dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Blob Blame History Raw
From ee8f6d929ab3a047e05b4522cb0d61273293e2c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 19 Aug 2015 12:35:12 +0200
Subject: [PATCH 65/66] sss_override: support import and export

Resolves:
https://fedorahosted.org/sssd/ticket/2737

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 Makefile.am                |   2 +
 src/man/sss_override.8.xml |  88 +++++++
 src/tools/sss_override.c   | 588 ++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 675 insertions(+), 3 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 7dc4875c9cb05bf146505c0dc0dab543fb326bd3..e1102333b019e32c516c59c5fa969c970b688737 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -651,6 +651,7 @@ dist_noinst_HEADERS = \
     src/lib/sifp/sss_sifp_private.h \
     src/tests/cmocka/test_utils.h \
     src/tools/common/sss_tools.h \
+    src/tools/common/sss_colondb.h \
     $(NULL)
 
 
@@ -1331,6 +1332,7 @@ sss_signal_LDADD = \
 
 sss_override_SOURCES = \
     src/tools/sss_override.c \
+    src/tools/common/sss_colondb.c \
     $(SSSD_TOOLS_OBJ) \
     $(NULL)
 sss_override_LDADD = \
diff --git a/src/man/sss_override.8.xml b/src/man/sss_override.8.xml
index ec9a7bb75c13f4f18ece7f5f84baede14a8a1e2e..d289f5b7dfa7fbd328831b4c71d45b4c555225cf 100644
--- a/src/man/sss_override.8.xml
+++ b/src/man/sss_override.8.xml
@@ -77,6 +77,50 @@
             </varlistentry>
             <varlistentry>
                 <term>
+                    <option>user-import</option>
+                    <emphasis>FILE</emphasis>
+                </term>
+                <listitem>
+                    <para>
+                        Import user overrides from <emphasis>FILE</emphasis>.
+                        Data format is similar to standard passwd file.
+                        The format is:
+                    </para>
+                    <para>
+                        original_name:name:uid:gid:gecos:home:shell
+                    </para>
+                    <para>
+                        where original_name is original name of the user whose
+                        attributes should be overridden. The rest of fields
+                        correspond to new values. You can omit a value simply
+                        by leaving corresponding field empty.
+                    </para>
+                    <para>
+                        Examples:
+                    </para>
+                    <para>
+                        ckent:superman::::::
+                    </para>
+                    <para>
+                        ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash
+                    </para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>
+                    <option>user-export</option>
+                    <emphasis>FILE</emphasis>
+                </term>
+                <listitem>
+                    <para>
+                        Export all overridden attributes and store them in
+                        <emphasis>FILE</emphasis>. See
+                        <emphasis>user-import</emphasis> for data format.
+                    </para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>
                     <option>group-add</option>
                     <emphasis>NAME</emphasis>
                     <optional><option>-n,--name</option> NAME</optional>
@@ -99,6 +143,50 @@
                     </para>
                 </listitem>
             </varlistentry>
+            <varlistentry>
+                <term>
+                    <option>group-import</option>
+                    <emphasis>FILE</emphasis>
+                </term>
+                <listitem>
+                    <para>
+                        Import group overrides from <emphasis>FILE</emphasis>.
+                        Data format is similar to standard group file.
+                        The format is:
+                    </para>
+                    <para>
+                        original_name:name:gid
+                    </para>
+                    <para>
+                        where original_name is original name of the group whose
+                        attributes should be overridden. The rest of fields
+                        correspond to new values. You can omit a value simply
+                        by leaving corresponding field empty.
+                    </para>
+                    <para>
+                        Examples:
+                    </para>
+                    <para>
+                        admins:administrators:
+                    </para>
+                    <para>
+                        Domain Users:Users:501
+                    </para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>
+                    <option>group-export</option>
+                    <emphasis>FILE</emphasis>
+                </term>
+                <listitem>
+                    <para>
+                        Export all overridden attributes and store them in
+                        <emphasis>FILE</emphasis>. See
+                        <emphasis>group-import</emphasis> for data format.
+                    </para>
+                </listitem>
+            </varlistentry>
         </variablelist>
     </refsect1>
 
