|
 |
ecf709 |
From f994343e9ffc8f8d2917678ae61bcdf68c316a20 Mon Sep 17 00:00:00 2001
|
|
|
ecf709 |
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
|
|
ecf709 |
Date: Tue, 9 May 2017 11:21:02 +0200
|
|
|
ecf709 |
Subject: [PATCH 131/131] AD SUBDOMAINS: Fix search bases for child domains
|
|
|
ecf709 |
|
|
|
ecf709 |
When using direct AD integration, child domains did not respect
|
|
|
ecf709 |
the sssd.conf configuration of search bases.
|
|
|
ecf709 |
|
|
|
ecf709 |
There were few issues all of which are fixed in this small
|
|
|
ecf709 |
patch.
|
|
|
ecf709 |
|
|
|
ecf709 |
First problem was that the sdap domain list was not properly
|
|
|
ecf709 |
inherited from the parent in the child domains and the children
|
|
|
ecf709 |
always created their own sdap domains lists that were disconnected
|
|
|
ecf709 |
from the parent context and never used.
|
|
|
ecf709 |
|
|
|
ecf709 |
Second issue was that the child domain did not call the function
|
|
|
ecf709 |
to reinit the search bases after the sdap_domain was added to the
|
|
|
ecf709 |
list of sdap domains. This caused that child domains always used
|
|
|
ecf709 |
automatically detected search bases and never used the configured
|
|
|
ecf709 |
ones even though they were properly read into the ID options
|
|
|
ecf709 |
context attached to the subdomain.
|
|
|
ecf709 |
|
|
|
ecf709 |
Also there has been an issue that the sdap search bases
|
|
|
ecf709 |
were rewritten by the new child domain initialization
|
|
|
ecf709 |
(this only happened with more than one child domain)
|
|
|
ecf709 |
because the sdap domain list was 'updated' every time
|
|
|
ecf709 |
a new child domain was initialized, which caused that
|
|
|
ecf709 |
only the main domain and the last child domain had proper
|
|
|
ecf709 |
search bases, the others only the auto-discovered ones
|
|
|
ecf709 |
(because they were overwritten with the 'update').
|
|
|
ecf709 |
|
|
|
ecf709 |
Resolves:
|
|
|
ecf709 |
https://pagure.io/SSSD/sssd/issue/3397
|
|
|
ecf709 |
|
|
|
ecf709 |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
ecf709 |
---
|
|
|
ecf709 |
src/providers/ad/ad_subdomains.c | 17 +++++++++++++++++
|
|
|
ecf709 |
src/providers/ldap/sdap_domain.c | 5 +++++
|
|
|
ecf709 |
2 files changed, 22 insertions(+)
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
|
|
ecf709 |
index ef166446e837c3f7cd824c1abf4b5cc587aec9da..c9b79dd9d6840802cddc067eef9d5110cf8d0778 100644
|
|
|
ecf709 |
--- a/src/providers/ad/ad_subdomains.c
|
|
|
ecf709 |
+++ b/src/providers/ad/ad_subdomains.c
|
|
|
ecf709 |
@@ -221,6 +221,9 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
|
|
ecf709 |
ad_id_ctx->sdap_id_ctx->opts = ad_options->id;
|
|
|
ecf709 |
ad_options->id_ctx = ad_id_ctx;
|
|
|
ecf709 |
|
|
|
ecf709 |
+ /* We need to pass the sdap list from parent */
|
|
|
ecf709 |
+ ad_id_ctx->sdap_id_ctx->opts->sdom = id_ctx->sdap_id_ctx->opts->sdom;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
/* use AD plugin */
|
|
|
ecf709 |
srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx->be_res,
|
|
|
ecf709 |
default_host_dbs,
|
|
|
ecf709 |
@@ -257,6 +260,13 @@ ad_subdom_ad_ctx_new(struct be_ctx *be_ctx,
|
|
|
ecf709 |
ad_id_ctx->sdap_id_ctx->opts->idmap_ctx =
|
|
|
ecf709 |
id_ctx->sdap_id_ctx->opts->idmap_ctx;
|
|
|
ecf709 |
|
|
|
ecf709 |
+ ret = ad_set_search_bases(ad_options->id, sdom);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to set LDAP search bases for "
|
|
|
ecf709 |
+ "domain '%s'. Will try to use automatically detected search "
|
|
|
ecf709 |
+ "bases.", subdom->name);
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
*_subdom_id_ctx = ad_id_ctx;
|
|
|
ecf709 |
return EOK;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
@@ -621,6 +631,13 @@ ads_store_sdap_subdom(struct ad_subdomains_ctx *ctx,
|
|
|
ecf709 |
return ret;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
+ ret = ad_set_search_bases(ctx->ad_id_ctx->ad_options->id, ctx->sdom);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_MINOR_FAILURE, "failed to set ldap search bases for "
|
|
|
ecf709 |
+ "domain '%s'. will try to use automatically detected search "
|
|
|
ecf709 |
+ "bases.", ctx->sdom->dom->name);
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
DLIST_FOR_EACH(sditer, ctx->sdom) {
|
|
|
ecf709 |
if (IS_SUBDOMAIN(sditer->dom) && sditer->pvt == NULL) {
|
|
|
ecf709 |
ret = ad_subdom_ad_ctx_new(ctx->be_ctx, ctx->ad_id_ctx,
|
|
|
ecf709 |
diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c
|
|
|
ecf709 |
index 5cba9df0fd5fb320a57adc39093283aed865f57f..d384b2e4a0ec3a7c8d0b05e0ce735feb2189085f 100644
|
|
|
ecf709 |
--- a/src/providers/ldap/sdap_domain.c
|
|
|
ecf709 |
+++ b/src/providers/ldap/sdap_domain.c
|
|
|
ecf709 |
@@ -154,6 +154,11 @@ sdap_domain_subdom_add(struct sdap_id_ctx *sdap_id_ctx,
|
|
|
ecf709 |
parent->name, ret, strerror(ret));
|
|
|
ecf709 |
return ret;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
+ } else if (sditer->search_bases != NULL) {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
|
ecf709 |
+ "subdomain %s has already initialized search bases\n",
|
|
|
ecf709 |
+ dom->name);
|
|
|
ecf709 |
+ continue;
|
|
|
ecf709 |
} else {
|
|
|
ecf709 |
sdom = sditer;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
--
|
|
|
ecf709 |
2.9.3
|
|
|
ecf709 |
|