|
 |
ecf709 |
From b7d2310e9ddd79bfdea2bc334bd11d4df9be37a2 Mon Sep 17 00:00:00 2001
|
|
|
ecf709 |
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
|
ecf709 |
Date: Wed, 12 Apr 2017 10:43:25 +0200
|
|
|
ecf709 |
Subject: [PATCH 105/110] RESPONDER: Fallback to global domain resolution order
|
|
|
ecf709 |
in case the view doesn't have this option set
|
|
|
ecf709 |
MIME-Version: 1.0
|
|
|
ecf709 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ecf709 |
Content-Transfer-Encoding: 8bit
|
|
|
ecf709 |
|
|
|
ecf709 |
The current code has been ignoring the domain resolution order set
|
|
|
ecf709 |
globally on IPA in case there's a view but this doesn't have any domain
|
|
|
ecf709 |
resolution order set.
|
|
|
ecf709 |
|
|
|
ecf709 |
It happens because we haven't been checking whether the view attribute
|
|
|
ecf709 |
didn't exist and then we ended up populating the list cache_req domains'
|
|
|
ecf709 |
list assuming that no order has been set instead of falling back to the
|
|
|
ecf709 |
next preferred method.
|
|
|
ecf709 |
|
|
|
ecf709 |
Related:
|
|
|
ecf709 |
https://pagure.io/SSSD/sssd/issue/3001
|
|
|
ecf709 |
|
|
|
ecf709 |
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
ecf709 |
|
|
|
ecf709 |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
ecf709 |
(cherry picked from commit a3faad0e4dc1ca4473746c3822ecfc5aed876e6d)
|
|
|
ecf709 |
---
|
|
|
ecf709 |
src/responder/common/cache_req/cache_req_domain.c | 14 ++-
|
|
|
ecf709 |
src/responder/common/cache_req/cache_req_domain.h | 5 +-
|
|
|
ecf709 |
src/responder/common/responder_common.c | 108 +++++++++++++---------
|
|
|
ecf709 |
3 files changed, 74 insertions(+), 53 deletions(-)
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c
|
|
|
ecf709 |
index bbabd695f1c6b6c29b7e61f571382ab9adfb0ea2..86a88efd54ca0f4a0748b44ece1b8515438d4628 100644
|
|
|
ecf709 |
--- a/src/responder/common/cache_req/cache_req_domain.c
|
|
|
ecf709 |
+++ b/src/responder/common/cache_req/cache_req_domain.c
|
|
|
ecf709 |
@@ -120,20 +120,21 @@ done:
|
|
|
ecf709 |
return cr_domains;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
-struct cache_req_domain *
|
|
|
ecf709 |
+errno_t
|
|
|
ecf709 |
cache_req_domain_new_list_from_domain_resolution_order(
|
|
|
ecf709 |
TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
struct sss_domain_info *domains,
|
|
|
ecf709 |
- const char *domain_resolution_order)
|
|
|
ecf709 |
+ const char *domain_resolution_order,
|
|
|
ecf709 |
+ struct cache_req_domain **_cr_domains)
|
|
|
ecf709 |
{
|
|
|
ecf709 |
TALLOC_CTX *tmp_ctx;
|
|
|
ecf709 |
- struct cache_req_domain *cr_domains = NULL;
|
|
|
ecf709 |
+ struct cache_req_domain *cr_domains;
|
|
|
ecf709 |
char **list = NULL;
|
|
|
ecf709 |
errno_t ret;
|
|
|
ecf709 |
|
|
|
ecf709 |
tmp_ctx = talloc_new(NULL);
|
|
|
ecf709 |
if (tmp_ctx == NULL) {
|
|
|
ecf709 |
- return NULL;
|
|
|
ecf709 |
+ return ENOMEM;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
if (domain_resolution_order != NULL) {
|
|
|
ecf709 |
@@ -160,7 +161,10 @@ cache_req_domain_new_list_from_domain_resolution_order(
|
|
|
ecf709 |
goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
+ *_cr_domains = cr_domains;
|
|
|
ecf709 |
+ ret = EOK;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
done:
|
|
|
ecf709 |
talloc_free(tmp_ctx);
