From 6c69ea75765b93768ccc3cf55a4813f2d4b81dac Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <abokovoy@redhat.com>

Date: Sun, 7 Aug 2016 21:42:14 +0300

Subject: [PATCH] ipa-kdb: simplify trusted domain parent search

In terms of cross-forest trust parent domain is the root domain of

the forest because we only have trust established with the forest root.

In FreeIPA LDAP store all sub-domains stored in cn=<forest root>,

cn=ad,cn=trusts,... subtree. Thus, a first RDN after cn=ad is the

forest root domain. This allows us to simplify logic of finding

the parent domain.

For complex hierachical forests with more than two levels of

sub-domains, this will still be true because of the forest trust:

as forest trust is established to the forest root domain, any

communication to any sub-domain must traverse forest root domain's

domain controller.

Note that SSSD also generated incorrectly CA paths information

for forests with non-hierarchical tree-roots. In such cases

IPA KDC got confused and mistakenly assumed direct trust to the

non-hierarchical tree-root instead of going through the forest

root domain. See https://fedorahosted.org/sssd/ticket/3103 for

details.

Resolves: https://fedorahosted.org/freeipa/ticket/5738

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

---

 daemons/ipa-kdb/ipa_kdb_mspac.c | 27 ++++++++++++++-------------

 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c

index 80e7055fd6cd7b962eeffbccc675a73d73700793..76e9e99d0b691d06ccc86e0e851fb7e226d62597 100644

--- a/daemons/ipa-kdb/ipa_kdb_mspac.c

+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c

@@ -2420,6 +2420,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)

     char *base = NULL;

     char *dnstr = NULL;

     char *dnl = NULL;

+    LDAPDN dn = NULL;

     char **sid_blacklist_incoming = NULL;

     char **sid_blacklist_outgoing = NULL;

     int ret, n, i;

@@ -2547,26 +2548,26 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)

             goto done;

         }

-        /* Note that after ldap_str2rdn() call dnl will point to end of one RDN

-         * which would be '\0' for trust root domain and ',' for subdomain */

         dnl--; dnl[0] = '\0';

-        ret = ldap_str2rdn(dnstr, &rdn, &dnl, LDAP_DN_FORMAT_LDAPV3);

+        /* Create a DN, which is now everything before the base,

+         * to get list of rdn values -- the last one would be a root domain.

+         * Since with cross-forest trust we have to route everything via root

+         * domain, that is enough for us to assign parentship. */

+        ret = ldap_str2dn(dnstr, &dn, LDAP_DN_FORMAT_LDAPV3);

         if (ret) {

             goto done;

         }

-        ldap_rdnfree(rdn);

-

-        if (dnl[0] != '\0') {

-            dnl++;

-            ret = ldap_str2rdn(dnl, &rdn, &dnl, LDAP_DN_FORMAT_LDAPV3);

-            if (ret) {

-                goto done;

-            }

-            t[n].parent_name = strndup(rdn[0]->la_value.bv_val, rdn[0]->la_value.bv_len);

-            ldap_rdnfree(rdn);

+        rdn = NULL;

+        for (i = 0; dn[i] != NULL; i++) {

+            rdn = dn[i];

         }

+        /* We should have a single AVA in the domain RDN */

+        t[n].parent_name = strndup(rdn[0]->la_value.bv_val, rdn[0]->la_value.bv_len);

+

+        ldap_dnfree(dn);

+

         free(dnstr);

         dnstr = NULL;

     }

-- 

2.7.4