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index 9e2ce3325c0bfa33fadb970f725098d7d12ac432..ee8351ea97e5efe0d449dc646c6136b32ceec2c6 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -23,8 +23,10 @@
 #include "util/util.h"
 #include "db/sysdb.h"
 #include "tools/common/sss_tools.h"
+#include "tools/common/sss_colondb.h"
 
 #define LOCALVIEW SYSDB_LOCAL_VIEW_NAME
+#define ORIGNAME "originalName"
 
 struct override_user {
     const char *input_name;
@@ -135,6 +137,40 @@ static int parse_cmdline_group_del(struct sss_cmdline *cmdline,
                          &group->orig_name, &group->domain);
 }
 
+static int parse_cmdline_import(struct sss_cmdline *cmdline,
+                                struct sss_tool_ctx *tool_ctx,
+                                const char **_file)
+{
+    int ret;
+
+    ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL,
+                           NULL, NULL, "FILE", "File to import the data from.",
+                           _file);
+    if (ret != EXIT_SUCCESS) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
+        return ret;
+    }
+
+    return EXIT_SUCCESS;
+}
+
+static int parse_cmdline_export(struct sss_cmdline *cmdline,
+                                struct sss_tool_ctx *tool_ctx,
+                                const char **_file)
+{
+    int ret;
+
+    ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL,
+                           NULL, NULL, "FILE", "File to export the data to.",
+                           _file);
+    if (ret != EXIT_SUCCESS) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
+        return ret;
+    }
+
+    return EXIT_SUCCESS;
+}
+
 static errno_t prepare_view(struct sss_domain_info *domain)
 {
     char *viewname = NULL;
@@ -293,8 +329,8 @@ static char *get_fqname(TALLOC_CTX *mem_ctx,
                         const char *name)
 {
     char *fqname;
-    size_t fqlen;
-    size_t check;
+    int fqlen;
+    int check;
 
     if (domain == NULL) {
         return NULL;
@@ -315,7 +351,7 @@ static char *get_fqname(TALLOC_CTX *mem_ctx,
     }
 
     check = sss_fqname(fqname, fqlen, domain->names, domain, name);
-    if (check != fqlen - 1) {
+    if (check < 0 || check != fqlen - 1) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Failed to generate a fully qualified name "
               "for user [%s] in [%s]! Skipping user.\n", name, domain->name);
         talloc_free(fqname);
@@ -724,6 +760,246 @@ done:
     return ret;
 }
 