|
|
|
ecf709 |
- return cr_domains;
|
|
|
ecf709 |
+ return ret;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
diff --git a/src/responder/common/cache_req/cache_req_domain.h b/src/responder/common/cache_req/cache_req_domain.h
|
|
|
ecf709 |
index 41c50e8c293d7b032cb2f05482c40e93e4f723dc..000087e5ca2074f22169a4af627810f4f287e430 100644
|
|
|
ecf709 |
--- a/src/responder/common/cache_req/cache_req_domain.h
|
|
|
ecf709 |
+++ b/src/responder/common/cache_req/cache_req_domain.h
|
|
|
ecf709 |
@@ -34,11 +34,12 @@ struct cache_req_domain *
|
|
|
ecf709 |
cache_req_domain_get_domain_by_name(struct cache_req_domain *domains,
|
|
|
ecf709 |
const char *name);
|
|
|
ecf709 |
|
|
|
ecf709 |
-struct cache_req_domain *
|
|
|
ecf709 |
+errno_t
|
|
|
ecf709 |
cache_req_domain_new_list_from_domain_resolution_order(
|
|
|
ecf709 |
TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
struct sss_domain_info *domains,
|
|
|
ecf709 |
- const char *domain_resolution_order);
|
|
|
ecf709 |
+ const char *domain_resolution_order,
|
|
|
ecf709 |
+ struct cache_req_domain **_cr_domains);
|
|
|
ecf709 |
|
|
|
ecf709 |
void cache_req_domain_list_zfree(struct cache_req_domain **cr_domains);
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
|
|
|
ecf709 |
index ac6320b08de09bc6c7e8dd1af72e0a493a449f7a..62b71b5104fdbb585d086d44d2ca2ab9717dd788 100644
|
|
|
ecf709 |
--- a/src/responder/common/responder_common.c
|
|
|
ecf709 |
+++ b/src/responder/common/responder_common.c
|
|
|
ecf709 |
@@ -1486,10 +1486,11 @@ fail:
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
/* ====== Helper functions for the domain resolution order ======= */
|
|
|
ecf709 |
-static struct cache_req_domain *
|
|
|
ecf709 |
+static errno_t
|
|
|
ecf709 |
sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
struct sss_domain_info *domains,
|
|
|
ecf709 |
- struct sysdb_ctx *sysdb)
|
|
|
ecf709 |
+ struct sysdb_ctx *sysdb,
|
|
|
ecf709 |
+ struct cache_req_domain **_cr_domains)
|
|
|
ecf709 |
{
|
|
|
ecf709 |
TALLOC_CTX *tmp_ctx;
|
|
|
ecf709 |
struct cache_req_domain *cr_domains = NULL;
|
|
|
ecf709 |
@@ -1498,7 +1499,7 @@ sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
|
|
|
ecf709 |
tmp_ctx = talloc_new(NULL);
|
|
|
ecf709 |
if (tmp_ctx == NULL) {
|
|
|
ecf709 |
- return NULL;
|
|
|
ecf709 |
+ return ENOMEM;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
ret = sysdb_get_view_domain_resolution_order(tmp_ctx, sysdb,
|
|
|
ecf709 |
@@ -1510,12 +1511,13 @@ sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
- /* Using mem_ctx (which is rctx) directly here to avoid copying
|
|
|
ecf709 |
- * this memory around. */
|
|
|
ecf709 |
- cr_domains = cache_req_domain_new_list_from_domain_resolution_order(
|
|
|
ecf709 |
- mem_ctx, domains, domain_resolution_order);
|
|
|
ecf709 |
- if (cr_domains == NULL) {
|
|
|
ecf709 |
- ret = ENOMEM;
|
|
|
ecf709 |
+ if (ret == ENOENT) {
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ ret = cache_req_domain_new_list_from_domain_resolution_order(
|
|
|
ecf709 |
+ mem_ctx, domains, domain_resolution_order, &cr_domains);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
DEBUG(SSSDBG_DEFAULT,
|
|
|
ecf709 |
"cache_req_domain_new_list_from_domain_resolution_order() "
|
|
|
ecf709 |
"failed [%d]: [%s].\n",
|
|
|
ecf709 |
