From 3500a7766f5443c9ec50f9c8de27e2dea8c0c234 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Nov 2017 16:41:29 +0100
Subject: [PATCH 66/67] IPA: use cache searches in get_groups_dns()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the group name is overridden in the default view we have to search
for the name and cannot construct it because the extdom plugin will
return the overridden name but the DN of the related group object in the
cache will contain the original name.
Related to https://pagure.io/SSSD/sssd/issue/3579
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
(cherry picked from commit f29040342a6d69e170f4543662621f2e27221f91)
---
src/providers/ipa/ipa_s2n_exop.c | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index c6132f509dcc8e7af84e03e8bfe20701107d1392..49c393e9a1eb19ab683949cf633a6838274bc0fe 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -2038,6 +2038,7 @@ static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
int c;
struct sss_domain_info *root_domain;
char **dn_list;
+ struct ldb_message *msg;
if (name_list == NULL) {
*_dn_list = NULL;
@@ -2082,15 +2083,25 @@ static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
goto done;
}
- /* This might fail if some unexpected cases are used. But current
- * sysdb code which handles group membership constructs DNs this way
- * as well, IPA names are lowercased and AD names by default will be
- * lowercased as well. If there are really use-cases which cause an
- * issue here, sysdb_group_strdn() has to be replaced by a proper
- * search. */
- dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
+ /* If the group name is overridden in the default view we have to
+ * search for the name and cannot construct it because the extdom
+ * plugin will return the overridden name but the DN of the related
+ * group object in the cache will contain the original name. */
+
+ ret = sysdb_search_group_by_name(tmp_ctx, dom, name_list[c], NULL,
+ &msg);
+ if (ret == EOK) {
+ dn_list[c] = ldb_dn_alloc_linearized(dn_list, msg->dn);
+ } else {
+ /* best effort, try to construct the DN */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "sysdb_search_group_by_name failed with [%d], "
+ "generating DN for [%s] in domain [%s].\n",
+ ret, name_list[c], dom->name);
+ dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
+ }
if (dn_list[c] == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_group_strdn failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_alloc_linearized failed.\n");
ret = ENOMEM;
goto done;
}
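Review bot: The NULL check after the new if/else now logs "ldb_dn_alloc_linearized failed." even when the NULL came from the fallback `sysdb_group_strdn()` branch, so the message names the wrong call in exactly the best-effort case the commit adds; a branch-neutral message such as `DEBUG(SSSDBG_OP_FAILURE, "Failed to get DN for group [%s].\n", name_list[c]);` would keep the log accurate for both paths. The else branch also treats every non-EOK result from `sysdb_search_group_by_name()` the same way at SSSDBG_TRACE_FUNC level; only ENOENT means "not cached", while any other error indicates a sysdb problem that is then hidden behind a constructed DN, so logging non-ENOENT failures at a higher level (or at least stating in the comment that the fallback is intended only for ENOENT) would help when diagnosing a stale or inconsistent cache. The body of get_groups_dns() continues outside the hunk, including the loop that increments c and the final handling of ret.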
--
2.14.3