
From e6f9e2c9282905fa41046379e0bc5c2ac82ae3a9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 27 Jul 2016 17:37:14 +0300
Subject: [PATCH 7/8] back-sch-nss: for users with aliases, return alias as uid
When SSSD resolves AD users on behalf of slapi-nis, it can accept
any user identifier, including user principal name (UPN) which
may be different than the canonical user name which SSSD returns.
As a result, the entry created by slapi-nis will use the canonical user
name but the filter for search will refer to the original (aliased)
name. The search will not match the newly created entry.
Fix this issue by returning two values for 'uid' attribute: the
canonical one and the aliased one. This way search will match.
Verified that SSSD with id_provider=ldap happily consumes such entries.
By LDAP schema, 'uid' attribute can have multiple values.
Fixes https://fedorahosted.org/slapi-nis/ticket/12
---
 src/back-sch-nss.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
index 702590c..db63e59 100644
--- a/src/back-sch-nss.c
+++ b/src/back-sch-nss.c
@@ -230,6 +230,7 @@ backend_build_dn(const char *attribute, const char *value,
 static Slapi_Entry *
 backend_make_user_entry_from_nsswitch_passwd(struct passwd *pwd,
 					     char *container_sdn,
+					     char *user_name,
 					     struct backend_search_cbdata *cbdata)
 {
 	Slapi_Entry *entry;
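Review bot: The new `user_name` parameter is undocumented at the signature, and nothing here tells a reader that it may be NULL or where it comes from; the third hunk passes `is_uid ? NULL : user_name` and the second hunk stores it as an extra `uid` value. I would add a comment above the `char *user_name,` line: `/* user_name: the name from the search filter, or NULL when the lookup was by uidNumber; recorded as a second "uid" value when it is an alias of the canonical name */`. The function body continues past the end of this hunk.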
@@ -272,6 +273,18 @@ backend_make_user_entry_from_nsswitch_passwd(struct passwd *pwd,
 			       "objectClass", "posixAccount");
 	slapi_entry_add_string(entry,
 			       "uid", name);
+	if (user_name != NULL) {
+		/* For non-NULL original user name check if it was
+		 * an alias/UPN. If so, add it to the entry.
+		 * Yes, LDAP schema allows multiple values of 'uid'
+		 * attribute.
+		 */
+		if (slapi_utf8casecmp((unsigned char*) user_name,
+				      (unsigned char*) name) != 0) {
+			slapi_entry_add_string(entry, "uid", user_name);
+		}
+	}
+
 	slapi_entry_attr_set_uint(entry,
 				 "uidNumber", pwd->pw_uid);
 	slapi_entry_attr_set_uint(entry,
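Review bot: The second `uid` value added in the new `if (user_name != NULL)` block is the caller's original search term, so the stored entry now carries data taken from the filter, and the comment does not say why that is acceptable. Presumably it is safe only because the nss lookup for that term already resolved to this `pwd` (that call is outside the hunk), so the existing comment should state the trust boundary: `/* user_name has already been resolved by nss to this pwd, so it is a known alias of name, not arbitrary filter input */`. The comment should also say that a name differing from the canonical one only in case is deliberately skipped, since `slapi_utf8casecmp` is case-insensitive and matching on `uid` is expected to ignore case as well.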
@@ -510,6 +523,7 @@ repeat:
 	}
 
 	entry = backend_make_user_entry_from_nsswitch_passwd(&pwd, container_sdn,
+							     is_uid ? NULL : user_name,
 							     cbdata);
 	entries = malloc(sizeof(entries[0]) * 2);
 	if (entries != NULL) {
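Review bot: The argument `is_uid ? NULL : user_name` encodes that lookups by uidNumber carry no alias to record, but nothing at the call says so, and `is_uid` is defined outside the hunk. A short comment on the line before it would make the intent clear: `/* numeric lookups have no name that could be an alias */`. The enclosing function starts before this hunk (the `repeat:` label in the header suggests it is part of a retry loop), so the origin of `user_name` cannot be confirmed from here.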
-- 
2.7.4