authorStephen Gallagher <sgallagh@redhat.com>2012-04-21 10:33:15 -0400
committerStephen Gallagher <sgallagh@redhat.com>2012-05-03 14:09:14 -0400
commit1a79825cfbbd26ef12ad085487247e5adf4d657d (patch)
tree8a8c62bf6f065484029524dc9a0deb8f3263a02d
parent45f75fc8e98092fa48faa3d180fd42f7efd51486 (diff)
LDAP: Allow automatically-provisioning a domain and range
If we get a user who is a member of a domain we haven't seen before, add a domain entry (auto-assigning its slice). Since we don't know the domain's real name, we'll just save the domain SID string as the name as well.
-rw-r--r--src/providers/ldap/sdap_async_users.c46
1 files changed, 43 insertions, 3 deletions
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 5f8875a5..9aa09da9 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -58,6 +58,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
bool use_id_mapping = dp_opt_get_bool(opts->basic, SDAP_ID_MAPPING);
struct dom_sid *dom_sid;
char *sid_str;
+ char *dom_sid_str;
enum idmap_error_code err;
DEBUG(9, ("Save user\n"));
@@ -117,6 +118,9 @@ int sdap_save_user(TALLOC_CTX *memctx,
/* Retrieve or map the UID as appropriate */
if (use_id_mapping) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ ("Mapping user [%s] objectSID to unix ID\n", name));
+
ret = sysdb_attrs_get_el(attrs,
opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
&el);
@@ -145,13 +149,49 @@ int sdap_save_user(TALLOC_CTX *memctx,
if (ret != EOK) goto fail;
/* Convert the SID into a UNIX user ID */
- err = sss_idmap_sid_to_unix(
- opts->idmap_ctx->map,
+ err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
sid_str,
(uint32_t *)&uid);
- if (err != IDMAP_SUCCESS) {
+ if (err != IDMAP_SUCCESS && err != IDMAP_NO_DOMAIN) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not convert objectSID [%s] to a UNIX ID\n",
+ sid_str));
ret = EIO;
goto fail;
+ } else if (err == IDMAP_NO_DOMAIN) {
+ /* This is the first time we've seen this domain
+ * Create a new domain for it. We'll use the dom-sid
+ * as the domain name for now, since we don't have
+ * any way to get the real name.
+ */
+ ret = sdap_idmap_get_dom_sid_from_object(tmpctx, sid_str,
+ &dom_sid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not parse domain SID from [%s]\n", sid_str));
+ goto fail;
+ }
+
+ ret = sdap_idmap_add_domain(opts->idmap_ctx,
+ dom_sid_str, dom_sid_str,
+ -1);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not add new domain for sid [%s]\n", sid_str));
+ goto fail;
+ }
+
+ /* Now try converting to a UNIX ID again */
+ err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
+ sid_str,
+ (uint32_t *)&uid);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Could not convert objectSID [%s] to a UNIX ID\n",
+ sid_str));
+ ret = EIO;
+ goto fail;
+ }
}
} else {