|
 |
d15e81 |
From 215f988b07610ae55dfcb67f355bc864ddcbf72d Mon Sep 17 00:00:00 2001
|
|
|
d15e81 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
d15e81 |
Date: Tue, 28 Apr 2015 17:18:48 +0200
|
|
|
d15e81 |
Subject: [PATCH 211/214] IPA: do initgroups if extdom exop supports it
|
|
|
d15e81 |
|
|
|
d15e81 |
Newer versions of the extdom plugin return the full list of
|
|
|
d15e81 |
group-memberships during a user lookup request. With these version there
|
|
|
d15e81 |
is no need to reject a initgroups request for sub/trusted-domain users
|
|
|
d15e81 |
anymore. This is e.g. useful for callers which call getgrouplist()
|
|
|
d15e81 |
directly without calling getpwnam() before. Additionally it helps if for
|
|
|
d15e81 |
some reasons the lifetime of the user entry and the lifetime of the
|
|
|
d15e81 |
initgroups data is different.
|
|
|
d15e81 |
|
|
|
d15e81 |
Related to https://fedorahosted.org/sssd/ticket/2633
|
|
|
d15e81 |
|
|
|
d15e81 |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
d15e81 |
(cherry picked from commit e87badc0f6fb20a443cf12bde9582ecbc2aef727)
|
|
|
d15e81 |
(cherry picked from commit 24905d4ecbf210687e385449448f5a5ec97d2833)
|
|
|
d15e81 |
---
|
|
|
d15e81 |
src/providers/ipa/ipa_s2n_exop.c | 3 ---
|
|
|
d15e81 |
src/providers/ipa/ipa_subdomains.h | 4 ++++
|
|
|
d15e81 |
src/providers/ipa/ipa_subdomains_id.c | 24 +++++++++++++++++-------
|
|
|
d15e81 |
3 files changed, 21 insertions(+), 10 deletions(-)
|
|
|
d15e81 |
|
|
|
d15e81 |
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
|
|
|
d15e81 |
index 8de46136d0bc9d1c26b44c532d7bd405880aca50..03264fcd7f6f42dfa68db4f331184da32529818f 100644
|
|
|
d15e81 |
--- a/src/providers/ipa/ipa_s2n_exop.c
|
|
|
d15e81 |
+++ b/src/providers/ipa/ipa_s2n_exop.c
|
|
|
d15e81 |
@@ -50,9 +50,6 @@ enum response_types {
|
|
|
d15e81 |
};
|
|
|
d15e81 |
|
|
|
d15e81 |
/* ==Sid2Name Extended Operation============================================= */
|
|
|
d15e81 |
-#define EXOP_SID2NAME_OID "2.16.840.1.113730.3.8.10.4"
|
|
|
d15e81 |
-#define EXOP_SID2NAME_V1_OID "2.16.840.1.113730.3.8.10.4.1"
|
|
|
d15e81 |
-
|
|
|
d15e81 |
struct ipa_s2n_exop_state {
|
|
|
d15e81 |
struct sdap_handle *sh;
|
|
|
d15e81 |
|
|
|
d15e81 |
diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
|
|
|
d15e81 |
index ceb862226b504bca6c9c596554fb88e6df1d51c3..9b179792dcab7ea935fa7159ca879d12b561a55f 100644
|
|
|
d15e81 |
--- a/src/providers/ipa/ipa_subdomains.h
|
|
|
d15e81 |
+++ b/src/providers/ipa/ipa_subdomains.h
|
|
|
d15e81 |
@@ -28,6 +28,10 @@
|
|
|
d15e81 |
#include "providers/dp_backend.h"
|
|
|
d15e81 |
#include "providers/ipa/ipa_common.h"
|
|
|
d15e81 |
|
