|
 |
bb7cd1 |
From b2a823cf415a12416dca9ff019666906d61cfc2f Mon Sep 17 00:00:00 2001
|
|
|
bb7cd1 |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
bb7cd1 |
Date: Wed, 22 Mar 2017 13:06:14 +0100
|
|
|
bb7cd1 |
Subject: [PATCH 71/72] LDAP: Relax search filters in application domains
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
Related to:
|
|
|
bb7cd1 |
https://pagure.io/SSSD/sssd/issue/3310
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
If a request comes towards an application domain, we can drop the part
|
|
|
bb7cd1 |
of the filter that asserts that the object has a valid UID/GID. Instead,
|
|
|
bb7cd1 |
we just search by name.
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
bb7cd1 |
---
|
|
|
bb7cd1 |
src/providers/ldap/ldap_id.c | 35 ++++++++++++++++++++++++----
|
|
|
bb7cd1 |
src/providers/ldap/sdap_async_enum.c | 7 +++++-
|
|
|
bb7cd1 |
src/providers/ldap/sdap_async_initgroups.c | 37 ++++++++++++++++++++++++------
|
|
|
bb7cd1 |
3 files changed, 66 insertions(+), 13 deletions(-)
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
|
|
|
bb7cd1 |
index 0bee0ca8d71abece6749fdb8393b9ceacb64417d..7400dc1f57e30cc6ae5f939ffa628a1e9dd47e06 100644
|
|
|
bb7cd1 |
--- a/src/providers/ldap/ldap_id.c
|
|
|
bb7cd1 |
+++ b/src/providers/ldap/ldap_id.c
|
|
|
bb7cd1 |
@@ -56,6 +56,7 @@ struct users_get_state {
|
|
|
bb7cd1 |
char *filter;
|
|
|
bb7cd1 |
const char **attrs;
|
|
|
bb7cd1 |
bool use_id_mapping;
|
|
|
bb7cd1 |
+ bool non_posix;
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
int dp_error;
|
|
|
bb7cd1 |
int sdap_ret;
|
|
|
bb7cd1 |
@@ -114,6 +115,10 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
state->filter_value = filter_value;
|
|
|
bb7cd1 |
state->filter_type = filter_type;
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
+ if (state->domain->type == DOM_TYPE_APPLICATION) {
|
|
|
bb7cd1 |
+ state->non_posix = true;
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
state->use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(
|
|
|
bb7cd1 |
ctx->opts->idmap_ctx,
|
|
|
bb7cd1 |
sdom->dom->name,
|
|
|
bb7cd1 |
@@ -292,7 +297,13 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
- if (state->use_id_mapping || filter_type == BE_FILTER_SECID) {
|
|
|
bb7cd1 |
+ if (state->non_posix) {
|
|
|
bb7cd1 |
+ state->filter = talloc_asprintf(state,
|
|
|
bb7cd1 |
+ "(&%s(objectclass=%s)(%s=*))",
|
|
|
bb7cd1 |
+ user_filter,
|
|
|
bb7cd1 |
+ ctx->opts->user_map[SDAP_OC_USER].name,
|
|
|
bb7cd1 |
+ ctx->opts->user_map[SDAP_AT_USER_NAME].name);
|
|
|
bb7cd1 |
+ } else if (state->use_id_mapping || filter_type == BE_FILTER_SECID) {
|
|
|
bb7cd1 |
/* When mapping IDs or looking for SIDs, we don't want to limit
|
|
|
bb7cd1 |
* ourselves to users with a UID value. But there must be a SID to map
|
|
|
bb7cd1 |
* from.