+static errno_t append_name(struct sss_domain_info *domain,
+                           struct ldb_message *override)
+{
+    TALLOC_CTX *tmp_ctx;
+    struct ldb_context *ldb = sysdb_ctx_get_ldb(domain->sysdb);
+    struct ldb_dn *dn;
+    struct ldb_message **msgs;
+    const char *attrs[] = {SYSDB_NAME, NULL};
+    const char *name;
+    const char *fqname;
+    size_t count;
+    errno_t ret;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+        return ENOMEM;
+    }
+
+    dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, override,
+                                 SYSDB_OVERRIDE_OBJECT_DN);
+    if (dn == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Missing overrideObjectDN?\n");
+        ret = ERR_INTERNAL;
+        goto done;
+    }
+
+    ret = sysdb_search_entry(tmp_ctx, domain->sysdb, dn, LDB_SCOPE_BASE,
+                             NULL, attrs, &count, &msgs);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_search_entry() failed [%d]: %s\n",
+              ret, sss_strerror(ret));
+        goto done;
+    } else if (count != 1) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "More than one user found?\n");
+        ret = ERR_INTERNAL;
+        goto done;
+    }
+
+    name = ldb_msg_find_attr_as_string(msgs[0], SYSDB_NAME, NULL);
+    if (name == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Object with no name?\n");
+        ret = ERR_INTERNAL;
+        goto done;
+    }
+
+    fqname = get_fqname(tmp_ctx, domain, name);
+    if (fqname == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get fqname\n");
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ret = ldb_msg_add_string(override, ORIGNAME, fqname);
+    if (ret != LDB_SUCCESS) {
+        ret = sysdb_error_to_errno(ret);
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add attribute to msg\n");
+        goto done;
+    }
+
+    talloc_steal(override, fqname);
+
+done:
+    talloc_free(tmp_ctx);
+
+    return ret;
+}
+
+static errno_t list_overrides(TALLOC_CTX *mem_ctx,
+                              const char *filter,
+                              const char **attrs,
+                              struct sss_domain_info *domain,
+                              size_t *_count,
+                              struct ldb_message ***_msgs)
+{
+    TALLOC_CTX *tmp_ctx;
+    struct ldb_dn *dn;
+    struct ldb_context *ldb = sysdb_ctx_get_ldb(domain->sysdb);
+    size_t count;
+    struct ldb_message **msgs;
+    size_t i;
+    int ret;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+        return ENOMEM;
+    }
+
+    /* Acquire list of override objects. */
+    dn = ldb_dn_new_fmt(tmp_ctx, ldb, SYSDB_TMPL_VIEW_SEARCH_BASE, LOCALVIEW);
+    if (dn == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new_fmt() failed.\n");
+        ret = EIO;
+        goto done;
+    }
+
+    ret = sysdb_search_entry(tmp_ctx, domain->sysdb, dn, LDB_SCOPE_SUBTREE,
+                             filter, attrs, &count, &msgs);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_search_entry() failed [%d]: %s\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
+    /* Amend messages with original name. */
+    for (i = 0; i < count; i++) {
+        ret = append_name(domain, msgs[i]);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to append name [%d]: %s\n",
+                  ret, sss_strerror(ret));
+            goto done;
+        }
+    }
+
+    *_msgs = talloc_steal(mem_ctx, msgs);
+    *_count = count;
