From 94ccedbe69e1e5a8497bb8a241d3a701d6cb9433 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 26 2015 09:18:39 +0000 Subject: import slapi-nis-0.54-3.el7_1 --- diff --git a/SOURCES/slapi-nis-nss-Make-sure-default-buffer-for-nsswitch-operations-is-.patch b/SOURCES/slapi-nis-nss-Make-sure-default-buffer-for-nsswitch-operations-is-.patch new file mode 100644 index 0000000..26f8579 --- /dev/null +++ b/SOURCES/slapi-nis-nss-Make-sure-default-buffer-for-nsswitch-operations-is-.patch @@ -0,0 +1,32 @@ +From 92c4f4942547730efdca83501d130906eb07aeb0 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 25 Feb 2015 10:08:39 +0200 +Subject: [PATCH 3/3] Make sure default buffer for nsswitch operations is big + enough + +By default initial buffer sizes for getgrent/getgrnam/... functions +are way small for large groups in Active Directory so make sure +we have something reasonable for groups with hundreds or thousands members. +--- + src/back-sch.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/src/back-sch.c b/src/back-sch.c +index 2388d2f..a4ae016 100644 +--- a/src/back-sch.c ++++ b/src/back-sch.c +@@ -1443,10 +1443,7 @@ backend_search_cb(Slapi_PBlock *pb) + /* If during search of some sets we staged additional lookups, perform them. */ + if (cbdata.staged != NULL) { + /* Allocate buffer to be used for getpwnam_r/getgrnam_r requests */ +- cbdata.nsswitch_buffer_len = MAX(sysconf(_SC_GETPW_R_SIZE_MAX), sysconf(_SC_GETGR_R_SIZE_MAX)); +- if (cbdata.nsswitch_buffer_len == -1) { +- cbdata.nsswitch_buffer_len = 16384; +- } ++ cbdata.nsswitch_buffer_len = MAX(16384, MAX(sysconf(_SC_GETPW_R_SIZE_MAX), sysconf(_SC_GETGR_R_SIZE_MAX))); + cbdata.nsswitch_buffer = malloc(cbdata.nsswitch_buffer_len); + /* Go over the list of staged requests and retrieve entries. + * It is important to perform the retrieval *without* holding any locks to the map cache */ +-- +2.1.0 + diff --git a/SOURCES/slapi-nis-nss-make-sure-to-remember-the-length-of-reallocated.patch b/SOURCES/slapi-nis-nss-make-sure-to-remember-the-length-of-reallocated.patch new file mode 100644 index 0000000..b63ec75 --- /dev/null +++ b/SOURCES/slapi-nis-nss-make-sure-to-remember-the-length-of-reallocated.patch @@ -0,0 +1,49 @@ +From af63a29f8689f8649e70d963462a03485f9f30f5 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 24 Feb 2015 13:18:34 +0200 +Subject: [PATCH 2/2] nss: make sure to remember the length of reallocated + buffer + +--- + src/back-sch-nss.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c +index 3a21ff6..f8177d7 100644 +--- a/src/back-sch-nss.c ++++ b/src/back-sch-nss.c +@@ -484,6 +484,7 @@ repeat: + buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); + if (buf != NULL) { + cbdata->nsswitch_buffer = buf; ++ cbdata->nsswitch_buffer_len *= 2; + goto repeat; + } + } +@@ -613,6 +614,7 @@ repeat: + buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); + if (buf != NULL) { + cbdata->nsswitch_buffer = buf; ++ cbdata->nsswitch_buffer_len *= 2; + goto repeat; + } + } +@@ -668,6 +670,7 @@ repeat: + buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); + if (buf != NULL) { + cbdata->nsswitch_buffer = buf; ++ cbdata->nsswitch_buffer_len *= 2; + goto repeat; + } + } +@@ -718,6 +721,7 @@ repeat: + buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); + if (buf != NULL) { + cbdata->nsswitch_buffer = buf; ++ cbdata->nsswitch_buffer_len *= 2; + goto repeat; + } + } +-- +2.1.0 + diff --git a/SOURCES/slapi-nis-use-libnss_sss.so.2-explicitly.patch b/SOURCES/slapi-nis-use-libnss_sss.so.2-explicitly.patch new file mode 100644 index 0000000..fe53f22 --- /dev/null +++ b/SOURCES/slapi-nis-use-libnss_sss.so.2-explicitly.patch @@ -0,0 +1,473 @@ +From 89b7a6f79cbcdbaea3b073983864a2a59ab6daaa Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 12 Nov 2014 13:23:17 +0200 +Subject: [PATCH] schema-compat: use libnss_sss.so.2 explicitly to resolve + trusted domain users via NSS + +When Schema Compatibility plugin is configured to enumerate users and groups +from Active Directory domains trusted by FreeIPA, use nss_sss module directly +instead of following nsswitch.conf configuration. + +The issue with nsswitch.conf configuration is in the fact that for each request +all modules in NSS chain are processed while only one of them is responsible +for users from trusted Active Directory domains, namely, nss_sss. +--- + configure.ac | 1 + + doc/ipa/sch-ipa.txt | 14 ++- + src/back-sch-nss.c | 246 ++++++++++++++++++++++++++++++++++++++++++++-------- + src/back-sch.h | 5 ++ + src/plug-sch.c | 3 + + src/plugin.h | 1 + + 6 files changed, 231 insertions(+), 39 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 9174980..92647ea 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -343,6 +343,7 @@ fi + AM_CONDITIONAL([USE_PAM], [test "x$use_pam" != xno]) + + if test "x$use_nsswitch" != xno ; then ++ AC_CHECK_HEADERS([stdint.h nss.h dlfcn.h]) + if pkg-config sss_nss_idmap 2> /dev/null ; then + if test x$use_sss_nss_idmap != xno ; then + AC_DEFINE(HAVE_SSS_NSS_IDMAP,1,[Define if you have libsss_nss_idmap.]) +diff --git a/doc/ipa/sch-ipa.txt b/doc/ipa/sch-ipa.txt +index f560580..106e6cc 100644 +--- a/doc/ipa/sch-ipa.txt ++++ b/doc/ipa/sch-ipa.txt +@@ -47,6 +47,11 @@ Plugin allows to expose users and groups from trusted domains. These users + and groups are available on the compatibility trees and can be used for + querying their attributes and authenticating against them. + ++Schema Compatibility Plugin relies on SSSD to discover users from trusted ++domains. NSS module provided by SSSD (libnss_sss.so.2) is loaded explicitly by ++Schema Compatibility Plugin and all calls are directed to SSSD instead of using ++generic NSSWITCH API. ++ + Additionally, authentication against IPA users is also supported, provided + that the Schema Compatibility Plugin is given an ordering preference in + the Directory Server configuration. By default, all Directory server plugins +@@ -70,10 +75,11 @@ schema-compat-nsswitch-min-id: + specifies that the minimal numeric id of the user or group should be not less + than the value. Defaults to 1000. + +-When FreeIPA 3.3 is in use, ipa-adtrust-install utility will automatically configure +-the Schema Compatibility Plugin to allow serving users and groups from trusted domains. +-No additional configuration is needed. ipa-adtrust-install, however, will not set the +-minimal numeric id for user or group. ++When FreeIPA 3.3 or later is in use, ipa-adtrust-install utility will ++automatically configure the Schema Compatibility Plugin to allow serving users ++and groups from trusted domains. No additional configuration is needed. ++ipa-adtrust-install, however, will not set the minimal numeric id for user or ++group. + + == Authentication of the trusted domains' users == + +diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c +index 12ae589..3a21ff6 100644 +--- a/src/back-sch-nss.c ++++ b/src/back-sch-nss.c +@@ -28,9 +28,10 @@ + #include + #include + #include ++#include ++#include + #include + #include +-#include + + #ifdef HAVE_DIRSRV_SLAPI_PLUGIN_H + #include +@@ -307,6 +308,144 @@ backend_make_user_entry_from_nsswitch_passwd(struct passwd *pwd, + return entry; + } + ++/* Possible results of lookup using a nss_* function. ++ * Note: don't include nss.h as its path gets overriden by NSS library */ ++enum nss_status ++{ ++ NSS_STATUS_TRYAGAIN = -2, ++ NSS_STATUS_UNAVAIL, ++ NSS_STATUS_NOTFOUND, ++ NSS_STATUS_SUCCESS, ++ NSS_STATUS_RETURN ++}; ++ ++struct nss_ops_ctx { ++ void *dl_handle; ++ ++ enum nss_status (*getpwnam_r)(const char *name, struct passwd *result, ++ char *buffer, size_t buflen, int *errnop); ++ enum nss_status (*getpwuid_r)(uid_t uid, struct passwd *result, ++ char *buffer, size_t buflen, int *errnop); ++ enum nss_status (*setpwent)(void); ++ enum nss_status (*getpwent_r)(struct passwd *result, ++ char *buffer, size_t buflen, int *errnop); ++ enum nss_status (*endpwent)(void); ++ ++ enum nss_status (*getgrnam_r)(const char *name, struct group *result, ++ char *buffer, size_t buflen, int *errnop); ++ enum nss_status (*getgrgid_r)(gid_t gid, struct group *result, ++ char *buffer, size_t buflen, int *errnop); ++ enum nss_status (*setgrent)(void); ++ enum nss_status (*getgrent_r)(struct group *result, ++ char *buffer, size_t buflen, int *errnop); ++ enum nss_status (*endgrent)(void); ++ ++ enum nss_status (*initgroups_dyn)(const char *user, gid_t group, ++ long int *start, long int *size, ++ gid_t **groups, long int limit, ++ int *errnop); ++}; ++ ++void backend_nss_init_context(struct nss_ops_ctx **nss_context) ++{ ++ struct nss_ops_ctx *ctx = NULL; ++ ++ if (nss_context == NULL) { ++ return; ++ } ++ ++ ctx = calloc(1, sizeof(struct nss_ops_ctx)); ++ ++ *nss_context = ctx; ++ if (ctx == NULL) { ++ return; ++ } ++ ++ ctx->dl_handle = dlopen("libnss_sss.so.2", RTLD_NOW); ++ if (ctx->dl_handle == NULL) { ++ goto fail; ++ } ++ ++ ctx->getpwnam_r = dlsym(ctx->dl_handle, "_nss_sss_getpwnam_r"); ++ if (ctx->getpwnam_r == NULL) { ++ goto fail; ++ } ++ ++ ctx->getpwuid_r = dlsym(ctx->dl_handle, "_nss_sss_getpwuid_r"); ++ if (ctx->getpwuid_r == NULL) { ++ goto fail; ++ } ++ ++ ctx->setpwent = dlsym(ctx->dl_handle, "_nss_sss_setpwent"); ++ if (ctx->setpwent == NULL) { ++ goto fail; ++ } ++ ++ ctx->getpwent_r = dlsym(ctx->dl_handle, "_nss_sss_getpwent_r"); ++ if (ctx->getpwent_r == NULL) { ++ goto fail; ++ } ++ ++ ctx->endpwent = dlsym(ctx->dl_handle, "_nss_sss_endpwent"); ++ if (ctx->endpwent == NULL) { ++ goto fail; ++ } ++ ++ ctx->getgrnam_r = dlsym(ctx->dl_handle, "_nss_sss_getgrnam_r"); ++ if (ctx->getgrnam_r == NULL) { ++ goto fail; ++ } ++ ++ ctx->getgrgid_r = dlsym(ctx->dl_handle, "_nss_sss_getgrgid_r"); ++ if (ctx->getgrgid_r == NULL) { ++ goto fail; ++ } ++ ++ ctx->setgrent = dlsym(ctx->dl_handle, "_nss_sss_setgrent"); ++ if (ctx->setgrent == NULL) { ++ goto fail; ++ } ++ ++ ctx->getgrent_r = dlsym(ctx->dl_handle, "_nss_sss_getgrent_r"); ++ if (ctx->getgrent_r == NULL) { ++ goto fail; ++ } ++ ++ ctx->endgrent = dlsym(ctx->dl_handle, "_nss_sss_endgrent"); ++ if (ctx->endgrent == NULL) { ++ goto fail; ++ } ++ ++ ctx->initgroups_dyn = dlsym(ctx->dl_handle, "_nss_sss_initgroups_dyn"); ++ if (ctx->initgroups_dyn == NULL) { ++ goto fail; ++ } ++ ++ return; ++ ++fail: ++ backend_nss_free_context(nss_context); ++ ++ return; ++} ++ ++void ++backend_nss_free_context(struct nss_ops_ctx **nss_context) ++{ ++ if (nss_context == NULL) { ++ return; ++ } ++ ++ if ((*nss_context)->dl_handle != NULL) { ++ dlclose((*nss_context)->dl_handle); ++ } ++ ++ free((*nss_context)); ++ *nss_context = NULL; ++} ++ ++ ++ + static Slapi_Entry ** + backend_retrieve_user_entry_from_nsswitch(char *user_name, bool_t is_uid, + char *container_sdn, +@@ -315,25 +454,33 @@ backend_retrieve_user_entry_from_nsswitch(char *user_name, bool_t is_uid, + { + struct passwd pwd, *result; + Slapi_Entry *entry, **entries; +- int rc; ++ enum nss_status rc; + char *buf = NULL; ++ struct nss_ops_ctx *ctx = NULL; ++ int lerrno; ++ ++ ctx = cbdata->state->nss_context; + ++ if (ctx == NULL) { ++ return NULL; ++ } + repeat: + if (cbdata->nsswitch_buffer == NULL) { + return NULL; + } + + if (is_uid) { +- rc = getpwuid_r((uid_t) atoll(user_name), &pwd, +- cbdata->nsswitch_buffer, +- cbdata->nsswitch_buffer_len, &result); ++ rc = ctx->getpwuid_r((uid_t) atoll(user_name), &pwd, ++ cbdata->nsswitch_buffer, ++ cbdata->nsswitch_buffer_len, &lerrno); + } else { +- rc = getpwnam_r(user_name, &pwd, +- cbdata->nsswitch_buffer, +- cbdata->nsswitch_buffer_len, &result); ++ rc = ctx->getpwnam_r(user_name, &pwd, ++ cbdata->nsswitch_buffer, ++ cbdata->nsswitch_buffer_len, &lerrno); + } +- if ((result == NULL) || (rc != 0)) { +- if (rc == ERANGE) { ++ ++ if ((rc != NSS_STATUS_SUCCESS)) { ++ if (lerrno == ERANGE) { + buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); + if (buf != NULL) { + cbdata->nsswitch_buffer = buf; +@@ -437,25 +584,32 @@ backend_retrieve_group_entry_from_nsswitch(char *group_name, bool_t is_gid, + { + struct group grp, *result; + Slapi_Entry *entry, **entries; +- int rc; ++ enum nss_status rc; + char *buf = NULL; ++ struct nss_ops_ctx *ctx = NULL; ++ int lerrno = 0; ++ ++ ctx = cbdata->state->nss_context; + ++ if (ctx == NULL) { ++ return NULL; ++ } + repeat: + if (cbdata->nsswitch_buffer == NULL) { + return NULL; + } + + if (is_gid) { +- rc = getgrgid_r((gid_t) atoll(group_name), &grp, +- cbdata->nsswitch_buffer, +- cbdata->nsswitch_buffer_len, &result); ++ rc = ctx->getgrgid_r((gid_t) atoll(group_name), &grp, ++ cbdata->nsswitch_buffer, ++ cbdata->nsswitch_buffer_len, &lerrno); + } else { +- rc = getgrnam_r(group_name, &grp, +- cbdata->nsswitch_buffer, +- cbdata->nsswitch_buffer_len, &result); ++ rc = ctx->getgrnam_r(group_name, &grp, ++ cbdata->nsswitch_buffer, ++ cbdata->nsswitch_buffer_len, &lerrno); + } +- if ((result == NULL) || (rc != 0)) { +- if (rc == ERANGE) { ++ if ((rc != NSS_STATUS_SUCCESS)) { ++ if (lerrno == ERANGE) { + buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); + if (buf != NULL) { + cbdata->nsswitch_buffer = buf; +@@ -490,20 +644,27 @@ backend_retrieve_group_entry_from_nsswitch_by_gid(gid_t gid, + { + struct group grp, *result; + Slapi_Entry *entry; +- int rc; ++ enum nss_status rc; + char *buf = NULL; ++ struct nss_ops_ctx *ctx = NULL; ++ int lerrno = 0; + ++ ctx = cbdata->state->nss_context; ++ ++ if (ctx == NULL) { ++ return NULL; ++ } + repeat: + if (cbdata->nsswitch_buffer == NULL) { + return NULL; + } + +- rc = getgrgid_r(gid, &grp, +- cbdata->nsswitch_buffer, +- cbdata->nsswitch_buffer_len, &result); ++ rc = ctx->getgrgid_r(gid, &grp, ++ cbdata->nsswitch_buffer, ++ cbdata->nsswitch_buffer_len, &lerrno); + +- if ((result == NULL) || (rc != 0)) { +- if (rc == ERANGE) { ++ if ((rc != NSS_STATUS_SUCCESS)) { ++ if (lerrno == ERANGE) { + buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); + if (buf != NULL) { + cbdata->nsswitch_buffer = buf; +@@ -532,19 +693,28 @@ backend_retrieve_group_list_from_nsswitch(char *user_name, char *container_sdn, + gid_t *grouplist, *tmp_list; + Slapi_Entry **entries, *entry, **tmp; + char *buf = NULL; +- int rc, ngroups, i, idx; +- ++ int i, idx; ++ struct nss_ops_ctx *ctx = NULL; ++ int lerrno = 0; ++ long int ngroups = 0; ++ long int start = 0; ++ enum nss_status rc; ++ ++ ctx = cbdata->state->nss_context; ++ if (ctx == NULL) { ++ return NULL; ++ } + repeat: + if (cbdata->nsswitch_buffer == NULL) { + return NULL; + } + +- rc = getpwnam_r(user_name, &pwd, +- cbdata->nsswitch_buffer, +- cbdata->nsswitch_buffer_len, &pwd_result); ++ rc = ctx->getpwnam_r(user_name, &pwd, ++ cbdata->nsswitch_buffer, ++ cbdata->nsswitch_buffer_len, &lerrno); + +- if ((pwd_result == NULL) || (rc != 0)) { +- if (rc == ERANGE) { ++ if ((rc != NSS_STATUS_SUCCESS)) { ++ if (lerrno == ERANGE) { + buf = realloc(cbdata->nsswitch_buffer, cbdata->nsswitch_buffer_len * 2); + if (buf != NULL) { + cbdata->nsswitch_buffer = buf; +@@ -559,14 +729,20 @@ repeat: + } + + ngroups = 32; ++ start = 0; + grouplist = malloc(sizeof(gid_t) * ngroups); + if (grouplist == NULL) { + return NULL; + } + ++ grouplist[0] = pwd.pw_gid; ++ start++; ++ + do { +- rc = getgrouplist(user_name, pwd.pw_gid, grouplist, &ngroups); +- if (rc < ngroups) { ++ rc = ctx->initgroups_dyn(user_name, pwd.pw_gid, ++ &start, &ngroups, &grouplist, ++ -1, &lerrno); ++ if ((rc != NSS_STATUS_SUCCESS)) { + tmp_list = realloc(grouplist, ngroups * sizeof(gid_t)); + if (tmp_list == NULL) { + free(grouplist); +@@ -574,7 +750,7 @@ repeat: + } + grouplist = tmp_list; + } +- } while (rc != ngroups); ++ } while (rc != NSS_STATUS_SUCCESS); + + entries = calloc(ngroups + 1, sizeof(entries[0])); + if (entries == NULL) { +diff --git a/src/back-sch.h b/src/back-sch.h +index 26e12d1..1aedf36 100644 +--- a/src/back-sch.h ++++ b/src/back-sch.h +@@ -115,6 +115,11 @@ struct backend_search_filter_config { + + int backend_analyze_search_filter(Slapi_Filter *filter, struct backend_search_filter_config *config); + ++/* Operations against nsswitch API */ ++struct nss_ops_ctx; ++void backend_nss_init_context(struct nss_ops_ctx **nss_context); ++void backend_nss_free_context(struct nss_ops_ctx **nss_context); ++ + void backend_search_nsswitch(struct backend_set_data *set_data, + struct backend_search_cbdata *cbdata); + +diff --git a/src/plug-sch.c b/src/plug-sch.c +index 5d74beb..5a6e736 100644 +--- a/src/plug-sch.c ++++ b/src/plug-sch.c +@@ -52,6 +52,7 @@ + + #include "backend.h" + #include "back-shr.h" ++#include "back-sch.h" + #include "map.h" + #include "plugin.h" + #include "portmap.h" +@@ -109,6 +110,7 @@ plugin_startup(Slapi_PBlock *pb) + /* Populate the tree of fake entries. */ + backend_startup(pb, state); + state->pam_lock = wrap_new_rwlock(); ++ backend_nss_init_context((struct nss_ops_ctx**) &state->nss_context); + /* Note that the plugin is ready to go. */ + slapi_log_error(SLAPI_LOG_PLUGIN, plugin_description.spd_id, + "plugin startup completed\n"); +@@ -123,6 +125,7 @@ plugin_shutdown(Slapi_PBlock *pb) + map_done(state); + wrap_free_rwlock(state->pam_lock); + state->pam_lock = NULL; ++ backend_nss_free_context((struct nss_ops_ctx**) &state->nss_context); + state->plugin_base = NULL; + slapi_log_error(SLAPI_LOG_PLUGIN, state->plugin_desc->spd_id, + "plugin shutdown completed\n"); +diff --git a/src/plugin.h b/src/plugin.h +index 3967fb0..94ad747 100644 +--- a/src/plugin.h ++++ b/src/plugin.h +@@ -46,6 +46,7 @@ struct plugin_state { + } listener[4]; + /* Schema compat-specific data. */ + struct wrapped_rwlock *pam_lock; ++ void *nss_context; + }; + + #endif +-- +2.1.0 + diff --git a/SOURCES/slapi-nis-use-slapi_entry_find_attr.patch b/SOURCES/slapi-nis-use-slapi_entry_find_attr.patch index f8a175a..2cb9ad3 100644 --- a/SOURCES/slapi-nis-use-slapi_entry_find_attr.patch +++ b/SOURCES/slapi-nis-use-slapi_entry_find_attr.patch @@ -1,18 +1,39 @@ -From ef62d2313145ccb69bc0974fcbab2c5d9b627f37 Mon Sep 17 00:00:00 2001 +From 59198a21f15d310ad693f8b8cbd0df9595234ef5 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 14 Oct 2014 17:25:46 +0300 -Subject: [PATCH 3/3] Use slapi_entry_find_attr instead of - slapi_entry_attr_exists +Subject: [PATCH] Use slapi_entry_find_attr instead of slapi_entry_attr_exists To keep slapi-nis code portable to older versions of 389-ds-base, avoid using slapi_entry_attr_exists() as it was only introduced in 389-ds-base 1.3.3.0. --- - src/back-sch.