|
|
|
bb7cd1 |
@@ -304,7 +315,8 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
ctx->opts->user_map[SDAP_AT_USER_NAME].name,
|
|
|
bb7cd1 |
ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name);
|
|
|
bb7cd1 |
} else {
|
|
|
bb7cd1 |
- /* When not ID-mapping, make sure there is a non-NULL UID */
|
|
|
bb7cd1 |
+ /* When not ID-mapping or looking up POSIX users,
|
|
|
bb7cd1 |
+ * make sure there is a non-NULL UID */
|
|
|
bb7cd1 |
state->filter = talloc_asprintf(state,
|
|
|
bb7cd1 |
"(&%s(objectclass=%s)(%s=*)(&(%s=*)(!(%s=0))))",
|
|
|
bb7cd1 |
user_filter,
|
|
|
bb7cd1 |
@@ -380,6 +392,7 @@ static void users_get_connect_done(struct tevent_req *subreq)
|
|
|
bb7cd1 |
* have no idea about POSIX attributes support, run a one-time check
|
|
|
bb7cd1 |
*/
|
|
|
bb7cd1 |
if (state->use_id_mapping == false &&
|
|
|
bb7cd1 |
+ state->non_posix == false &&
|
|
|
bb7cd1 |
state->ctx->opts->schema_type == SDAP_SCHEMA_AD &&
|
|
|
bb7cd1 |
state->ctx->srv_opts &&
|
|
|
bb7cd1 |
state->ctx->srv_opts->posix_checked == false) {
|
|
|
bb7cd1 |
@@ -650,6 +663,7 @@ struct groups_get_state {
|
|
|
bb7cd1 |
char *filter;
|
|
|
bb7cd1 |
const char **attrs;
|
|
|
bb7cd1 |
bool use_id_mapping;
|
|
|
bb7cd1 |
+ bool non_posix;
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
int dp_error;
|
|
|
bb7cd1 |
int sdap_ret;
|
|
|
bb7cd1 |
@@ -709,6 +723,10 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
state->filter_value = filter_value;
|
|
|
bb7cd1 |
state->filter_type = filter_type;
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
+ if (state->domain->type == DOM_TYPE_APPLICATION) {
|
|
|
bb7cd1 |
+ state->non_posix = true;
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
state->use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(
|
|
|
bb7cd1 |
ctx->opts->idmap_ctx,
|
|
|
bb7cd1 |
sdom->dom->name,
|
|
|
bb7cd1 |
@@ -827,9 +845,11 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
goto done;
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
- if (state->use_id_mapping || filter_type == BE_FILTER_SECID) {
|
|
|
bb7cd1 |
- /* When mapping IDs or looking for SIDs, we don't want to limit
|
|
|
bb7cd1 |
- * ourselves to groups with a GID value
|
|
|
bb7cd1 |
+ if (state->non_posix
|
|
|
bb7cd1 |
+ || state->use_id_mapping
|
|
|
bb7cd1 |
+ || filter_type == BE_FILTER_SECID) {
|
|
|
bb7cd1 |
+ /* When mapping IDs or looking for SIDs, or when in a non-POSIX domain,
|
|
|
bb7cd1 |
+ * we don't want to limit ourselves to groups with a GID value
|
|
|
bb7cd1 |
*/
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
state->filter = talloc_asprintf(state,
|
|
|
bb7cd1 |
@@ -1123,6 +1143,7 @@ struct groups_by_user_state {
|
|
|
bb7cd1 |
int filter_type;
|
|
|
bb7cd1 |
const char *extra_value;
|
|
|
bb7cd1 |
const char **attrs;
|
|
|
bb7cd1 |
+ bool non_posix;
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
int dp_error;
|
|
|
bb7cd1 |
int sdap_ret;
|
|
|
bb7cd1 |
@@ -1204,6 +1225,10 @@ static struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
state->domain = sdom->dom;
|