@@ -1523,25 +1525,31 @@ sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
+ *_cr_domains = cr_domains;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ ret = EOK;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
done:
|
|
|
ecf709 |
talloc_free(tmp_ctx);
|
|
|
ecf709 |
- return cr_domains;
|
|
|
ecf709 |
+ return ret;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
-static struct cache_req_domain *
|
|
|
ecf709 |
+static errno_t
|
|
|
ecf709 |
sss_resp_new_cr_domains_from_ipa_config(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
struct sss_domain_info *domains,
|
|
|
ecf709 |
struct sysdb_ctx *sysdb,
|
|
|
ecf709 |
- const char *domain)
|
|
|
ecf709 |
+ const char *domain,
|
|
|
ecf709 |
+ struct cache_req_domain **_cr_domains)
|
|
|
ecf709 |
{
|
|
|
ecf709 |
TALLOC_CTX *tmp_ctx;
|
|
|
ecf709 |
- struct cache_req_domain *cr_domains = NULL;
|
|
|
ecf709 |
const char *domain_resolution_order = NULL;
|
|
|
ecf709 |
errno_t ret;
|
|
|
ecf709 |
|
|
|
ecf709 |
+ *_cr_domains = NULL;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
tmp_ctx = talloc_new(NULL);
|
|
|
ecf709 |
if (tmp_ctx == NULL) {
|
|
|
ecf709 |
- return NULL;
|
|
|
ecf709 |
+ return ENOMEM;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
ret = sysdb_domain_get_domain_resolution_order(tmp_ctx, sysdb, domain,
|
|
|
ecf709 |
@@ -1554,11 +1562,13 @@ sss_resp_new_cr_domains_from_ipa_config(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
- /* Using mem_ctx (which is rctx) directly here to avoid copying
|
|
|
ecf709 |
- * this memory around. */
|
|
|
ecf709 |
- cr_domains = cache_req_domain_new_list_from_domain_resolution_order(
|
|
|
ecf709 |
- mem_ctx, domains, domain_resolution_order);
|
|
|
ecf709 |
- if (cr_domains == NULL) {
|
|
|
ecf709 |
+ if (ret == ENOENT) {
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ ret = cache_req_domain_new_list_from_domain_resolution_order(
|
|
|
ecf709 |
+ mem_ctx, domains, domain_resolution_order, _cr_domains);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
DEBUG(SSSDBG_DEFAULT,
|
|
|
ecf709 |
"cache_req_domain_new_list_from_domain_resolution_order() "
|
|
|
ecf709 |
"failed [%d]: [%s].\n",
|
|
|
ecf709 |
@@ -1566,9 +1576,11 @@ sss_resp_new_cr_domains_from_ipa_config(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
+ ret = EOK;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
done:
|
|
|
ecf709 |
talloc_free(tmp_ctx);
|
|
|
ecf709 |
- return cr_domains;
|
|
|
ecf709 |
+ return ret;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
|
|
|
ecf709 |
@@ -1578,16 +1590,16 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
|
|
|
ecf709 |
errno_t ret;
|
|
|
ecf709 |
|
|
|
ecf709 |
if (rctx->domain_resolution_order != NULL) {
|
|
|
ecf709 |
- cr_domains = cache_req_domain_new_list_from_domain_resolution_order(
|
|
|
ecf709 |
- rctx, rctx->domains, rctx->domain_resolution_order);
|
|
|
ecf709 |
-
|
|
|
ecf709 |
- if (cr_domains == NULL) {
|
|
|
ecf709 |
+ ret = cache_req_domain_new_list_from_domain_resolution_order(
|
|
|
ecf709 |
+ rctx, rctx->domains,
|
|
|
ecf709 |
+ rctx->domain_resolution_order, &cr_domains);
|
|
|
ecf709 |
+ if (ret == EOK) {
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
+ } else {
|
|
|
ecf709 |
DEBUG(SSSDBG_MINOR_FAILURE,
|
|
|
ecf709 |
