|
|
b90f6a |
From 65953c3a20f497c318919c18198da9c57fd7b5be Mon Sep 17 00:00:00 2001
|
|
|
b90f6a |
From: Sumit Bose <sbose@redhat.com>
|
|
|
b90f6a |
Date: Wed, 25 Aug 2021 17:10:29 +0200
|
|
|
b90f6a |
Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ
|
|
|
b90f6a |
|
|
|
b90f6a |
If a client sends a request to lookup an object from a given trusted
|
|
|
b90f6a |
domain by UID or GID and an object with matching ID is only found in a
|
|
|
b90f6a |
different domain the extdom should return LDAP_NO_SUCH_OBJECT to
|
|
|
b90f6a |
indicate to the client that the requested ID does not exists in the
|
|
|
b90f6a |
given domain.
|
|
|
b90f6a |
|
|
|
b90f6a |
Resolves: https://pagure.io/freeipa/issue/8965
|
|
|
b90f6a |
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
|
b90f6a |
---
|
|
|
b90f6a |
.../ipa-extdom-extop/ipa_extdom_common.c | 8 ++++++--
|
|
|
b90f6a |
1 file changed, 6 insertions(+), 2 deletions(-)
|
|
|
b90f6a |
|
|
|
b90f6a |
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
|
|
|
b90f6a |
index 1e96c495ab1b893d963bcf0efde91d46adfd91ba..7c61099ccf2f67a5ea404c4c5e9747104a44a601 100644
|
|
|
b90f6a |
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
|
|
|
b90f6a |
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
|
|
|
b90f6a |
@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
|
|
|
b90f6a |
if (strcasecmp(locat+1, domain_name) == 0 ) {
|
|
|
b90f6a |
locat[0] = '\0';
|
|
|
b90f6a |
} else {
|
|
|
b90f6a |
- ret = LDAP_INVALID_SYNTAX;
|
|
|
b90f6a |
+ /* The found object is from a different domain than requested,
|
|
|
b90f6a |
+ * that means it does not exist in the requested domain */
|
|
|
b90f6a |
+ ret = LDAP_NO_SUCH_OBJECT;
|
|
|
b90f6a |
goto done;
|
|
|
b90f6a |
}
|
|
|
b90f6a |
}
|
|
|
b90f6a |
@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type,
|
|
|
b90f6a |
if (strcasecmp(locat+1, domain_name) == 0 ) {
|
|
|
b90f6a |
locat[0] = '\0';
|
|
|
b90f6a |
} else {
|
|
|
b90f6a |
- ret = LDAP_INVALID_SYNTAX;
|
|
|
b90f6a |
+ /* The found object is from a different domain than requested,
|
|
|
b90f6a |
+ * that means it does not exist in the requested domain */
|
|
|
b90f6a |
+ ret = LDAP_NO_SUCH_OBJECT;
|
|
|
b90f6a |
goto done;
|
|
|
b90f6a |
}
|
|
|
b90f6a |
}
|
|
|
b90f6a |
--
|
|
|
b90f6a |
2.31.1
|
|
|
b90f6a |
|