+
+    ret = EOK;
+
+done:
+    talloc_free(tmp_ctx);
+
+    return ret;
+}
+
+static struct override_user *
+list_user_overrides(TALLOC_CTX *mem_ctx,
+                    struct sss_domain_info *domain)
+{
+    TALLOC_CTX *tmp_ctx;
+    struct override_user *objs;
+    struct ldb_message **msgs;
+    size_t count;
+    size_t i;
+    errno_t ret;
+    const char *attrs[] = SYSDB_PW_ATTRS;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+        return NULL;
+    }
+
+    ret = list_overrides(tmp_ctx, "(objectClass=" SYSDB_OVERRIDE_USER_CLASS ")",
+                         attrs, domain, &count, &msgs);
+    if (ret != EOK) {
+        goto done;
+    }
+
+    objs = talloc_zero_array(tmp_ctx, struct override_user, count + 1);
+    if (objs == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    for (i = 0; i < count; i++) {
+        objs[i].orig_name = ldb_msg_find_attr_as_string(msgs[i], ORIGNAME,
+                                                        NULL);
+        if (objs[i].orig_name == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Missing name?!\n");
+            ret = ERR_INTERNAL;
+            goto done;
+        }
+
+        objs[i].name = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
+        objs[i].uid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_UIDNUM, 0);
+        objs[i].gid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
+        objs[i].home = ldb_msg_find_attr_as_string(msgs[i], SYSDB_HOMEDIR, NULL);
+        objs[i].shell = ldb_msg_find_attr_as_string(msgs[i], SYSDB_SHELL, NULL);
+        objs[i].gecos = ldb_msg_find_attr_as_string(msgs[i], SYSDB_GECOS, NULL);
+    }
+
+    talloc_steal(mem_ctx, objs);
+
+done:
+    talloc_free(tmp_ctx);
+
+    if (ret != EOK) {
+        return NULL;
+    }
+
+    return objs;
+}
+
+static struct override_group *
+list_group_overrides(TALLOC_CTX *mem_ctx,
+                     struct sss_domain_info *domain)
+{
+    TALLOC_CTX *tmp_ctx;
+    struct override_group *objs;
+    struct ldb_message **msgs;
+    size_t count;
+    size_t i;
+    errno_t ret;
+    const char *attrs[] = SYSDB_GRSRC_ATTRS;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+        return NULL;
+    }
+
+    ret = list_overrides(tmp_ctx, "(objectClass=" SYSDB_OVERRIDE_GROUP_CLASS ")",
+                         attrs, domain, &count, &msgs);
+    if (ret != EOK) {
+        goto done;
+    }
+
+    objs = talloc_zero_array(tmp_ctx, struct override_group, count + 1);
+    if (objs == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    for (i = 0; i < count; i++) {
+        objs[i].orig_name = ldb_msg_find_attr_as_string(msgs[i], ORIGNAME,
+                                                        NULL);
+        if (objs[i].orig_name == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Missing name?!\n");
+            ret = ERR_INTERNAL;
+            goto done;
+        }
+
+        objs[i].name = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
+        objs[i].gid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
+    }
+
+    talloc_steal(mem_ctx, objs);
+
+done:
+    talloc_free(tmp_ctx);
+
+    if (ret != EOK) {
+        return NULL;
+    }
+
+    return objs;
+}
+
 static int override_user_add(struct sss_cmdline *cmdline,
                              struct sss_tool_ctx *tool_ctx,
                              void *pvt)
@@ -777,6 +1053,161 @@ static int override_user_del(struct sss_cmdline *cmdline,
     return EXIT_SUCCESS;
 }
 