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) + src/back-sch-idview.c | 3 ++- + src/back-sch.c | 7 ++++++- + 2 files changed, 8 insertions(+), 2 deletions(-) +diff --git a/src/back-sch-idview.c b/src/back-sch-idview.c +index f1150cd..93fbab5 100644 +--- a/src/back-sch-idview.c ++++ b/src/back-sch-idview.c +@@ -157,6 +157,7 @@ idview_process_overrides(struct backend_search_cbdata *cbdata, + /* 2. If there is indeed an override, replace attribute values except for the ones that should be ignored */ + if (override_entry != NULL) { + Slapi_Attr *override_attr = NULL; ++ Slapi_Attr *sattr = NULL; + + result = slapi_entry_first_attr(override_entry, &override_attr); + while (result == 0) { +@@ -173,7 +174,7 @@ idview_process_overrides(struct backend_search_cbdata *cbdata, + if (filterout_attrs[i] == NULL) { + /* Replace the attribute's value with the override or + * add an override value if the attribute didn't exist */ +- result = slapi_entry_attr_exists(entry, override_type); ++ result = slapi_entry_attr_find(entry, override_type, &sattr); + if (result == 1) { + result = slapi_entry_attr_delete(entry, override_type); + } diff --git a/src/back-sch.c b/src/back-sch.c -index 27d5101..0177ed3 100644 +index 2388d2f..d0ed323 100644 --- a/src/back-sch.c +++ b/src/back-sch.c @@ -997,9 +997,11 @@ backend_search_entry_cb(const char *domain, const char *map, bool_t secure, diff --git a/SPECS/slapi-nis.spec b/SPECS/slapi-nis.spec index ff006cd..8d96f16 100644 --- a/SPECS/slapi-nis.spec +++ b/SPECS/slapi-nis.spec @@ -11,7 +11,7 @@ Name: slapi-nis Version: 0.54 -Release: 2%{?dist} +Release: 3%{?dist} Summary: NIS Server and Schema Compatibility plugins for Directory Server Group: System Environment/Daemons License: GPLv2 @@ -21,12 +21,15 @@ Source1: https://fedorahosted.org/releases/s/l/slapi-nis/slapi-nis-%{version}.ta Patch0: slapi-nis-use-slapi_entry_find_attr.patch Patch1: slapi-nis-ID-views-ignore-searches-for-views-outside-the-subtrees.patch Patch2: slapi-nis-schema-compat-support-ID-overrides-in-bind-callback.patch +Patch3: slapi-nis-use-libnss_sss.so.2-explicitly.patch +Patch4: slapi-nis-nss-make-sure-to-remember-the-length-of-reallocated.patch +Patch5: slapi-nis-nss-Make-sure-default-buffer-for-nsswitch-operations-is-.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: 389-ds-base-devel, %{ldap_impl}-devel BuildRequires: nspr-devel, nss-devel, /usr/bin/rpcgen %if 0%{?fedora} > 18 || 0%{?rhel} > 6 BuildRequires: libsss_nss_idmap-devel -%define sss_nss_opts --with-sss-nss-idmap --with-idviews +%define sss_nss_opts --with-sss-nss-idmap %else %define sss_nss_opts %{nil} %endif @@ -61,7 +64,9 @@ for attributes from multiple entries in the tree. %patch0 -p1 %patch1 -p1 %patch2 -p1 - +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 %build %configure --disable-static --with-tcp-wrappers --with-ldap=%{ldap_impl} \ --with-nsswitch --with-pam --with-pam-service=system-auth \ @@ -91,6 +96,10 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/nisserver-plugin-defs %changelog +* Wed Mar 18 2015 Alexander Bokovoy - 0.54-3 +- Fix CVE-2015-0283 +- Resolves: #1202995 + * Thu Oct 30 2014 Alexander Bokovoy - 0.54-2 - Complete ID views support to BIND operation - Ignore ID views outside schema-compat subtrees