From 5fcce16c212037b5193556dc2f6bcb7e4d7f0f85 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Sat, 30 Jun 2018 13:21:18 +0200 Subject: [PATCH] LDAP: Remove the legacy POSIX check itself MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This code is no longer needed now. Related: https://pagure.io/SSSD/sssd/issue/3755 Reviewed-by: Pavel Březina (cherry picked from commit 5b2b6493dfb3c1f2cb945356e34c70d8c5d64185) DOWNSTREAM: Resolves: rhbz#1582975 - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers --- src/providers/ad/ad_common.c | 2 - src/providers/ldap/ldap_common.c | 17 --- src/providers/ldap/ldap_common.h | 7 -- src/providers/ldap/sdap.h | 1 - src/providers/ldap/sdap_async.c | 174 ------------------------------- src/providers/ldap/sdap_async.h | 13 --- 6 files changed, 214 deletions(-) diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index eaf0814f1aaf51a5085e992efa633240f32c498e..6d395cfb1d4148e803a656a8f7205fe13570085b 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c @@ -1388,7 +1388,6 @@ ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx, clist[cindex] = ad_ctx->gc_ctx; clist[cindex]->ignore_mark_offline = true; clist[cindex]->no_mpg_user_fallback = true; - clist[cindex]->check_posix_attrs = true; cindex++; } @@ -1435,7 +1434,6 @@ ad_user_conn_list(TALLOC_CTX *mem_ctx, && IS_SUBDOMAIN(dom)) { clist[cindex] = ad_ctx->gc_ctx; clist[cindex]->ignore_mark_offline = true; - clist[cindex]->check_posix_attrs = true; cindex++; } diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c index a0a9b8523310b2551ee992f8d0c2e369dafaa56d..9cd8ec09c7fdc6bd1c8d64da150178f483f2a5a3 100644 --- a/src/providers/ldap/ldap_common.c +++ b/src/providers/ldap/ldap_common.c @@ -884,20 +884,3 @@ sdap_id_ctx_new(TALLOC_CTX *mem_ctx, struct be_ctx *bectx, return sdap_ctx; } - -bool should_run_posix_check(struct sdap_id_ctx *ctx, - struct sdap_id_conn_ctx *conn, - bool use_id_mapping, - bool posix_request) -{ - if (use_id_mapping == false && - posix_request == true && - ctx->opts->schema_type == SDAP_SCHEMA_AD && - conn->check_posix_attrs == true && - ctx->srv_opts && - ctx->srv_opts->posix_checked == false) { - return true; - } - - return false; -} diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h index 3de3568cb28c258c00f9b522c0b9120adca81d81..6c08d789b339424649c938b845e7118f5ea88f73 100644 --- a/src/providers/ldap/ldap_common.h +++ b/src/providers/ldap/ldap_common.h @@ -59,8 +59,6 @@ struct sdap_id_conn_ctx { bool ignore_mark_offline; /* do not fall back to user lookups for mpg domains on this connection */ bool no_mpg_user_fallback; - /* check if this connection contains POSIX attributes */ - bool check_posix_attrs; }; struct sdap_id_ctx { @@ -309,11 +307,6 @@ char *get_enterprise_principal_string_filter(TALLOC_CTX *mem_ctx, const char *princ, struct dp_option *sdap_basic_opts); -bool should_run_posix_check(struct sdap_id_ctx *ctx, - struct sdap_id_conn_ctx *conn, - bool id_mapping, - bool posix_request); - char *sdap_get_access_filter(TALLOC_CTX *mem_ctx, const char *base_filter); diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h index e892c407103b18a296ae6baaf3dcfff11ca4bf31..0790544818633e26ee5a8fbdca556b8230b1df3f 100644 --- a/src/providers/ldap/sdap.h +++ b/src/providers/ldap/sdap.h @@ -511,7 +511,6 @@ struct sdap_server_opts { char *max_group_value; char *max_service_value; char *max_sudo_value; - bool posix_checked; }; struct sdap_id_ctx; diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c index 1e77b1c3c612d28a7d1f7e686cbc0b094b07c89d..8fc832ae5720acac07b0e2a24255f6c5e3d6994b 100644 --- a/src/providers/ldap/sdap_async.c +++ b/src/providers/ldap/sdap_async.c @@ -2572,180 +2572,6 @@ int sdap_asq_search_recv(struct tevent_req *req, return EOK; } -/* ==POSIX attribute presence test================================= */ -static void sdap_gc_posix_check_done(struct tevent_req *subreq); -static errno_t sdap_gc_posix_check_parse(struct sdap_handle *sh, - struct sdap_msg *msg, - void *pvt); - -struct sdap_gc_posix_check_state { - struct tevent_context *ev; - struct sdap_options *opts; - struct sdap_handle *sh; - int timeout; - - const char **attrs; - const char *filter; - - bool has_posix; -}; - -struct tevent_req * -sdap_gc_posix_check_send(TALLOC_CTX *memctx, struct tevent_context *ev, - struct sdap_options *opts, struct sdap_handle *sh, - int timeout) -{ - struct tevent_req *req = NULL; - struct tevent_req *subreq = NULL; - struct sdap_gc_posix_check_state *state; - errno_t ret; - - req = tevent_req_create(memctx, &state, struct sdap_gc_posix_check_state); - if (req == NULL) { - return NULL; - } - state->ev = ev; - state->sh = sh; - state->opts = opts; - state->timeout = timeout; - - state->attrs = talloc_array(state, const char *, 4); - if (state->attrs == NULL) { - ret = ENOMEM; - goto fail; - } - state->attrs[0] = "objectclass"; - state->attrs[1] = opts->user_map[SDAP_AT_USER_UID].name; - state->attrs[2] = opts->group_map[SDAP_AT_GROUP_GID].name; - state->attrs[3] = NULL; - - state->filter = talloc_asprintf(state, - "(|(&(%s=*)(objectclass=%s))(&(%s=*)(objectclass=%s)))", - opts->user_map[SDAP_AT_USER_UID].name, - opts->user_map[SDAP_OC_USER].name, - opts->group_map[SDAP_AT_GROUP_GID].name, - opts->group_map[SDAP_OC_GROUP].name); - if (state->filter == NULL) { - ret = ENOMEM; - goto fail; - } - - subreq = sdap_get_generic_ext_send(state, state->ev, state->opts, - state->sh, - "", - LDAP_SCOPE_SUBTREE, state->filter, - state->attrs, - NULL, NULL, 1, state->timeout, - sdap_gc_posix_check_parse, state, - SDAP_SRCH_FLG_SIZELIMIT_SILENT); - if (subreq == NULL) { - ret = ENOMEM; - goto fail; - } - tevent_req_set_callback(subreq, sdap_gc_posix_check_done, req); - - return req; - -fail: - tevent_req_error(req, ret); - tevent_req_post(req, ev); - return req; -} - -static errno_t sdap_gc_posix_check_parse(struct sdap_handle *sh, - struct sdap_msg *msg, - void *pvt) -{ - struct berval **vals = NULL; - struct sdap_gc_posix_check_state *state = - talloc_get_type(pvt, struct sdap_gc_posix_check_state); - char *dn; - char *endptr; - - dn = ldap_get_dn(sh->ldap, msg->msg); - if (dn == NULL) { - DEBUG(SSSDBG_TRACE_LIBS, - "Search did not find any entry with POSIX attributes\n"); - goto done; - } - DEBUG(SSSDBG_TRACE_LIBS, "Found [%s] with POSIX attributes\n", dn); - ldap_memfree(dn); - - vals = ldap_get_values_len(sh->ldap, msg->msg, - state->opts->user_map[SDAP_AT_USER_UID].name); - if (vals == NULL) { - vals = ldap_get_values_len(sh->ldap, msg->msg, - state->opts->group_map[SDAP_AT_GROUP_GID].name); - if (vals == NULL) { - DEBUG(SSSDBG_TRACE_LIBS, "Entry does not have POSIX attrs?\n"); - goto done; - } - } - - if (vals[0] == NULL) { - DEBUG(SSSDBG_TRACE_LIBS, "No value for POSIX attr\n"); - goto done; - } - - errno = 0; - strtouint32(vals[0]->bv_val, &endptr, 10); - if (errno || *endptr || (vals[0]->bv_val == endptr)) { - DEBUG(SSSDBG_MINOR_FAILURE, - "POSIX attribute is not a number: %s\n", vals[0]->bv_val); - } - - state->has_posix = true; -done: - ldap_value_free_len(vals); - return EOK; -} - -static void sdap_gc_posix_check_done(struct tevent_req *subreq) -{ - struct tevent_req *req = tevent_req_callback_data(subreq, - struct tevent_req); - struct sdap_gc_posix_check_state *state = - tevent_req_data(req, struct sdap_gc_posix_check_state); - errno_t ret; - - ret = sdap_get_generic_ext_recv(subreq, NULL, NULL, NULL); - talloc_zfree(subreq); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "sdap_get_generic_ext_recv failed [%d]: %s\n", - ret, strerror(ret)); - tevent_req_error(req, ret); - return; - } - - /* Positive hit is definitive, no need to search other bases */ - if (state->has_posix == true) { - DEBUG(SSSDBG_FUNC_DATA, "Server has POSIX attributes. Global Catalog will " - "be used for user and group lookups. Note that if " - "only a subset of POSIX attributes is present " - "in GC, the non-replicated attributes are " - "currently not read from the LDAP port\n"); - tevent_req_done(req); - return; - } - - /* All bases done! */ - DEBUG(SSSDBG_TRACE_LIBS, "Cycled through all bases\n"); - tevent_req_done(req); -} - -int sdap_gc_posix_check_recv(struct tevent_req *req, - bool *_has_posix) -{ - struct sdap_gc_posix_check_state *state = tevent_req_data(req, - struct sdap_gc_posix_check_state); - - TEVENT_REQ_RETURN_ON_ERROR(req); - - *_has_posix = state->has_posix; - return EOK; -} - /* ==Generic Deref Search============================================ */ enum sdap_deref_type { SDAP_DEREF_OPENLDAP, diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h index 6ca3ed8d82ea7e4cb049b1c65c639b2773b8c296..6d09aca7a3465df4503991f0dc82e2af3871ccd5 100644 --- a/src/providers/ldap/sdap_async.h +++ b/src/providers/ldap/sdap_async.h @@ -281,19 +281,6 @@ int sdap_deref_search_recv(struct tevent_req *req, size_t *reply_count, struct sdap_deref_attrs ***reply); -/* - * This request should only be ran against a Global Catalog connection - * because it uses a NULL search base to search all domains in the forest, - * which would return an error with an LDAP port: - * https://technet.microsoft.com/en-us/library/cc755809(v=ws.10).aspx - */ -struct tevent_req * -sdap_gc_posix_check_send(TALLOC_CTX *memctx, struct tevent_context *ev, - struct sdap_options *opts, struct sdap_handle *sh, - int timeout); - -int sdap_gc_posix_check_recv(struct tevent_req *req, - bool *_has_posix); struct tevent_req * sdap_sd_search_send(TALLOC_CTX *memctx, -- 2.17.1