+static int override_user_import(struct sss_cmdline *cmdline,
+                                struct sss_tool_ctx *tool_ctx,
+                                void *pvt)
+{
+    TALLOC_CTX *tmp_ctx;
+    struct sss_colondb *db;
+    const char *filename;
+    struct override_user obj;
+    int linenum = 1;
+    errno_t ret;
+    int exit;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+        return EXIT_FAILURE;
+    }
+
+    /**
+     * Format: orig_name:name:uid:gid:gecos:home:shell
+     */
+    struct sss_colondb_read_field table[] = {
+        {SSS_COLONDB_STRING, {.str = &obj.input_name}},
+        {SSS_COLONDB_STRING, {.str = &obj.name}},
+        {SSS_COLONDB_UINT32, {.uint32 = &obj.uid}},
+        {SSS_COLONDB_UINT32, {.uint32 = &obj.gid}},
+        {SSS_COLONDB_STRING, {.str = &obj.gecos}},
+        {SSS_COLONDB_STRING, {.str = &obj.home}},
+        {SSS_COLONDB_STRING, {.str = &obj.shell}},
+        {SSS_COLONDB_SENTINEL, {0}}
+    };
+
+    ret = parse_cmdline_import(cmdline, tool_ctx, &filename);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+        exit = EXIT_FAILURE;
+        goto done;
+    }
+
+    db = sss_colondb_open(tool_ctx, SSS_COLONDB_READ, filename);
+    if (db == NULL) {
+        fprintf(stderr, _("Unable to open %s.\n"), filename);
+        exit = EXIT_FAILURE;
+        goto done;
+    }
+
+    while ((ret = sss_colondb_readline(tmp_ctx, db, table)) == EOK) {
+        linenum++;
+
+        ret = sss_tool_parse_name(tool_ctx, tool_ctx, obj.input_name,
+                                  &obj.orig_name, &obj.domain);
+        if (ret != EOK) {
+            fprintf(stderr, _("Unable to parse name %s.\n"), obj.input_name);
+            exit = EXIT_FAILURE;
+            goto done;
+        }
+
+        ret = get_user_domain_msg(tool_ctx, &obj);
+        if (ret != EOK) {
+            exit = EXIT_FAILURE;
+            goto done;
+        }
+
+        ret = override_user(tool_ctx, &obj);
+        if (ret != EOK) {
+            exit = EXIT_FAILURE;
+            goto done;
+        }
+
+        talloc_free_children(tmp_ctx);
+    }
+
+    if (ret != EOF) {
+        fprintf(stderr, _("Invalid format on line %d. "
+                "Use --debug option for more information.\n"), linenum);
+        exit = EXIT_FAILURE;
+        goto done;
+    }
+
+    exit = EXIT_SUCCESS;
+
+done:
+    talloc_free(tmp_ctx);
+    return exit;
+}
+
+static int override_user_export(struct sss_cmdline *cmdline,
+                                struct sss_tool_ctx *tool_ctx,
+                                void *pvt)
+{
+    struct sss_colondb *db;
+    const char *filename;
+    struct override_user *objs;
+    struct sss_domain_info *dom;
+    errno_t ret;
+    int exit;
+    int i;
+
+    ret = parse_cmdline_export(cmdline, tool_ctx, &filename);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+        exit = EXIT_FAILURE;
+        goto done;
+    }
+
+    db = sss_colondb_open(tool_ctx, SSS_COLONDB_WRITE, filename);
+    if (db == NULL) {
+        fprintf(stderr, _("Unable to open %s.\n"), filename);
+        exit = EXIT_FAILURE;
+        goto done;
+    }
+
+    dom = tool_ctx->domains;
+    do {
+        objs = list_user_overrides(tool_ctx, tool_ctx->domains);
+        if (objs == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get override objects\n");
+            exit = EXIT_FAILURE;
+            goto done;
+        }
+
+        for (i = 0; objs[i].orig_name != NULL; i++) {
+            /**
+             * Format: orig_name:name:uid:gid:gecos:home:shell
+             */
+            struct sss_colondb_write_field table[] = {
+                {SSS_COLONDB_STRING, {.str = objs[i].orig_name}},
+                {SSS_COLONDB_STRING, {.str = objs[i].name}},
+                {SSS_COLONDB_UINT32, {.uint32 = objs[i].uid}},
+                {SSS_COLONDB_UINT32, {.uint32 = objs[i].gid}},
+                {SSS_COLONDB_STRING, {.str = objs[i].gecos}},
+                {SSS_COLONDB_STRING, {.str = objs[i].home}},
+                {SSS_COLONDB_STRING, {.str = objs[i].shell}},
+                {SSS_COLONDB_SENTINEL, {0}}
+            };
+
+            ret = sss_colondb_writeline(db, table);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_CRIT_FAILURE, "Unable to write line to db\n");
+                exit = EXIT_FAILURE;
+                goto done;
+            }
+        }
+
+        /* All overrides are under the same subtree, so we don't want to
+         * descent into subdomains. */
+        dom = get_next_domain(dom, false);
+    } while (dom != NULL);
+
+    exit = EXIT_SUCCESS;
+
+done:
+    return exit;
+}
+
 static int override_group_add(struct sss_cmdline *cmdline,
                               struct sss_tool_ctx *tool_ctx,
                               void *pvt)
@@ -831,13 +1262,164 @@ static int override_group_del(struct sss_cmdline *cmdline,
     return EXIT_SUCCESS;
 }
 
