From d15c205bed16f5d138ce5c9335ed9f4aa7d4c25c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 17 Jul 2019 11:57:23 +0200
Subject: [PATCH 4/4] sudo: use proper datetime for default modifyTimestamp
 value

The current default was simply "1", but an OpenLDAP server cannot compare the
modifyTimestamp attribute against a plain number: OpenLDAP requires a proper
GeneralizedTime datetime value in the filter.

It worked correctly on 389-ds.

Steps to reproduce:
1. install openldap server
2. run sssd
3. there are no sudo rules on the server and there are no cached objects
4. you'll see in the logs that sudo smart refresh uses `(&(&(objectclass=sudoRole)(modifyTimestamp>=1))...` filter (`1` instead of proper datetime value)

The minimum accepted value by OpenLDAP is 00000101000000Z, as both month and day can not be zero.

Resolves:
https://pagure.io/SSSD/sssd/issue/4046
---
 src/providers/ldap/sdap_sudo_shared.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c
index d2f24ed6e..93a977626 100644
--- a/src/providers/ldap/sdap_sudo_shared.c
+++ b/src/providers/ldap/sdap_sudo_shared.c
@@ -123,11 +123,24 @@ sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx,
 static char *
 sdap_sudo_new_usn(TALLOC_CTX *mem_ctx,
                   unsigned long usn,
-                  const char *leftover)
+                  const char *leftover,
+                  bool supports_usn)
 {
     const char *str = leftover == NULL ? "" : leftover;
     char *newusn;
 
+    /* This is a fresh start and server uses modifyTimestamp. We need to
+     * provide proper datetime value. */
+    if (!supports_usn && usn == 0) {
+        newusn = talloc_strdup(mem_ctx, "00000101000000Z");
+        if (newusn == NULL) {
+            DEBUG(SSSDBG_MINOR_FAILURE, "Unable to change USN value (OOM)!\n");
+            return NULL;
+        }
+
+        return newusn;
+    }
+
     /* We increment USN number so that we can later use simplify filter
      * (just usn >= last+1 instead of usn >= last && usn != last).
      */
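Review bot: The literal `"00000101000000Z"` on the new `talloc_strdup` line encodes an OpenLDAP-specific minimum GeneralizedTime, but the comment above it only says a "proper datetime value" is needed; the reason for this exact value (month and day must not be zero) lives only in the commit message. A named constant would keep that knowledge next to the code, e.g. `#define SDAP_SUDO_MIN_MODIFY_TIMESTAMP "00000101000000Z" /* lowest GeneralizedTime OpenLDAP accepts: month and day must be non-zero */`, and the early-return branch would use it instead of the bare string. Note also that `leftover` is folded into `str` before the new check but then ignored on the fresh-start path; that looks intentional, since there is no stored value whose suffix needs carrying over, and a short sentence in the branch comment saying so would stop a reader from treating it as a dropped value. The increment path that follows the new branch continues past the end of the hunk.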
@@ -178,7 +191,8 @@ sdap_sudo_set_usn(struct sdap_server_opts *srv_opts,
         srv_opts->last_usn = usn_number;
     }
 
-    newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, endptr);
+    newusn = sdap_sudo_new_usn(srv_opts, srv_opts->last_usn, endptr,
+                               srv_opts->supports_usn);
     if (newusn == NULL) {
         return;
     }
-- 
2.20.1