From 8441030009c22daa835f89dbc36365415524b320 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Fri, 31 Mar 2017 17:12:56 +0200 Subject: [PATCH 114/118] CONFDB: Fix standalone application domains MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When a standalone application domain was configured, for example: ------------------------------------------------- [sssd] domains = appdomain [application/appdomain] id_provider=ldap ldap_uri = ldap://dc.ipa.test ldap_search_base = cn=accounts,dc=ipa,dc=test ldap_schema = rfc2307bis sudo_provider = none ldap_sasl_mech = gssapi krb5_realm = IPA.TEST krb5_server = dc.ipa.test ldap_user_uid_number = telephonenumber ldap_user_gid_number = mobile ldap_user_extra_attrs = location:l ------------------------------------------------- We would, when unrolling the application section into a domain section, first add a domain stub, equivalent to: ----------------------------- [domain/appdomain] domain_type = application ----------------------------- Which in config.ldb also contains cn. Then, whem we would add the parameters from the [application] section, but try to add the cn again. This didn't happen when inheriting from a POSIX domain, because there we would set LDB_FLAG_REPLACE for any attributes that exist in the inherited domain. This patch skips the cn attribute both when replacing an inherited domain's attributes and when writing a standalone application domain. Resolves: https://pagure.io/SSSD/sssd/issue/3355 Reviewed-by: Pavel Březina (cherry picked from commit 734e73257fff1c1884b72b8cf988f6d75c3a7567) --- src/confdb/confdb.c | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index 88e114457deac3ca50c291a131122624fb6f6fe4..5bb593de03cc2fb26218b883fd1d753e31bedc2d 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1909,7 +1909,7 @@ static int confdb_add_app_domain(TALLOC_CTX *mem_ctx, cdb_path = talloc_asprintf(mem_ctx, CONFDB_DOMAIN_PATH_TMPL, name); if (cdb_path == NULL) { - return ENOMEM; + return ENOMEM; } val[0] = CONFDB_DOMAIN_TYPE_APP; @@ -1933,6 +1933,7 @@ static int confdb_merge_parent_domain(const char *name, struct ldb_message *replace_msg = NULL; struct ldb_message *app_msg = NULL; struct ldb_dn *domain_dn; + struct ldb_message_element *el = NULL; TALLOC_CTX *tmp_ctx = NULL; tmp_ctx = talloc_new(NULL); @@ -1974,6 +1975,12 @@ static int confdb_merge_parent_domain(const char *name, replace_msg->elements[i].flags = LDB_FLAG_MOD_ADD; } + el = ldb_msg_find_element(replace_msg, "cn"); + if (el != NULL) { + /* Don't add second cn */ + ldb_msg_remove_element(replace_msg, el); + } + ret = ldb_modify(cdb->ldb, replace_msg); if (ret != LDB_SUCCESS) { ret = sysdb_error_to_errno(ret); @@ -1993,7 +2000,14 @@ static int confdb_merge_parent_domain(const char *name, app_msg->dn = domain_dn; for (unsigned i = 0; i < app_section->msgs[0]->num_elements; i++) { - struct ldb_message_element *el = NULL; + struct ldb_message_element *app_el = &app_section->msgs[0]->elements[i]; + + /* These elements will be skipped when replacing attributes in + * a domain to avoid EEXIST errors + */ + if (strcasecmp(app_el->name, "cn") == 0) { + continue; + } if (replace_msg != NULL) { el = ldb_msg_find_element(replace_msg, @@ -2013,12 +2027,16 @@ static int confdb_merge_parent_domain(const char *name, ret = ldb_msg_add(app_msg, &app_section->msgs[0]->elements[i], ldb_flag); - if (ret != EOK) { + if (ret != LDB_SUCCESS) { continue; } } - ret = ldb_modify(cdb->ldb, app_msg); + /* We use permissive modification here because adding cn or + * distinguishedName from the app_section to the application + * message would throw EEXIST + */ + ret = sss_ldb_modify_permissive(cdb->ldb, app_msg); if (ret != LDB_SUCCESS) { ret = sysdb_error_to_errno(ret); DEBUG(SSSDBG_OP_FAILURE, -- 2.9.3