summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2013-09-25 18:33:11 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-09-27 15:52:13 +0200
commitd3e1d88ce7de3216a862b9fe78dc5aa94dcbc14b (patch)
tree02e9af84a72e6a1f32d1a35b1c567935e3415ce4
parente2f37d4488c45921e87f07d8a911ac7dd5b94f53 (diff)
downloadsssd-d3e1d88ce7de3216a862b9fe78dc5aa94dcbc14b.tar.gz
sssd-d3e1d88ce7de3216a862b9fe78dc5aa94dcbc14b.tar.bz2
sssd-d3e1d88ce7de3216a862b9fe78dc5aa94dcbc14b.zip
LDAP: Require ID numbers when ID mapping is off
Related: https://fedorahosted.org/sssd/ticket/2070 When searching for users and groups without the use of ID mapping, make sure the UIDs and GIDs are included in the search. This will make the SSSD seemigly "miss" entries when searching in Global Catalog in the scenario where the POSIX attributes are not replicated to the GC.
-rw-r--r--src/providers/ldap/ldap_id.c25
-rw-r--r--src/providers/ldap/sdap_async_initgroups.c59
2 files changed, 77 insertions, 7 deletions
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 5fd05ebb..162d987b 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -169,9 +169,28 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
goto fail;
}
- state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
- attr_name, clean_name,
- ctx->opts->user_map[SDAP_OC_USER].name);
+ if (use_id_mapping || filter_type == BE_FILTER_SECID) {
+ /* When mapping IDs or looking for SIDs, we don't want to limit
+ * ourselves to users with a UID value. But there must be a SID to map
+ * from.
+ */
+ state->filter = talloc_asprintf(state,
+ "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
+ attr_name, clean_name,
+ ctx->opts->user_map[SDAP_OC_USER].name,
+ ctx->opts->user_map[SDAP_AT_USER_NAME].name,
+ ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name);
+ } else {
+ /* When not ID-mapping, make sure there is a non-NULL UID */
+ state->filter = talloc_asprintf(state,
+ "(&(%s=%s)(objectclass=%s)(%s=*)(&(%s=*)(!(%s=0))))",
+ attr_name, clean_name,
+ ctx->opts->user_map[SDAP_OC_USER].name,
+ ctx->opts->user_map[SDAP_AT_USER_NAME].name,
+ ctx->opts->user_map[SDAP_AT_USER_UID].name,
+ ctx->opts->user_map[SDAP_AT_USER_UID].name);
+ }
+
talloc_zfree(clean_name);
if (!state->filter) {
DEBUG(2, ("Failed to build the base filter\n"));
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index e645067b..157cf744 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -1442,7 +1442,7 @@ struct sdap_initgr_rfc2307bis_state {
struct sss_domain_info *dom;
struct sdap_handle *sh;
const char *name;
- const char *base_filter;
+ char *base_filter;
char *filter;
const char **attrs;
const char *orig_dn;
@@ -1493,6 +1493,7 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
struct sdap_initgr_rfc2307bis_state *state;
const char **attr_filter;
char *clean_orig_dn;
+ bool use_id_mapping;
req = tevent_req_create(memctx, &state, struct sdap_initgr_rfc2307bis_state);
if (!req) return NULL;
@@ -1540,8 +1541,11 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
ret = sss_filter_sanitize(state, orig_dn, &clean_orig_dn);
if (ret != EOK) goto done;
+ use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(opts->idmap_ctx,
+ dom->domain_id);
+
state->base_filter =
- talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*))",
+ talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)",
opts->group_map[SDAP_AT_GROUP_MEMBER].name,
clean_orig_dn,
opts->group_map[SDAP_OC_GROUP].name,
@@ -1550,6 +1554,28 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
ret = ENOMEM;
goto done;
}
+
+ if (use_id_mapping) {
+ /* When mapping IDs or looking for SIDs, we don't want to limit
+ * ourselves to groups with a GID value. But there must be a SID to map
+ * from.
+ */
+ state->base_filter = talloc_asprintf_append(state->base_filter,
+ "(%s=*))",
+ opts->group_map[SDAP_AT_GROUP_OBJECTSID].name);
+ } else {
+ /* When not ID-mapping, make sure there is a non-NULL UID */
+ state->base_filter = talloc_asprintf_append(state->base_filter,
+ "(&(%s=*)(!(%s=0))))",
+ opts->group_map[SDAP_AT_GROUP_GID].name,
+ opts->group_map[SDAP_AT_GROUP_GID].name);
+ }
+ if (!state->base_filter) {
+ talloc_zfree(req);
+ return NULL;
+ }
+
+
talloc_zfree(clean_orig_dn);
ret = sdap_initgr_rfc2307bis_next_base(req);
@@ -2551,7 +2577,7 @@ struct sdap_get_initgr_state {
const char *name;
const char **grp_attrs;
const char **user_attrs;
- const char *user_base_filter;
+ char *user_base_filter;
char *filter;
int timeout;
@@ -2580,6 +2606,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
struct sdap_get_initgr_state *state;
int ret;
char *clean_name;
+ bool use_id_mapping;
DEBUG(9, ("Retrieving info for initgroups call\n"));
@@ -2606,6 +2633,10 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
goto done;
}
+ use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(
+ id_ctx->opts->idmap_ctx,
+ sdom->dom->domain_id);
+
ret = sss_filter_sanitize(state, name, &clean_name);
if (ret != EOK) {
talloc_zfree(req);
@@ -2613,7 +2644,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
}
state->user_base_filter =
- talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
+ talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)",
state->opts->user_map[SDAP_AT_USER_NAME].name,
clean_name,
state->opts->user_map[SDAP_OC_USER].name);
@@ -2622,6 +2653,26 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
return NULL;
}
+ if (use_id_mapping) {
+ /* When mapping IDs or looking for SIDs, we don't want to limit
+ * ourselves to users with a UID value. But there must be a SID to map
+ * from.
+ */
+ state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
+ "(%s=*))",
+ id_ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name);
+ } else {
+ /* When not ID-mapping, make sure there is a non-NULL UID */
+ state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
+ "(&(%s=*)(!(%s=0))))",
+ id_ctx->opts->user_map[SDAP_AT_USER_UID].name,
+ id_ctx->opts->user_map[SDAP_AT_USER_UID].name);
+ }
+ if (!state->user_base_filter) {
+ talloc_zfree(req);
+ return NULL;
+ }
+
ret = build_attrs_from_map(state, state->opts->user_map, SDAP_OPTS_USER,
NULL, &state->user_attrs, NULL);
if (ret) {