|
|
d15e81 |
+/* ==Sid2Name Extended Operation============================================= */
|
|
|
d15e81 |
+#define EXOP_SID2NAME_OID "2.16.840.1.113730.3.8.10.4"
|
|
|
d15e81 |
+#define EXOP_SID2NAME_V1_OID "2.16.840.1.113730.3.8.10.4.1"
|
|
|
d15e81 |
+
|
|
|
d15e81 |
struct be_ctx *ipa_get_subdomains_be_ctx(struct be_ctx *be_ctx);
|
|
|
d15e81 |
|
|
|
d15e81 |
const char *get_flat_name_from_subdomain_name(struct be_ctx *be_ctx,
|
|
|
d15e81 |
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
|
|
|
d15e81 |
index 0508e14b690c144f4bace9ed14a326ac724eb910..1020c8a0b9209fc7404c32963ad5622fc6958d6b 100644
|
|
|
d15e81 |
--- a/src/providers/ipa/ipa_subdomains_id.c
|
|
|
d15e81 |
+++ b/src/providers/ipa/ipa_subdomains_id.c
|
|
|
d15e81 |
@@ -375,15 +375,9 @@ struct tevent_req *ipa_get_subdom_acct_send(TALLOC_CTX *memctx,
|
|
|
d15e81 |
case BE_REQ_GROUP:
|
|
|
d15e81 |
case BE_REQ_BY_SECID:
|
|
|
d15e81 |
case BE_REQ_USER_AND_GROUP:
|
|
|
d15e81 |
+ case BE_REQ_INITGROUPS:
|
|
|
d15e81 |
ret = EOK;
|
|
|
d15e81 |
break;
|
|
|
d15e81 |
- case BE_REQ_INITGROUPS:
|
|
|
d15e81 |
- ret = ENOTSUP;
|
|
|
d15e81 |
- DEBUG(SSSDBG_TRACE_FUNC, "Initgroups requests are not handled " \
|
|
|
d15e81 |
- "by the IPA provider but are resolved " \
|
|
|
d15e81 |
- "by the responder directly from the " \
|
|
|
d15e81 |
- "cache.\n");
|
|
|
d15e81 |
- break;
|
|
|
d15e81 |
default:
|
|
|
d15e81 |
ret = EINVAL;
|
|
|
d15e81 |
DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain request type.\n");
|
|
|
d15e81 |
@@ -423,6 +417,22 @@ static void ipa_get_subdom_acct_connected(struct tevent_req *subreq)
|
|
|
d15e81 |
return;
|
|
|
d15e81 |
}
|
|
|
d15e81 |
|
|
|
d15e81 |
+ if (state->entry_type == BE_REQ_INITGROUPS) {
|
|
|
d15e81 |
+ /* With V1 of the extdom plugin a user lookup will resolve the full
|
|
|
d15e81 |
+ * group membership of the user. */
|
|
|
d15e81 |
+ if (sdap_is_extension_supported(sdap_id_op_handle(state->op),
|
|
|
d15e81 |
+ EXOP_SID2NAME_V1_OID)) {
|
|
|
d15e81 |
+ state->entry_type = BE_REQ_USER;
|
|
|
d15e81 |
+ } else {
|
|
|
d15e81 |
+ DEBUG(SSSDBG_TRACE_FUNC, "Initgroups requests are not handled " \
|
|
|
d15e81 |
+ "by the IPA provider but are resolved " \
|
|
|
d15e81 |
+ "by the responder directly from the " \
|
|
|
d15e81 |
+ "cache.\n");
|
|
|
d15e81 |
+ tevent_req_error(req, ENOTSUP);
|
|
|
d15e81 |
+ return;
|
|
|
d15e81 |
+ }
|
|
|
d15e81 |
+ }
|
|
|
d15e81 |
+
|
|
|
d15e81 |
req_input = talloc(state, struct req_input);
|
|
|
d15e81 |
if (req_input == NULL) {
|
|
|
d15e81 |
DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n");
|
|
|
d15e81 |
--
|
|
|
d15e81 |
2.4.3
|
|
|
d15e81 |
|