|
 |
ecf709 |
From 85b74b966ec1d417ce76b05cbf3351b20c0981b2 Mon Sep 17 00:00:00 2001
|
|
|
ecf709 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
ecf709 |
Date: Wed, 17 May 2017 15:43:25 +0200
|
|
|
ecf709 |
Subject: [PATCH 164/166] ldap: handle certmap errors gracefully
|
|
|
ecf709 |
|
|
|
ecf709 |
Currently the LDAP user lookup request errors out if e.g. there is no
|
|
|
ecf709 |
matching rule for a certificate. This might cause the related domain to
|
|
|
ecf709 |
go offline.
|
|
|
ecf709 |
|
|
|
ecf709 |
With this patch the request returns that no user was found for the given
|
|
|
ecf709 |
certificate but overall result is that the request finishes
|
|
|
ecf709 |
successfully.
|
|
|
ecf709 |
|
|
|
ecf709 |
Resolves:
|
|
|
ecf709 |
https://pagure.io/SSSD/sssd/issue/3405
|
|
|
ecf709 |
|
|
|
ecf709 |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
ecf709 |
---
|
|
|
ecf709 |
src/providers/ldap/ldap_id.c | 21 +++++++++++++++++++++
|
|
|
ecf709 |
1 file changed, 21 insertions(+)
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
|
|
|
ecf709 |
index 7400dc1f57e30cc6ae5f939ffa628a1e9dd47e06..557712e8dc2b2bde664b4054fa2f8eb39df84d73 100644
|
|
|
ecf709 |
--- a/src/providers/ldap/ldap_id.c
|
|
|
ecf709 |
+++ b/src/providers/ldap/ldap_id.c
|
|
|
ecf709 |
@@ -258,6 +258,27 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
|
|
|
ecf709 |
if (ret != EOK) {
|
|
|
ecf709 |
DEBUG(SSSDBG_OP_FAILURE,
|
|
|
ecf709 |
"sss_cert_derb64_to_ldap_filter failed.\n");
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ /* Typically sss_cert_derb64_to_ldap_filter() will fail if there
|
|
|
ecf709 |
+ * is no mapping rule matching the current certificate. But this
|
|
|
ecf709 |
+ * just means that no matching user can be found so we can finish
|
|
|
ecf709 |
+ * the request with this result. Even if
|
|
|
ecf709 |
+ * sss_cert_derb64_to_ldap_filter() would fail for other reason
|
|
|
ecf709 |
+ * there is no need to return an error which might cause the
|
|
|
ecf709 |
+ * domain go offline. */
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ if (noexist_delete) {
|
|
|
ecf709 |
+ ret = sysdb_remove_cert(state->domain, filter_value);
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
ecf709 |
+ "Ignoring error while removing user certificate "
|
|
|
ecf709 |
+ "[%d]: %s\n", ret, sss_strerror(ret));
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ ret = EOK;
|
|
|
ecf709 |
+ state->sdap_ret = ENOENT;
|
|
|
ecf709 |
+ state->dp_error = DP_ERR_OK;
|
|
|
ecf709 |
goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
--
|
|
|
ecf709 |
2.9.4
|
|
|
ecf709 |
|