authorSumit Bose <sbose@redhat.com>2013-08-08 12:04:11 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-08-19 22:32:34 +0200
commit75dd4b05e1dacc76dc9d5f16be31978f84a71dc5 (patch)
treec01533ef057253df9b22d83db188744a554923c2
parentfd04fbbf93d33db729404cdc4408f59226025ea6 (diff)
sysdb_add_incomplete_group: store SID string is available
During initgroups request we read the SID of a group from the server but do not save it to the cache. This patch fixes this and might help to avoid an additional lookup of the SID later.
-rw-r--r--src/db/sysdb.h4
-rw-r--r--src/db/sysdb_ops.c6
-rw-r--r--src/providers/ldap/sdap_async_initgroups.c25
-rw-r--r--src/providers/ldap/sdap_async_initgroups_ad.c2
-rw-r--r--src/tests/sysdb-tests.c49
5 files changed, 72 insertions, 14 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 7b02b344..96679007 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -614,7 +614,9 @@ int sysdb_add_incomplete_group(struct sysdb_ctx *sysdb,
struct sss_domain_info *domain,
const char *name,
gid_t gid,
- const char *original_dn, bool posix,
+ const char *original_dn,
+ const char *sid_str,
+ bool posix,
time_t now);
/* Add netgroup (only basic attrs and w/o checks) */
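Review bot: The new `sid_str` parameter is optional, but nothing at the prototype says so. The implementation in sysdb_ops.c skips the attribute when it is NULL, and the updated tests pass NULL. A short comment above the declaration, e.g. `/* sid_str may be NULL; when set it is stored as SYSDB_SID_STR */`, would tell callers they do not have to supply a value. The declaration begins above this hunk.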
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index ff8fb008..45f3289b 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1409,6 +1409,7 @@ int sysdb_add_incomplete_group(struct sysdb_ctx *sysdb,
const char *name,
gid_t gid,
const char *original_dn,
+ const char *sid_str,
bool posix,
time_t now)
{
@@ -1450,6 +1451,11 @@ int sysdb_add_incomplete_group(struct sysdb_ctx *sysdb,
if (ret) goto done;
}
+ if (sid_str) {
+ ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, sid_str);
+ if (ret) goto done;
+ }
+
ret = sysdb_set_group_attr(sysdb, domain, name, attrs, SYSDB_MOD_REP);
done:
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 9a46dc9b..aa0ea4c1 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -48,7 +48,7 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
bool in_transaction = false;
bool posix;
time_t now;
- char *sid_str;
+ char *sid_str = NULL;
bool use_id_mapping;
char *tmp_name;
@@ -127,16 +127,24 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
if (strcmp(groupname, missing[i]) == 0) {
posix = true;
+ ret = sdap_attrs_get_sid_str(
+ tmp_ctx, opts->idmap_ctx, ldap_groups[ai],
+ opts->group_map[SDAP_AT_GROUP_OBJECTSID].sys_name,
+ &sid_str);
+ if (ret != EOK && ret != ENOENT) goto done;
+
if (use_id_mapping) {
+ if (sid_str == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("No SID for group [%s] " \
+ "while id-mapping.\n",
+ groupname));
+ ret = EINVAL;
+ goto done;
+ }
+
DEBUG(SSSDBG_TRACE_LIBS,
("Mapping group [%s] objectSID to unix ID\n", groupname));
- ret = sdap_attrs_get_sid_str(
- tmp_ctx, opts->idmap_ctx, ldap_groups[ai],
- opts->group_map[SDAP_AT_GROUP_OBJECTSID].sys_name,
- &sid_str);
- if (ret != EOK) goto done;
-
DEBUG(SSSDBG_TRACE_INTERNAL,
("Group [%s] has objectSID [%s]\n",
groupname, sid_str));
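Review bot: `sid_str` is set to NULL only once, at the top of sdap_add_incomplete_groups, while the lookup added here runs once per matched group and now tolerates ENOENT. Unless sdap_attrs_get_sid_str clears its output on ENOENT (its body is not visible here), a group with no objectSID would keep the previous group's SID. That stale value would pass the new `sid_str == NULL` check in the id-mapping branch, and the sysdb_add_incomplete_group call in the next hunk would cache it under the wrong group. Resetting it immediately before the call, `sid_str = NULL;`, keeps each group's SID independent of the one before it. The enclosing loop and function start and end outside this hunk.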
@@ -187,7 +195,8 @@ static errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
DEBUG(SSSDBG_TRACE_INTERNAL,
("Adding fake group %s to sysdb\n", groupname));
ret = sysdb_add_incomplete_group(sysdb, domain, groupname, gid,
- original_dn, posix, now);
+ original_dn, sid_str, posix,
+ now);
if (ret != EOK) {
goto done;
}
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 89789204..e5649a2b 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -496,7 +496,7 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq)
ret = sysdb_add_incomplete_group(state->sysdb,
state->domain,
group_name, gid,
- NULL, false, now);
+ NULL, sid_str, false, now);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
("Could not create incomplete group: [%s]\n",
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index a4ca92a6..60a20c8b 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -271,7 +271,7 @@ static int test_add_incomplete_group(struct test_data *data)
ret = sysdb_add_incomplete_group(data->ctx->sysdb,
data->ctx->domain, data->groupname,
- data->gid, NULL, true, 0);
+ data->gid, NULL, NULL, true, 0);
return ret;
}
@@ -3918,7 +3918,7 @@ START_TEST(test_odd_characters)
/* Add */
ret = sysdb_add_incomplete_group(test_ctx->sysdb, test_ctx->domain,
- odd_groupname, 20000, NULL, true, 0);
+ odd_groupname, 20000, NULL, NULL, true, 0);
fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]",
ret, strerror(ret));
@@ -4446,14 +4446,14 @@ START_TEST(test_sysdb_original_dn_case_insensitive)
ret = sysdb_add_incomplete_group(test_ctx->sysdb, test_ctx->domain,
"case_sensitive_group1", 29000,
"cn=case_sensitive_group1,cn=example,cn=com",
- true, 0);
+ NULL, true, 0);
fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]",
ret, strerror(ret));
ret = sysdb_add_incomplete_group(test_ctx->sysdb, test_ctx->domain,
"case_sensitive_group2", 29001,
"cn=CASE_SENSITIVE_GROUP1,cn=EXAMPLE,cn=COM",
- true, 0);
+ NULL, true, 0);
fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]",
ret, strerror(ret));
@@ -4475,6 +4475,44 @@ START_TEST(test_sysdb_original_dn_case_insensitive)
}
END_TEST
+START_TEST(test_sysdb_group_sid_str)
+{
+ errno_t ret;
+ struct sysdb_test_ctx *test_ctx;
+ const char *filter;
+ struct ldb_dn *base_dn;
+ const char *no_attrs[] = { NULL };
+ struct ldb_message **msgs;
+ size_t num_msgs;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ ret = sysdb_add_incomplete_group(test_ctx->sysdb, test_ctx->domain,
+ "group", 29000,
+ "cn=group,cn=example,cn=com",
+ "S-1-2-3-4", true, 0);
+ fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]",
+ ret, strerror(ret));
+
+ filter = talloc_asprintf(test_ctx, "%s=%s", SYSDB_SID_STR, "S-1-2-3-4");
+ fail_if(filter == NULL, "Cannot construct filter\n");
+
+ base_dn = sysdb_domain_dn(test_ctx->sysdb, test_ctx, test_ctx->domain);
+ fail_if(base_dn == NULL, "Cannot construct basedn\n");
+
+ ret = sysdb_search_entry(test_ctx, test_ctx->sysdb,
+ base_dn, LDB_SCOPE_SUBTREE, filter, no_attrs,
+ &num_msgs, &msgs);
+ fail_unless(ret == EOK, "cache search error [%d][%s]",
+ ret, strerror(ret));
+ fail_unless(num_msgs == 1, "Did not find the expected number of entries using "
+ "SID string search");
+}
+END_TEST
+
+
START_TEST(test_sysdb_subdomain_create)
{
struct sysdb_test_ctx *test_ctx;
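Review bot: test_sysdb_group_sid_str asserts only that one entry matches the SID filter; it does not check that the match is the group it just added. Nothing covers the `sid_str == NULL` path that the other callers in this file use. Requesting `SYSDB_NAME` instead of the empty `no_attrs` list and comparing it with `"group"` would cover the first gap. A second group added with `NULL`, followed by a check that it has no SYSDB_SID_STR, would cover the second. The test also ends without releasing `test_ctx`; if the neighbouring tests call `talloc_free(test_ctx)` (not visible here), this one should as well.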
@@ -5063,6 +5101,9 @@ Suite *create_sysdb_suite(void)
/* Test originalDN searches */
tcase_add_test(tc_sysdb, test_sysdb_original_dn_case_insensitive);
+ /* Test SID string group searches */
+ tcase_add_test(tc_sysdb, test_sysdb_group_sid_str);
+
/* Test user and group renames */
tcase_add_test(tc_sysdb, test_group_rename);
tcase_add_test(tc_sysdb, test_user_rename);