From 2ea997d55fb7b18bbf153d5fa625b688285dfdb9 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 24 Jan 2014 10:02:23 +0100
Subject: [PATCH 62/62] LDAP: Don't abort request if no id mapping domain matches

If an ID was requested from the back end, but no ID mapping domain matched, the request ended with a scary error message. It's better to treat the request as if no such ID was found in the domain
Related: https://fedorahosted.org/sssd/ticket/2200
---
 src/providers/ad/ad_id.c | 2 +-
 src/providers/ldap/ldap_id.c | 44 +++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index ada47753fb337641df582a5a59affe8124fc2035..e74653b734010712ff0562ce1bcbad2b03aba27e 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -386,7 +386,7 @@ ad_account_info_complete(struct tevent_req *req)
 error_text = NULL;
 } else {
 DEBUG(SSSDBG_FATAL_FAILURE,
- ("Bug: dp_error is OK on failed request"));
+ ("Bug: dp_error is OK on failed request\n"));
 dp_error = DP_ERR_FATAL;
 error_text = req_error_text;
 }
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 793bc99ebcec883be7db3fc9dd56fa511d8ba3bb..e36c1f697c18e865a47d991dad103fc440456118 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -129,7 +129,20 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
 /* Convert the UID to its objectSID */
 err = sss_idmap_unix_to_sid(ctx->opts->idmap_ctx->map, uid, &sid);
- if (err != IDMAP_SUCCESS) {
+ if (err == IDMAP_NO_DOMAIN) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("[%s] did not match any configured ID mapping domain\n",
+ name));
+
+ ret = sysdb_delete_user(state->sysdb,
+ state->domain, NULL, uid);
+ if (ret == ENOENT) {
+ /* Ignore errors to remove users that were not cached previously */
+ ret = EOK;
+ }
+
+ goto fail;
+ } else if (err != IDMAP_SUCCESS) {
 DEBUG(SSSDBG_MINOR_FAILURE, ("Mapping ID [%s] to SID failed: [%s]\n", name, idmap_error_string(err)));
@@ -213,7 +226,11 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
 return req;
 fail:
- tevent_req_error(req, ret);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ } else {
+ tevent_req_done(req);
+ }
 tevent_req_post(req, ev);
 return req;
 }
@@ -496,10 +513,23 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
 goto fail;
 }
- /* Convert the UID to its objectSID */
+ /* Convert the GID to its objectSID */
 err = sss_idmap_unix_to_sid(ctx->opts->idmap_ctx->map, gid, &sid);
- if (err != IDMAP_SUCCESS) {
+ if (err == IDMAP_NO_DOMAIN) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("[%s] did not match any configured ID mapping domain\n",
+ name));
+
+ ret = sysdb_delete_group(state->sysdb,
+ state->domain, NULL, gid);
+ if (ret == ENOENT) {
+ /* Ignore errors to remove users that were not cached previously */
+ ret = EOK;
+ }
+
+ goto fail;
+ } else if (err != IDMAP_SUCCESS) {
 DEBUG(SSSDBG_MINOR_FAILURE, ("Mapping ID [%s] to SID failed: [%s]\n", name, idmap_error_string(err)));
@@ -587,7 +617,11 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
 return req;
 fail:
- tevent_req_error(req, ret);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ } else {
+ tevent_req_done(req);
+ }
 tevent_req_post(req, ev);
 return req;
 }
--
1.8.4.2
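Review bot: The new IDMAP_NO_DOMAIN branch in users_get_send (hunk at -129) completes the request successfully before any search is issued, and the hunk does not show whether the status fields in `state` that the matching recv function reports are in a success state at that point. If they are initialised to a failure value earlier in the function (outside this hunk), callers would see EOK alongside a failure status, so they should be set explicitly before `goto fail;`. Any sysdb_delete_user() error other than ENOENT still fails the request; if that is intended, say so with `/* Cache errors other than ENOENT are still reported to the caller */`. The groups_get_send hunk at -496 has the same shape and needs the same check.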
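Review bot: The `fail:` label in users_get_send (hunk at -213) is now also the exit path for a successful early completion, so its name no longer matches what it does. Renaming it to `done:`, together with the `goto fail;` sites (most of which are outside this hunk), would stop readers from assuming every jump there is an error. If the rename is too noisy for this patch, a comment above the label such as `/* Reached on error and on immediate success (ret == EOK) */` would do. The same applies to the label in groups_get_send in the hunk at -587.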
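Review bot: The comment in the new group branch (hunk at -496) was copied from the user branch and still says users: `/* Ignore errors to remove users that were not cached previously */` sits directly under the sysdb_delete_group() call. It also says "errors" although only ENOENT is ignored, so it should read `/* Ignore ENOENT: the group was not cached previously */`. The user-branch comment in the hunk at -129 would benefit from the same ENOENT wording. groups_get_send starts and ends outside this hunk.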