|
 |
ecf709 |
From e3b29c9f95d5a5ff007000b254143c337ef0b0dc Mon Sep 17 00:00:00 2001
|
|
|
ecf709 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
ecf709 |
Date: Fri, 19 May 2017 12:52:47 +0200
|
|
|
ecf709 |
Subject: [PATCH 138/138] ipa: filter IPA users from extdom lookups by
|
|
|
ecf709 |
certificate
|
|
|
ecf709 |
MIME-Version: 1.0
|
|
|
ecf709 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ecf709 |
Content-Transfer-Encoding: 8bit
|
|
|
ecf709 |
|
|
|
ecf709 |
The extdom lookup by certificate will return the names of all matching
|
|
|
ecf709 |
users, both from the IPA and trusted domains. The IPA users from the
|
|
|
ecf709 |
list should not be looked up via the extdom plugin because they are
|
|
|
ecf709 |
already lookup up directly. Additionally the lookup might fail and cause
|
|
|
ecf709 |
an error which might prevent that the remaining users from the list are
|
|
|
ecf709 |
looked up.
|
|
|
ecf709 |
|
|
|
ecf709 |
Resolves https://pagure.io/SSSD/sssd/issue/3407
|
|
|
ecf709 |
|
|
|
ecf709 |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
ecf709 |
(cherry picked from commit eb7095099b2dd0afb1d028dbc15d8c5a897d90f8)
|
|
|
ecf709 |
---
|
|
|
ecf709 |
src/providers/ipa/ipa_s2n_exop.c | 35 ++++++++++++++++++++++++++++++-----
|
|
|
ecf709 |
1 file changed, 30 insertions(+), 5 deletions(-)
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
|
|
|
ecf709 |
index f5f4401f86615dc7f81f844e1096ad43e965c384..15904e0197919c34b1bce58b4bd2c070f99b67a7 100644
|
|
|
ecf709 |
--- a/src/providers/ipa/ipa_s2n_exop.c
|
|
|
ecf709 |
+++ b/src/providers/ipa/ipa_s2n_exop.c
|
|
|
ecf709 |
@@ -792,6 +792,7 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
char **name_list = NULL;
|
|
|
ecf709 |
ber_len_t ber_len;
|
|
|
ecf709 |
char *fq_name = NULL;
|
|
|
ecf709 |
+ struct sss_domain_info *root_domain = NULL;
|
|
|
ecf709 |
|
|
|
ecf709 |
if (retoid == NULL || retdata == NULL) {
|
|
|
ecf709 |
DEBUG(SSSDBG_OP_FAILURE, "Missing OID or data.\n");
|
|
|
ecf709 |
@@ -965,6 +966,8 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
+ root_domain = get_domains_head(dom);
|
|
|
ecf709 |
+
|
|
|
ecf709 |
while (ber_peek_tag(ber, &ber_len) == LBER_SEQUENCE) {
|
|
|
ecf709 |
tag = ber_scanf(ber, "{aa}", &domain_name, &name);
|
|
|
ecf709 |
if (tag == LBER_ERROR) {
|
|
|
ecf709 |
@@ -983,7 +986,12 @@ static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
DEBUG(SSSDBG_TRACE_ALL, "[%s][%s][%s].\n", domain_name, name,
|
|
|
ecf709 |
fq_name);
|
|
|
ecf709 |
|
|
|
ecf709 |
- ret = add_string_to_list(attrs, fq_name, &name_list);
|
|
|
ecf709 |
+ if (strcasecmp(root_domain->name, domain_name) != 0) {
|
|
|
ecf709 |
+ ret = add_string_to_list(attrs, fq_name, &name_list);
|
|
|
ecf709 |
+ } else {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_TRACE_ALL,
|
|
|
ecf709 |
+ "[%s] from root domain, skipping.\n", fq_name);
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
ber_memfree(domain_name);
|
|
|
ecf709 |
ber_memfree(name);
|
|
|
ecf709 |
talloc_free(fq_name);
|
|
|
ecf709 |
@@ -1228,7 +1236,7 @@ static errno_t ipa_s2n_get_list_step(struct tevent_req *req)
|
|
|
ecf709 |
|
|
|
ecf709 |
break;
|
|
|
ecf709 |
default:
|
|
|
ecf709 |
- DEBUG(SSSDBG_OP_FAILURE, "Unexpected inoput type [%d].\n",
|
|
|
ecf709 |
+ DEBUG(SSSDBG_OP_FAILURE, "Unexpected input type [%d].\n",
|
|
|
ecf709 |
state->req_input.type);
|
|
|
ecf709 |
return EINVAL;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
@@ -1247,9 +1255,10 @@ static errno_t ipa_s2n_get_list_step(struct tevent_req *req)
|
|
|
ecf709 |
|
|
|
ecf709 |
if (state->req_input.type == REQ_INP_NAME
|
|
|
ecf709 |
&& state->req_input.inp.name != NULL) {
|
|
|
ecf709 |
- DEBUG(SSSDBG_TRACE_FUNC, "Sending request_type: [%s] for group [%s].\n",
|
|
|
ecf709 |
- ipa_s2n_reqtype2str(state->request_type),
|
|
|
ecf709 |
- state->list[state->list_idx]);
|
|
|
ecf709 |
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
|
ecf709 |
+ "Sending request_type: [%s] for object [%s].\n",
|
|
|
ecf709 |
+ ipa_s2n_reqtype2str(state->request_type),
|
|
|
ecf709 |
+ state->list[state->list_idx]);
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
subreq = ipa_s2n_exop_send(state, state->ev, state->sh, need_v1,
|
|
|
ecf709 |
@@ -1886,6 +1895,13 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
|
|
|
ecf709 |
|
|
|
ecf709 |
if (state->simple_attrs->response_type == RESP_NAME_LIST
|
|
|
ecf709 |
&& state->req_input->type == REQ_INP_CERT) {
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ if (state->simple_attrs->name_list == NULL) {
|
|
|
ecf709 |
+ /* No results from sub-domains, nothing to do */
|
|
|
ecf709 |
+ ret = EOK;
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
state->mapped_attrs = sysdb_new_attrs(state);
|
|
|
ecf709 |
if (state->mapped_attrs == NULL) {
|
|
|
ecf709 |
DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
|
|
|
ecf709 |
@@ -2640,6 +2656,15 @@ static void ipa_s2n_get_list_done(struct tevent_req *subreq)
|
|
|
ecf709 |
return;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
+ if (state->attrs == NULL) {
|
|
|
ecf709 |
+ /* If this is a request by certificate we are done */
|
|
|
ecf709 |
+ if (state->req_input->type == REQ_INP_CERT) {
|
|
|
ecf709 |
+ tevent_req_done(req);
|
|
|
ecf709 |
+ } else {
|
|
|
ecf709 |
+ tevent_req_error(req, EINVAL);
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
ret = sysdb_attrs_get_string(state->attrs->sysdb_attrs, SYSDB_SID_STR,
|
|
|
ecf709 |
&sid_str);
|
|
|
ecf709 |
if (ret == ENOENT) {
|
|
|
ecf709 |
--
|
|
|
ecf709 |
2.9.4
|
|
|
ecf709 |
|