shortcut(be_ctx, sdap_id_ctx->opts->idmap_ctx,
- data->filter_type, data->filter_value,
- data->domain);
- if (shortcut) {
- DEBUG(SSSDBG_TRACE_FUNC, "This ID is from different domain\n");
- ret = EOK;
- goto immediately;
- }
-
domain = be_ctx->domain;
if (strcasecmp(data->domain, be_ctx->domain->name) != 0) {
/* Subdomain request, verify subdomain. */
--
2.9.3