
From fbd38903a3c4985e560e6c670ead84597982242e Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 19 Jun 2019 11:40:56 +0200
Subject: [PATCH] ipa: use LDAP not extdom to lookup IPA users and groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently when an IPA client is resolving trusted users and groups with
the help of the extdom plugin it uses the extdom plugin as well to
lookup IPA objects. This might cause issues if e.g. there is a user in
IPA with the same name as a group in AD or the other way round.
To solve this and to lower the load on the extdom plugin on the IPA
server side this patch will look up IPA objects directly from LDAP on the
IPA server.
Related to https://pagure.io/SSSD/sssd/issue/4073
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 27b141f38dd04d4b69e609a4cc64676a0716226e)
---
 src/providers/ipa/ipa_id.c       | 11 +-----
 src/providers/ipa/ipa_id.h       |  5 +++
 src/providers/ipa/ipa_s2n_exop.c | 67 ++++++++++++++++++++++++++++++++
 3 files changed, 74 insertions(+), 9 deletions(-)
diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
index f34692aa2..94d5f9d90 100644
--- a/src/providers/ipa/ipa_id.c
+++ b/src/providers/ipa/ipa_id.c
@@ -30,13 +30,6 @@
 #include "providers/ldap/sdap_async.h"
 #include "providers/ipa/ipa_id.h"
 
-static struct tevent_req *
-ipa_id_get_account_info_send(TALLOC_CTX *memctx, struct tevent_context *ev,
-                             struct ipa_id_ctx *ipa_ctx,
-                             struct dp_id_data *ar);
-
-static int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error);
-
 static bool is_object_overridable(struct dp_id_data *ar)
 {
     bool ret = false;
@@ -516,7 +509,7 @@ static void ipa_id_get_account_info_orig_done(struct tevent_req *subreq);
 static void ipa_id_get_account_info_done(struct tevent_req *subreq);
 static void ipa_id_get_user_list_done(struct tevent_req *subreq);
 
-static struct tevent_req *
+struct tevent_req *
 ipa_id_get_account_info_send(TALLOC_CTX *memctx, struct tevent_context *ev,
                              struct ipa_id_ctx *ipa_ctx,
                              struct dp_id_data *ar)
@@ -1120,7 +1113,7 @@ fail:
     return;
 }
 
-static int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error)
+int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error)
 {
     struct ipa_id_get_account_info_state *state = tevent_req_data(req,
                                           struct ipa_id_get_account_info_state);
diff --git a/src/providers/ipa/ipa_id.h b/src/providers/ipa/ipa_id.h
index fe9acfeef..c18e709b8 100644
--- a/src/providers/ipa/ipa_id.h
+++ b/src/providers/ipa/ipa_id.h
@@ -151,4 +151,9 @@ ipa_resolve_user_list_send(TALLOC_CTX *memctx, struct tevent_context *ev,
                            struct ldb_message_element *users);
 int ipa_resolve_user_list_recv(struct tevent_req *req, int *dp_error);
 
+struct tevent_req *
+ipa_id_get_account_info_send(TALLOC_CTX *memctx, struct tevent_context *ev,
+                             struct ipa_id_ctx *ipa_ctx,
+                             struct dp_id_data *ar);
+int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error);
 #endif
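Review bot: The two prototypes now exported from ipa_id.h carry no contract comment, although they become callable from other translation units in the IPA provider; a short Doxygen block above `ipa_id_get_account_info_send` should state who owns the returned request (the `memctx` argument, presumably), whether `ar` must outlive the request or is copied into it, and what `*dp_error` holds on each return path of `ipa_id_get_account_info_recv`. Without that, a caller has to read ipa_id.c to know whether it may free `ar` before the request completes. The `ipa_s2n_exop.c` hunks in this patch are the first such caller and would benefit directly.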
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index a07f73200..598b1568e 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -1121,6 +1121,7 @@ struct ipa_s2n_get_list_state {
 static errno_t ipa_s2n_get_list_step(struct tevent_req *req);
 static void ipa_s2n_get_list_get_override_done(struct tevent_req *subreq);
 static void ipa_s2n_get_list_next(struct tevent_req *subreq);
+static void ipa_s2n_get_list_ipa_next(struct tevent_req *subreq);
 static errno_t ipa_s2n_get_list_save_step(struct tevent_req *req);
 
 static struct tevent_req *ipa_s2n_get_list_send(TALLOC_CTX *mem_ctx,
@@ -1195,6 +1196,7 @@ static errno_t ipa_s2n_get_list_step(struct tevent_req *req)
     uint32_t id;
     char *endptr;
     bool need_v1 = false;
+    struct dp_id_data *ar;
 
     parent_domain = get_domains_head(state->dom);
     switch (state->req_input.type) {
@@ -1222,6 +1224,35 @@ static errno_t ipa_s2n_get_list_step(struct tevent_req *req)
 
         state->req_input.inp.name = short_name;
 
+        if (strcmp(state->obj_domain->name,
+            state->ipa_ctx->sdap_id_ctx->be->domain->name) == 0) {
+            DEBUG(SSSDBG_TRACE_INTERNAL,
+                  "Looking up IPA object [%s] from LDAP.\n",
+                  state->list[state->list_idx]);
+            ret = get_dp_id_data_for_user_name(state,
+                                               state->list[state->list_idx],
+                                               state->obj_domain->name,
+                                               &ar);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_OP_FAILURE,
+                      "Failed to create lookup date for IPA object [%s].\n",
+                      state->list[state->list_idx]);
+                return ret;
+            }
+            ar->entry_type = state->entry_type;
+
+            subreq = ipa_id_get_account_info_send(state, state->ev,
+                                                  state->ipa_ctx, ar);
+            if (subreq == NULL) {
+                DEBUG(SSSDBG_OP_FAILURE,
+                      "ipa_id_get_account_info_send failed.\n");
+                return ENOMEM;
+            }
+            tevent_req_set_callback(subreq, ipa_s2n_get_list_ipa_next, req);
+
+            return EOK;
+        }
+
         break;
     case REQ_INP_ID:
         errno = 0;
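Review bot: `ar` is allocated on `state` for every list entry that takes the new LDAP branch and nothing releases it when the sub-request finishes, so a long member list accumulates one `dp_id_data` per IPA entry until the whole list request is freed; if `ipa_id_get_account_info_send` only keeps a pointer to it (I cannot see that from the hunk), reparenting it after the successful send with `talloc_steal(subreq, ar);` would tie its lifetime to the lookup, since the callback already does `talloc_zfree(subreq)`. The message on the `get_dp_id_data_for_user_name` error path reads `"Failed to create lookup date for IPA object [%s].\n"` and should say `data`. Whether plain `strcmp` on the two `name` fields is strict enough depends on both being the canonical spelling held in `sss_domain_info`; comparing the domain objects themselves, `if (state->obj_domain == state->ipa_ctx->sdap_id_ctx->be->domain)`, would sidestep that question if both pointers come from the same domain list. ipa_s2n_get_list_step starts and ends outside the hunk.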
@@ -1363,6 +1394,42 @@ fail:
     return;
 }
 
+static void ipa_s2n_get_list_ipa_next(struct tevent_req *subreq)
+{
+    int ret;
+    int dp_error;
+    struct tevent_req *req = tevent_req_callback_data(subreq,
+                                                      struct tevent_req);
+    struct ipa_s2n_get_list_state *state = tevent_req_data(req,
+                                               struct ipa_s2n_get_list_state);
+
+    ret = ipa_id_get_account_info_recv(subreq, &dp_error);
+    talloc_zfree(subreq);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "ipa_id_get_account_info failed: %d %d\n", ret,
+                                 dp_error);
+        goto done;
+    }
+
+    state->list_idx++;
+    if (state->list[state->list_idx] == NULL) {
+        tevent_req_done(req);
+        return;
+    }
+
+    ret = ipa_s2n_get_list_step(req);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_get_list_step failed.\n");
+        goto done;
+    }
+
+    return;
+
+done:
+    tevent_req_error(req,ret);
+    return;
+}
+
 static void ipa_s2n_get_list_get_override_done(struct tevent_req *subreq)
 {
     int ret;
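Review bot: On the failure path `ipa_s2n_get_list_ipa_next` hands only `ret` up through `tevent_req_error(req,ret)` and discards `dp_error` after logging it, so an LDAP lookup that failed because the backend is offline looks like a hard failure to whoever consumes `ipa_s2n_get_list_recv`; if the list state carries the field the existing extdom callback uses to propagate `dp_error`, it should be set here before `goto done` (I cannot see the state struct in this hunk to confirm). A smaller point of style: `tevent_req_error(req,ret);` lacks the space after the comma that every other call in the file uses. The new function also has no header comment; one line such as `/* Completion of the direct LDAP lookup started by ipa_s2n_get_list_step() for an IPA-domain entry; advances to the next list item. */` would make the split between the extdom and LDAP callbacks clear to a reader.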
-- 
2.20.1