|
|
bb7cd1 |
state->sysdb = sdom->dom->sysdb;
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
+ if (state->domain->type == DOM_TYPE_APPLICATION) {
|
|
|
bb7cd1 |
+ state->non_posix = true;
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
ret = build_attrs_from_map(state, ctx->opts->group_map, SDAP_OPTS_GROUP,
|
|
|
bb7cd1 |
NULL, &state->attrs, NULL);
|
|
|
bb7cd1 |
if (ret != EOK) goto fail;
|
|
|
bb7cd1 |
diff --git a/src/providers/ldap/sdap_async_enum.c b/src/providers/ldap/sdap_async_enum.c
|
|
|
bb7cd1 |
index 3f65059e18d5c8b548da0babec867d27c3a64198..91e481c4e694126900c729e86d187fba355de0b8 100644
|
|
|
bb7cd1 |
--- a/src/providers/ldap/sdap_async_enum.c
|
|
|
bb7cd1 |
+++ b/src/providers/ldap/sdap_async_enum.c
|
|
|
bb7cd1 |
@@ -717,6 +717,7 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
struct enum_groups_state *state;
|
|
|
bb7cd1 |
int ret;
|
|
|
bb7cd1 |
bool use_mapping;
|
|
|
bb7cd1 |
+ bool non_posix = false;
|
|
|
bb7cd1 |
char *oc_list;
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
req = tevent_req_create(memctx, &state, struct enum_groups_state);
|
|
|
bb7cd1 |
@@ -727,6 +728,10 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
state->ctx = ctx;
|
|
|
bb7cd1 |
state->op = op;
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
+ if (sdom->dom->type == DOM_TYPE_APPLICATION) {
|
|
|
bb7cd1 |
+ non_posix = true;
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
use_mapping = sdap_idmap_domain_has_algorithmic_mapping(
|
|
|
bb7cd1 |
ctx->opts->idmap_ctx,
|
|
|
bb7cd1 |
sdom->dom->name,
|
|
|
bb7cd1 |
@@ -749,7 +754,7 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
goto fail;
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
- if (use_mapping) {
|
|
|
bb7cd1 |
+ if (!non_posix && use_mapping) {
|
|
|
bb7cd1 |
/* If we're ID-mapping, check for the objectSID as well */
|
|
|
bb7cd1 |
state->filter = talloc_asprintf_append_buffer(
|
|
|
bb7cd1 |
state->filter, "(%s=*)",
|
|
|
bb7cd1 |
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
|
|
|
bb7cd1 |
index 79af7a3eda3fe8533933535c98c2b4b4698dfda2..c926ddcbefe471daa80505e139c3f19efa33b9ba 100644
|
|
|
bb7cd1 |
--- a/src/providers/ldap/sdap_async_initgroups.c
|
|
|
bb7cd1 |
+++ b/src/providers/ldap/sdap_async_initgroups.c
|
|
|
bb7cd1 |
@@ -376,7 +376,7 @@ struct sdap_initgr_rfc2307_state {
|
|
|
bb7cd1 |
struct sdap_handle *sh;
|
|
|
bb7cd1 |
const char **attrs;
|
|
|
bb7cd1 |
const char *name;
|
|
|
bb7cd1 |
- const char *base_filter;
|
|
|
bb7cd1 |
+ char *base_filter;
|
|
|
bb7cd1 |
const char *orig_dn;
|
|
|
bb7cd1 |
char *filter;
|
|
|
bb7cd1 |
int timeout;
|
|
|
bb7cd1 |
@@ -473,18 +473,32 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
state->base_filter = talloc_asprintf(state,
|
|
|
bb7cd1 |
- "(&(%s=%s)(%s)(%s=*)(&(%s=*)(!(%s=0))))",
|
|
|
bb7cd1 |
+ "(&(%s=%s)(%s)(%s=*)",
|
|
|
bb7cd1 |
opts->group_map[SDAP_AT_GROUP_MEMBER].name,
|
|
|
bb7cd1 |
clean_name, oc_list,
|
|
|
bb7cd1 |
- opts->group_map[SDAP_AT_GROUP_NAME].name,
|
|
|
bb7cd1 |
- opts->group_map[SDAP_AT_GROUP_GID].name,