+static int override_group_import(struct sss_cmdline *cmdline,
+                                 struct sss_tool_ctx *tool_ctx,
+                                 void *pvt)
+{
+    TALLOC_CTX *tmp_ctx;
+    struct sss_colondb *db;
+    const char *filename;
+    struct override_group obj;
+    int linenum = 1;
+    errno_t ret;
+    int exit;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+        return EXIT_FAILURE;
+    }
+
+    /**
+     * Format: orig_name:name:gid
+     */
+    struct sss_colondb_read_field table[] = {
+        {SSS_COLONDB_STRING, {.str = &obj.input_name}},
+        {SSS_COLONDB_STRING, {.str = &obj.name}},
+        {SSS_COLONDB_UINT32, {.uint32 = &obj.gid}},
+        {SSS_COLONDB_SENTINEL, {0}}
+    };
+
+    ret = parse_cmdline_import(cmdline, tool_ctx, &filename);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+        exit = EXIT_FAILURE;
+        goto done;
+    }
+
+    db = sss_colondb_open(tool_ctx, SSS_COLONDB_READ, filename);
+    if (db == NULL) {
+        fprintf(stderr, _("Unable to open %s.\n"), filename);
+        exit = EXIT_FAILURE;
+        goto done;
+    }
+
+    while ((ret = sss_colondb_readline(tmp_ctx, db, table)) == EOK) {
+        linenum++;
+
+        ret = sss_tool_parse_name(tool_ctx, tool_ctx, obj.input_name,
+                                  &obj.orig_name, &obj.domain);
+        if (ret != EOK) {
+            fprintf(stderr, _("Unable to parse name %s.\n"), obj.input_name);
+            exit = EXIT_FAILURE;
+            goto done;
+        }
+
+        ret = get_group_domain_msg(tool_ctx, &obj);
+        if (ret != EOK) {
+            exit = EXIT_FAILURE;
+            goto done;
+        }
+
+        ret = override_group(tool_ctx, &obj);
+        if (ret != EOK) {
+            exit = EXIT_FAILURE;
+            goto done;
+        }
+
+        talloc_free_children(tmp_ctx);
+    }
+
+    if (ret != EOF) {
+        fprintf(stderr, _("Invalid format on line %d. "
+                "Use --debug option for more information.\n"), linenum);
+        exit = EXIT_FAILURE;
+        goto done;
+    }
+
+    exit = EXIT_SUCCESS;
+
+done:
+    talloc_free(tmp_ctx);
+    return exit;
+}
+
+static int override_group_export(struct sss_cmdline *cmdline,
+                                 struct sss_tool_ctx *tool_ctx,
+                                 void *pvt)
+{
+    struct sss_colondb *db;
+    const char *filename;
+    struct override_group *objs;
+    struct sss_domain_info *dom;
+    errno_t ret;
+    int exit;
+    int i;
+
+    ret = parse_cmdline_export(cmdline, tool_ctx, &filename);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+        exit = EXIT_FAILURE;
+        goto done;
+    }
+
+    db = sss_colondb_open(tool_ctx, SSS_COLONDB_WRITE, filename);
+    if (db == NULL) {
+        fprintf(stderr, _("Unable to open %s.\n"), filename);
+        exit = EXIT_FAILURE;
+        goto done;
+    }
+
+    dom = tool_ctx->domains;
+    do {
+        objs = list_group_overrides(tool_ctx, tool_ctx->domains);
+        if (objs == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get override objects\n");
+            exit = EXIT_FAILURE;
+            goto done;
+        }
+
+        for (i = 0; objs[i].orig_name != NULL; i++) {
+            /**
+             * Format: orig_name:name:uid:gid:gecos:home:shell
+             */
+            struct sss_colondb_write_field table[] = {
+                {SSS_COLONDB_STRING, {.str = objs[i].orig_name}},
+                {SSS_COLONDB_STRING, {.str = objs[i].name}},
+                {SSS_COLONDB_UINT32, {.uint32 = objs[i].gid}},
+                {SSS_COLONDB_SENTINEL, {0}}
+            };
+
+            ret = sss_colondb_writeline(db, table);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_CRIT_FAILURE, "Unable to write line to db\n");
+                exit = EXIT_FAILURE;
+                goto done;
+            }
+        }
+
+        /* All overrides are under the same subtree, so we don't want to
+         * descent into subdomains. */
+        dom = get_next_domain(dom, false);
+    } while (dom != NULL);
+
+    exit = EXIT_SUCCESS;
+
+done:
+    return exit;
+}
+
 int main(int argc, const char **argv)
 {
     struct sss_route_cmd commands[] = {
         {"user-add", override_user_add},
         {"user-del", override_user_del},
+        {"user-import", override_user_import},
+        {"user-export", override_user_export},
         {"group-add", override_group_add},
         {"group-del", override_group_del},
+        {"group-import", override_group_import},
+        {"group-export", override_group_export},
         {NULL, NULL}
     };
 
-- 
2.4.3