| author | Sumit Bose <sbose@redhat.com> | 2013-04-19 12:22:03 +0200 | 
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-05-02 19:33:56 +0200 | 
| commit | 1ae6d34788fd6ac2278be52b60d77c77073d98f3 (patch) | |
| tree | 04138c422f8c6fe60eeb9aaeec5e3cda18e84046 | |
| parent | 5a6e3cb57cf2d8d4118b58be0574cccea171ca19 (diff) | |
LDAP: always store SID if available
Currently the string representation of a SID is only stored in the cache
for debugging purposes if SID-based ID-mapping is used. This patch
unconditionally stores the SID if available to allow SID-to-name
mappings from the cache.
| -rw-r--r-- | src/providers/ldap/sdap_async_groups.c | 49 | ||||
| -rw-r--r-- | src/providers/ldap/sdap_async_users.c | 42 | 
2 files changed, 58 insertions, 33 deletions
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
index bb88d6c4..cb30d4bb 100644
--- a/src/providers/ldap/sdap_async_groups.c
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -458,34 +458,41 @@ static int sdap_save_group(TALLOC_CTX *memctx,
     }
     DEBUG(SSSDBG_TRACE_FUNC, ("Processing group %s\n", name));
-    if (use_id_mapping) {
-        posix_group = true;
-
-        DEBUG(SSSDBG_TRACE_LIBS,
-              ("Mapping group [%s] objectSID to unix ID\n", name));
-
-        ret = sdap_attrs_get_sid_str(
-                tmpctx, opts->idmap_ctx, attrs,
-                opts->group_map[SDAP_AT_GROUP_OBJECTSID].sys_name,
-                &sid_str);
+    /* Always store SID string if available */
+    ret = sdap_attrs_get_sid_str(tmpctx, opts->idmap_ctx, attrs,
+                              opts->group_map[SDAP_AT_GROUP_OBJECTSID].sys_name,
+                              &sid_str);
+    if (ret == EOK) {
+        ret = sysdb_attrs_add_string(group_attrs, SYSDB_SID_STR, sid_str);
         if (ret != EOK) {
-            DEBUG(SSSDBG_MINOR_FAILURE,
-                  ("Could not identify objectSID: [%s]\n",
-                   strerror(ret)));
+            DEBUG(SSSDBG_MINOR_FAILURE, ("Could not add SID string: [%s]\n",
+                                         strerror(ret)));
             goto done;
         }
+    } else if (ret == ENOENT) {
+        DEBUG(SSSDBG_TRACE_ALL, ("objectSID: not available for group [%s].\n",
+                                 name));
+        sid_str = NULL;
+    } else {
+        DEBUG(SSSDBG_MINOR_FAILURE, ("Could not identify objectSID: [%s]\n",
+                                     strerror(ret)));
+        sid_str = NULL;
+    }
-        /* Add string representation to the cache for easier
-         * debugging
-         */
-        ret = sysdb_attrs_add_string(group_attrs, SYSDB_SID_STR, sid_str);
-        if (ret != EOK) {
-            DEBUG(SSSDBG_MINOR_FAILURE,
-                  ("Could not add SID string: [%s]\n",
-                   strerror(ret)));
+    if (use_id_mapping) {
+        posix_group = true;
+
+        if (sid_str == NULL) {
+            DEBUG(SSSDBG_MINOR_FAILURE, ("SID not available, cannot map a " \
+                                         "unix ID to group [%s].\n", name));
+            ret = ENOENT;
             goto done;
         }
+        DEBUG(SSSDBG_TRACE_LIBS,
+              ("Mapping group [%s] objectSID [%s] to unix ID\n",
+               name, sid_str));
+
         /* Convert the SID into a UNIX group ID */
         ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &gid);
         if (ret == ENOTSUP) {
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index ccd2f24e..68e646cb 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
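Review bot: In the new `if (sid_str == NULL)` block under `use_id_mapping`, `ret = ENOENT;` overwrites whatever error the preceding `else` branch left in `ret`, so an objectSID that is present but cannot be converted by sdap_attrs_get_sid_str is reported to the caller as a missing attribute, whereas the old code propagated the original error code. Since `sid_str` is only set to NULL on the ENOENT branch and on the error branch, `ret` already holds the right value at that point and the assignment can be dropped, keeping the failure code distinguishable in the caller's logs; if the intent really is to fold both cases into ENOENT, a one-line comment saying so would stop the next reader from "fixing" it. The same overwrite is in the sdap_async_users.c hunk. Separately, the `else` branch now downgrades a SID conversion failure to a minor-failure log and caches the group without a SID when id mapping is off; that looks intended by the commit message but deserves a comment such as `/* Cache the entry without a SID; SID-based lookups for it will miss. */`. sdap_save_group starts before and continues after this hunk.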
@@ -132,22 +132,40 @@ int sdap_save_user(TALLOC_CTX *memctx,
     if (el->num_values == 0) shell = NULL;
     else shell = (const char *)el->values[0].data;
+    /* Always store SID string if available */
+    ret = sdap_attrs_get_sid_str(tmpctx, opts->idmap_ctx, attrs,
+                                opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
+                                &sid_str);
+    if (ret == EOK) {
+        ret = sysdb_attrs_add_string(user_attrs, SYSDB_SID_STR, sid_str);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE, ("Could not add SID string: [%s]\n",
+                                         strerror(ret)));
+            goto done;
+        }
+    } else if (ret == ENOENT) {
+        DEBUG(SSSDBG_TRACE_ALL, ("objectSID: not available for group [%s].\n",
+                                 name));
+        sid_str = NULL;
+    } else {
+        DEBUG(SSSDBG_MINOR_FAILURE, ("Could not identify objectSID: [%s]\n",
+                                     strerror(ret)));
+        sid_str = NULL;
+    }
+
+
     /* Retrieve or map the UID as appropriate */
     if (use_id_mapping) {
-        DEBUG(SSSDBG_TRACE_LIBS,
-              ("Mapping user [%s] objectSID to unix ID\n", name));
-        ret = sdap_attrs_get_sid_str(
-                tmpctx, opts->idmap_ctx, attrs,
-                opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
-                &sid_str);
-        if (ret != EOK) goto done;
+        if (sid_str == NULL) {
+            DEBUG(SSSDBG_MINOR_FAILURE, ("SID not available, cannot map a " \
+                                         "unix ID to user [%s].\n", name));
+            ret = ENOENT;
+            goto done;
+        }
-        /* Add string representation to the cache for easier
-         * debugging
-         */
-        ret = sysdb_attrs_add_string(user_attrs, SYSDB_SID_STR, sid_str);
-        if (ret != EOK) goto done;
+        DEBUG(SSSDBG_TRACE_LIBS,
+              ("Mapping user [%s] objectSID [%s] to unix ID\n", name, sid_str));
         /* Convert the SID into a UNIX user ID */
         ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &uid);
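Review bot: The ENOENT branch added to sdap_save_user logs `objectSID: not available for group [%s]` for a user entry; the message was copied from the group code and should read `DEBUG(SSSDBG_TRACE_ALL, ("objectSID: not available for user [%s].\n", name));`, otherwise anyone correlating cache contents with the debug log will look in the wrong place. The two consecutive `+` blank lines before `/* Retrieve or map the UID as appropriate */` also look like one more than the surrounding code uses, assuming the file keeps single blank lines between statements. sdap_save_user starts before and continues after this hunk.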