|
|
|
bb7cd1 |
- opts->group_map[SDAP_AT_GROUP_GID].name);
|
|
|
bb7cd1 |
+ opts->group_map[SDAP_AT_GROUP_NAME].name);
|
|
|
bb7cd1 |
if (!state->base_filter) {
|
|
|
bb7cd1 |
talloc_zfree(req);
|
|
|
bb7cd1 |
return NULL;
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
talloc_zfree(clean_name);
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
+ switch (domain->type) {
|
|
|
bb7cd1 |
+ case DOM_TYPE_APPLICATION:
|
|
|
bb7cd1 |
+ state->base_filter = talloc_asprintf_append(state->base_filter, ")");
|
|
|
bb7cd1 |
+ break;
|
|
|
bb7cd1 |
+ case DOM_TYPE_POSIX:
|
|
|
bb7cd1 |
+ state->base_filter = talloc_asprintf_append(state->base_filter,
|
|
|
bb7cd1 |
+ "(&(%s=*)(!(%s=0))))",
|
|
|
bb7cd1 |
+ opts->group_map[SDAP_AT_GROUP_GID].name,
|
|
|
bb7cd1 |
+ opts->group_map[SDAP_AT_GROUP_GID].name);
|
|
|
bb7cd1 |
+ break;
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+ if (!state->base_filter) {
|
|
|
bb7cd1 |
+ ret = ENOMEM;
|
|
|
bb7cd1 |
+ goto done;
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
ret = sdap_initgr_rfc2307_next_base(req);
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
done:
|
|
|
bb7cd1 |
@@ -2666,6 +2680,7 @@ struct sdap_get_initgr_state {
|
|
|
bb7cd1 |
char *shortname;
|
|
|
bb7cd1 |
char *filter;
|
|
|
bb7cd1 |
int timeout;
|
|
|
bb7cd1 |
+ bool non_posix;
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
struct sysdb_attrs *orig_user;
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
@@ -2724,6 +2739,10 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
goto done;
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
+ if (state->dom->type == DOM_TYPE_APPLICATION) {
|
|
|
bb7cd1 |
+ state->non_posix = true;
|
|
|
bb7cd1 |
+ }
|
|
|
bb7cd1 |
+
|
|
|
bb7cd1 |
use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(
|
|
|
bb7cd1 |
id_ctx->opts->idmap_ctx,
|
|
|
bb7cd1 |
sdom->dom->name,
|
|
|
bb7cd1 |
@@ -2813,7 +2832,10 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
}
|
|
|
bb7cd1 |
|
|
|
bb7cd1 |
- if (use_id_mapping) {
|
|
|
bb7cd1 |
+ if (state->non_posix) {
|
|
|
bb7cd1 |
+ state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
|
|
|
bb7cd1 |
+ ")");
|
|
|
bb7cd1 |
+ } else if (use_id_mapping) {
|
|
|
bb7cd1 |
/* When mapping IDs or looking for SIDs, we don't want to limit
|
|
|
bb7cd1 |
* ourselves to users with a UID value. But there must be a SID to map
|
|
|
bb7cd1 |
* from.
|
|
|
bb7cd1 |
@@ -2822,7 +2844,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
|
|
bb7cd1 |
"(%s=*))",
|
|
|
bb7cd1 |
id_ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name);
|
|
|
bb7cd1 |
} else {
|
|
|
bb7cd1 |
- /* When not ID-mapping, make sure there is a non-NULL UID */
|
|
|
bb7cd1 |
+ /* When not ID-mapping or looking up app users, make sure there
|
|
|
bb7cd1 |
+ * is a non-NULL UID */
|
|
|
bb7cd1 |
state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
|
|
|
bb7cd1 |
"(&(%s=*)(!(%s=0))))",
|
|
|
bb7cd1 |
id_ctx->opts->user_map[SDAP_AT_USER_UID].name,
|
|
|
bb7cd1 |
--
|
|
|
bb7cd1 |
2.9.3
|
|
|
bb7cd1 |
|