"Failed to use domain_resolution_order set in the config file.\n"
|
|
|
ecf709 |
"Trying to fallback to use ipaDomainOrderResolution setup by "
|
|
|
ecf709 |
"IPA.\n");
|
|
|
ecf709 |
- } else {
|
|
|
ecf709 |
- goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
@@ -1598,9 +1610,9 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
if (dom == NULL) {
|
|
|
ecf709 |
- cr_domains = cache_req_domain_new_list_from_domain_resolution_order(
|
|
|
ecf709 |
- rctx, rctx->domains, NULL);
|
|
|
ecf709 |
- if (cr_domains == NULL) {
|
|
|
ecf709 |
+ ret = cache_req_domain_new_list_from_domain_resolution_order(
|
|
|
ecf709 |
+ rctx, rctx->domains, NULL, &cr_domains);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
ecf709 |
"Failed to flatten the list of domains.\n");
|
|
|
ecf709 |
}
|
|
|
ecf709 |
@@ -1608,44 +1620,48 @@ errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
if (dom->has_views) {
|
|
|
ecf709 |
- cr_domains = sss_resp_new_cr_domains_from_ipa_id_view(rctx,
|
|
|
ecf709 |
- rctx->domains,
|
|
|
ecf709 |
- dom->sysdb);
|
|
|
ecf709 |
- if (cr_domains == NULL) {
|
|
|
ecf709 |
+ ret = sss_resp_new_cr_domains_from_ipa_id_view(rctx, rctx->domains,
|
|
|
ecf709 |
+ dom->sysdb,
|
|
|
ecf709 |
+ &cr_domains);
|
|
|
ecf709 |
+ if (ret == EOK) {
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ if (ret != ENOENT) {
|
|
|
ecf709 |
DEBUG(SSSDBG_MINOR_FAILURE,
|
|
|
ecf709 |
"Failed to use ipaDomainResolutionOrder set for the "
|
|
|
ecf709 |
"view \"%s\".\n"
|
|
|
ecf709 |
"Trying to fallback to use ipaDomainOrderResolution "
|
|
|
ecf709 |
"set in ipaConfig for the domain: %s.\n",
|
|
|
ecf709 |
dom->view_name, dom->name);
|
|
|
ecf709 |
- } else {
|
|
|
ecf709 |
- goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
- cr_domains = sss_resp_new_cr_domains_from_ipa_config(rctx, rctx->domains,
|
|
|
ecf709 |
- dom->sysdb,
|
|
|
ecf709 |
- dom->name);
|
|
|
ecf709 |
- if (cr_domains == NULL) {
|
|
|
ecf709 |
+ ret = sss_resp_new_cr_domains_from_ipa_config(rctx, rctx->domains,
|
|
|
ecf709 |
+ dom->sysdb, dom->name,
|
|
|
ecf709 |
+ &cr_domains);
|
|
|
ecf709 |
+ if (ret == EOK) {
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ if (ret != ENOENT) {
|
|
|
ecf709 |
DEBUG(SSSDBG_MINOR_FAILURE,
|
|
|
ecf709 |
"Failed to use ipaDomainResolutionOrder set in ipaConfig "
|
|
|
ecf709 |
"for the domain: \"%s\".\n"
|
|
|
ecf709 |
"No ipaDomainResolutionOrder will be followed.\n",
|
|
|
ecf709 |
dom->name);
|
|
|
ecf709 |
- } else {
|
|
|
ecf709 |
- goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
- cr_domains = cache_req_domain_new_list_from_domain_resolution_order(
|
|
|
ecf709 |
- rctx, rctx->domains, NULL);
|
|
|
ecf709 |
- if (cr_domains == NULL) {
|
|
|
ecf709 |
+ ret = cache_req_domain_new_list_from_domain_resolution_order(
|
|
|
ecf709 |
+ rctx, rctx->domains, NULL, &cr_domains);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to flatten the list of domains.\n");
|
|
|
ecf709 |
goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
-done:
|
|
|
ecf709 |
- ret = cr_domains != NULL ? EOK : ENOMEM;
|
|
|
ecf709 |
+ ret = EOK;
|
|
|
ecf709 |
|
|
|
ecf709 |
+done:
|
|
|
ecf709 |
cache_req_domain_list_zfree(&rctx->cr_domains);
|
|
|
ecf709 |
rctx->cr_domains = cr_domains;
|
|
|
ecf709 |
|
|
|
ecf709 |
--
|
|
|
ecf709 |
2.9.3
|
|
|
ecf709 |
|