authorMichal Zidek <mzidek@redhat.com>2012-08-09 14:38:23 +0200
committerJakub Hrozek <jhrozek@redhat.com>2012-08-09 19:54:01 +0200
commit4a1e58d85409fbb7a12ac244c3dbef8c0c1b15df (patch)
treeef4fce99b810ba0de827a46248fe13b37822d4cc
parentceb40cb8846ff755f841466908954087f927eae7 (diff)
downloadsssd-4a1e58d85409fbb7a12ac244c3dbef8c0c1b15df.tar.gz
sssd-4a1e58d85409fbb7a12ac244c3dbef8c0c1b15df.tar.bz2
sssd-4a1e58d85409fbb7a12ac244c3dbef8c0c1b15df.zip
SRV resolution for backup servers should not be permitted.
https://fedorahosted.org/sssd/ticket/1463
-rw-r--r--src/man/include/service_discovery.xml2
-rw-r--r--src/providers/ad/ad_common.c10
-rw-r--r--src/providers/ipa/ipa_common.c10
-rw-r--r--src/providers/krb5/krb5_common.c11
-rw-r--r--src/providers/ldap/ldap_common.c10
5 files changed, 37 insertions, 6 deletions
diff --git a/src/man/include/service_discovery.xml b/src/man/include/service_discovery.xml
index 78ebd098..5b96ad86 100644
--- a/src/man/include/service_discovery.xml
+++ b/src/man/include/service_discovery.xml
@@ -3,7 +3,7 @@
<para>
The service discovery feature allows back ends to automatically
find the appropriate servers to connect to using a special DNS
- query.
+ query. This feature is not supported for backup servers.
</para>
<refsect2 id='configuration'>
<title>Configuration</title>
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index a4703ee7..800ef131 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -152,7 +152,7 @@ ad_servers_init(TALLOC_CTX *mem_ctx,
bool primary)
{
size_t i;
- errno_t ret;
+ errno_t ret = 0;
char **list;
char *ad_domain;
TALLOC_CTX *tmp_ctx;
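Review bot: The `errno_t ret = 0;` initialiser on the `+` line is load-bearing rather than cosmetic: with the `continue` added to the loop below, a backup list made up only of `_srv_` entries never assigns `ret`, and whatever the post-loop code (outside this hunk) returns from `ret` would otherwise be an uninitialised read. That deserves a why-comment so it is not "cleaned up" later, e.g. `errno_t ret = 0; /* stays 0 when every entry is a rejected backup SRV record */`. It also means such a list yields success with no backup servers registered at all; if that is not intended, the loop should fail instead. ad_servers_init's signature begins before this hunk.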
@@ -172,6 +172,14 @@ ad_servers_init(TALLOC_CTX *mem_ctx,
/* Add each of these servers to the failover service */
for (i = 0; list[i]; i++) {
if (be_fo_is_srv_identifier(list[i])) {
+ if (!primary) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Failed to add server [%s] to failover service: "
+ "SRV resolution only allowed for primary servers!\n",
+ list[i]));
+ continue;
+ }
+
ret = be_fo_add_srv_server(bectx, AD_SERVICE_NAME, "ldap",
ad_domain, BE_FO_PROTO_TCP,
false, NULL);
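Review bot: Rejecting `_srv_` in a backup list is logged at SSSDBG_MINOR_FAILURE and then skipped with `continue`, so an administrator who put `_srv_` in the backup option ends up with no backup servers and only a low-priority debug line to explain it; I would raise this to `SSSDBG_CRIT_FAILURE` (or return EINVAL and refuse the configuration), since a silently empty failover list undermines the availability the backup list exists to provide. The message also reads like a transient failure rather than a policy; something like `"Ignoring [%s]: SRV resolution is only supported for primary servers\n"` states what actually happened. A short why-comment above the check pointing at the ticket cited in the commit message would help too, as the code itself does not say why backups may not use SRV. The enclosing loop and ad_servers_init continue past this hunk.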
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index b5f6337d..bf62fcb9 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -806,7 +806,7 @@ errno_t ipa_servers_init(struct be_ctx *ctx,
TALLOC_CTX *tmp_ctx;
char **list = NULL;
char *ipa_domain;
- int ret;
+ int ret = 0;
int i;
tmp_ctx = talloc_new(NULL);
@@ -827,6 +827,14 @@ errno_t ipa_servers_init(struct be_ctx *ctx,
talloc_steal(service, list[i]);
if (be_fo_is_srv_identifier(list[i])) {
+ if (!primary) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Failed to add server [%s] to failover service: "
+ "SRV resolution only allowed for primary servers!\n",
+ list[i]));
+ continue;
+ }
+
ipa_domain = dp_opt_get_string(options->basic, IPA_DOMAIN);
ret = be_fo_add_srv_server(ctx, "IPA", "ldap", ipa_domain,
BE_FO_PROTO_TCP, false, NULL);
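Review bot: The same eight-line primary check, with identical message text, is now pasted into four providers (ad, ipa, krb5, ldap); if be_fo_add_srv_server has, or could be given, knowledge of whether it is registering a primary or backup server, enforcing the rule once in the failover layer would keep the four call sites from drifting. As written, `talloc_steal(service, list[i])` on the line above the check has already moved the rejected entry onto `service`, so the skipped string lives as long as the service does; that is harmless in size, but if nothing after the loop walks `list` again a `talloc_free(list[i]);` before the `continue` would release it. ipa_servers_init begins before this hunk and its loop continues past it.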
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index ad79db9d..98a2f7da 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -473,7 +473,7 @@ errno_t krb5_servers_init(struct be_ctx *ctx,
{
TALLOC_CTX *tmp_ctx;
char **list = NULL;
- errno_t ret;
+ errno_t ret = 0;
int i;
char *port_str;
long port;
@@ -493,7 +493,6 @@ errno_t krb5_servers_init(struct be_ctx *ctx,
}
for (i = 0; list[i]; i++) {
-
talloc_steal(service, list[i]);
server_spec = talloc_strdup(service, list[i]);
if (!server_spec) {
@@ -502,6 +501,14 @@ errno_t krb5_servers_init(struct be_ctx *ctx,
}
if (be_fo_is_srv_identifier(server_spec)) {
+ if (!primary) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Failed to add server [%s] to failover service: "
+ "SRV resolution only allowed for primary servers!\n",
+ list[i]));
+ continue;
+ }
+
ret = be_fo_add_srv_server(ctx, service_name, service_name, NULL,
BE_FO_PROTO_UDP, true, NULL);
if (ret) {
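Review bot: The condition tests `server_spec` but the new DEBUG line prints `list[i]`; the two hold the same text (server_spec is a talloc_strdup of list[i] a few lines up), so this is a consistency nit, but printing `server_spec));` keeps the block self-describing. The rejected `server_spec` copy was allocated on `service` and is simply abandoned on `continue`; a `talloc_free(server_spec);` before the `continue` would release it, since nothing in the hunk uses it afterward. krb5_servers_init's loop and body continue outside this hunk.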
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 1fc5ebb5..570ec970 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -1116,7 +1116,7 @@ errno_t sdap_urls_init(struct be_ctx *ctx,
char *srv_user_data;
char **list = NULL;
LDAPURLDesc *lud;
- errno_t ret;
+ errno_t ret = 0;
int i;
tmp_ctx = talloc_new(NULL);
@@ -1135,6 +1135,14 @@ errno_t sdap_urls_init(struct be_ctx *ctx,
/* now for each URI add a new server to the failover service */
for (i = 0; list[i]; i++) {
if (be_fo_is_srv_identifier(list[i])) {
+ if (!primary) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Failed to add server [%s] to failover service: "
+ "SRV resolution only allowed for primary servers!\n",
+ list[i]));
+ continue;
+ }
+
if (!dns_service_name) {
DEBUG(0, ("Missing DNS service name for service [%s].\n",
service_name));
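Review bot: The new check sits before the `dns_service_name` guard, so a backup `_srv_` entry is now dropped with a minor-failure log where the existing "Missing DNS service name" path reports at DEBUG(0); from the operator's view both mean "this entry is unusable", yet they surface at very different severities. I would log the backup rejection at `SSSDBG_CRIT_FAILURE`, because a backup list reduced to nothing is exactly the misconfiguration that only becomes visible during an outage. A why-comment above the check would also help, e.g. `/* SRV lookups are only honoured for the primary server list (see ticket 1463) */`, keeping to what the commit message states rather than guessing at the reason. sdap_urls_init begins before this hunk and its loop continues past it.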