From e6f9e2c9282905fa41046379e0bc5c2ac82ae3a9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 27 Jul 2016 17:37:14 +0300
Subject: [PATCH 7/8] back-sch-nss: for users with aliases, return alias as uid
|
When SSSD resolves AD users on behalf of slapi-nis, it can accept
any user identifier, including user principal name (UPN) which
may be different than the canonical user name which SSSD returns.
|
As a result, the entry created by slapi-nis will use the canonical user
name but the filter for search will refer to the original (aliased)
name. The search will not match the newly created entry.
|
Fix this issue by returning two values for 'uid' attribute: the
canonical one and the aliased one. This way search will match.
|
Verified that SSSD with id_provider=ldap happily consumes such entries.
By LDAP schema, 'uid' attribute can have multiple values.
|
Fixes https://fedorahosted.org/slapi-nis/ticket/12
---
src/back-sch-nss.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
|
diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
index 702590c..db63e59 100644
--- a/src/back-sch-nss.c
+++ b/src/back-sch-nss.c
@@ -230,6 +230,7 @@ backend_build_dn(const char *attribute, const char *value,
static Slapi_Entry *
backend_make_user_entry_from_nsswitch_passwd(struct passwd *pwd,
char *container_sdn,
+ char *user_name,
struct backend_search_cbdata *cbdata)
{
Slapi_Entry *entry;
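Review bot: The new `user_name` parameter is undocumented, and its contract (nullable, and why it can differ from `pwd->pw_name`) is only recoverable from the caller in the third hunk, where `is_uid ? NULL : user_name` is passed. A comment on the parameter line would make the precondition explicit, e.g. `/* user_name: name as used for the NSS lookup, or NULL when the lookup was by uidNumber; may be an alias/UPN differing from pwd->pw_name */`. Whether the value originates from the client's search filter is not visible in this hunk, so the comment should state only what the caller guarantees. The function body continues past the end of this hunk.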
@@ -272,6 +273,18 @@ backend_make_user_entry_from_nsswitch_passwd(struct passwd *pwd,
"objectClass", "posixAccount");
slapi_entry_add_string(entry,
"uid", name);
+ if (user_name != NULL) {
+ /* For non-NULL original user name check if it was
+ * an alias/UPN. If so, add it to the entry.
+ * Yes, LDAP schema allows multiple values of 'uid'
+ * attribute.
+ */
+ if (slapi_utf8casecmp((unsigned char*) user_name,
+ (unsigned char*) name) != 0) {
+ slapi_entry_add_string(entry, "uid", user_name);
+ }
+ }
+
slapi_entry_attr_set_uint(entry,
"uidNumber", pwd->pw_uid);
slapi_entry_attr_set_uint(entry,
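Review bot: The second `uid` value is the exact string that was used for the lookup, so the entry records only the one alias that happened to trigger this call, and nothing marks which of the two values is canonical; if the resulting entry is cached or reused for later searches (not visible in this hunk), a search by a different alias of the same user would still miss. That limitation is worth stating in the comment block, e.g. `/* Only the alias used for this lookup is recorded; other aliases of the same user are not known here. */`. The return value of the added `slapi_entry_add_string` call is ignored, which matches the existing `"uid", name` call above, but a failed add here silently reproduces the very mismatch the commit fixes, so logging a failure would help diagnosis. The enclosing function continues beyond this hunk.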
@@ -510,6 +523,7 @@ repeat:
}
|
entry = backend_make_user_entry_from_nsswitch_passwd(&pwd, container_sdn,
+ is_uid ? NULL : user_name,
cbdata);
entries = malloc(sizeof(entries[0]) * 2);
if (entries != NULL) {
--
2.7.4