diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2013-09-25 18:33:11 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-09-27 15:52:13 +0200 |
commit | d3e1d88ce7de3216a862b9fe78dc5aa94dcbc14b (patch) | |
tree | 02e9af84a72e6a1f32d1a35b1c567935e3415ce4 /src | |
parent | e2f37d4488c45921e87f07d8a911ac7dd5b94f53 (diff) | |
download | sssd-d3e1d88ce7de3216a862b9fe78dc5aa94dcbc14b.tar.gz sssd-d3e1d88ce7de3216a862b9fe78dc5aa94dcbc14b.tar.bz2 sssd-d3e1d88ce7de3216a862b9fe78dc5aa94dcbc14b.zip |
LDAP: Require ID numbers when ID mapping is off
Related: https://fedorahosted.org/sssd/ticket/2070
When searching for users and groups without the use of ID mapping, make
sure the UIDs and GIDs are included in the search. This will make the
SSSD seemigly "miss" entries when searching in Global Catalog in the
scenario where the POSIX attributes are not replicated to the GC.
Diffstat (limited to 'src')
-rw-r--r-- | src/providers/ldap/ldap_id.c | 25 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_initgroups.c | 59 |
2 files changed, 77 insertions, 7 deletions
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index 5fd05ebb..162d987b 100644 --- a/src/providers/ldap/ldap_id.c +++ b/src/providers/ldap/ldap_id.c @@ -169,9 +169,28 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx, goto fail; } - state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))", - attr_name, clean_name, - ctx->opts->user_map[SDAP_OC_USER].name); + if (use_id_mapping || filter_type == BE_FILTER_SECID) { + /* When mapping IDs or looking for SIDs, we don't want to limit + * ourselves to users with a UID value. But there must be a SID to map + * from. + */ + state->filter = talloc_asprintf(state, + "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))", + attr_name, clean_name, + ctx->opts->user_map[SDAP_OC_USER].name, + ctx->opts->user_map[SDAP_AT_USER_NAME].name, + ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name); + } else { + /* When not ID-mapping, make sure there is a non-NULL UID */ + state->filter = talloc_asprintf(state, + "(&(%s=%s)(objectclass=%s)(%s=*)(&(%s=*)(!(%s=0))))", + attr_name, clean_name, + ctx->opts->user_map[SDAP_OC_USER].name, + ctx->opts->user_map[SDAP_AT_USER_NAME].name, + ctx->opts->user_map[SDAP_AT_USER_UID].name, + ctx->opts->user_map[SDAP_AT_USER_UID].name); + } + talloc_zfree(clean_name); if (!state->filter) { DEBUG(2, ("Failed to build the base filter\n")); diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index e645067b..157cf744 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c @@ -1442,7 +1442,7 @@ struct sdap_initgr_rfc2307bis_state { struct sss_domain_info *dom; struct sdap_handle *sh; const char *name; - const char *base_filter; + char *base_filter; char *filter; const char **attrs; const char *orig_dn; @@ -1493,6 +1493,7 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send( struct sdap_initgr_rfc2307bis_state *state; const char **attr_filter; char *clean_orig_dn; + bool use_id_mapping; req = tevent_req_create(memctx, &state, struct sdap_initgr_rfc2307bis_state); if (!req) return NULL; @@ -1540,8 +1541,11 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send( ret = sss_filter_sanitize(state, orig_dn, &clean_orig_dn); if (ret != EOK) goto done; + use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(opts->idmap_ctx, + dom->domain_id); + state->base_filter = - talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*))", + talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)", opts->group_map[SDAP_AT_GROUP_MEMBER].name, clean_orig_dn, opts->group_map[SDAP_OC_GROUP].name, @@ -1550,6 +1554,28 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send( ret = ENOMEM; goto done; } + + if (use_id_mapping) { + /* When mapping IDs or looking for SIDs, we don't want to limit + * ourselves to groups with a GID value. But there must be a SID to map + * from. + */ + state->base_filter = talloc_asprintf_append(state->base_filter, + "(%s=*))", + opts->group_map[SDAP_AT_GROUP_OBJECTSID].name); + } else { + /* When not ID-mapping, make sure there is a non-NULL UID */ + state->base_filter = talloc_asprintf_append(state->base_filter, + "(&(%s=*)(!(%s=0))))", + opts->group_map[SDAP_AT_GROUP_GID].name, + opts->group_map[SDAP_AT_GROUP_GID].name); + } + if (!state->base_filter) { + talloc_zfree(req); + return NULL; + } + + talloc_zfree(clean_orig_dn); ret = sdap_initgr_rfc2307bis_next_base(req); @@ -2551,7 +2577,7 @@ struct sdap_get_initgr_state { const char *name; const char **grp_attrs; const char **user_attrs; - const char *user_base_filter; + char *user_base_filter; char *filter; int timeout; @@ -2580,6 +2606,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, struct sdap_get_initgr_state *state; int ret; char *clean_name; + bool use_id_mapping; DEBUG(9, ("Retrieving info for initgroups call\n")); @@ -2606,6 +2633,10 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, goto done; } + use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping( + id_ctx->opts->idmap_ctx, + sdom->dom->domain_id); + ret = sss_filter_sanitize(state, name, &clean_name); if (ret != EOK) { talloc_zfree(req); @@ -2613,7 +2644,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, } state->user_base_filter = - talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))", + talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)", state->opts->user_map[SDAP_AT_USER_NAME].name, clean_name, state->opts->user_map[SDAP_OC_USER].name); @@ -2622,6 +2653,26 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, return NULL; } + if (use_id_mapping) { + /* When mapping IDs or looking for SIDs, we don't want to limit + * ourselves to users with a UID value. But there must be a SID to map + * from. + */ + state->user_base_filter = talloc_asprintf_append(state->user_base_filter, + "(%s=*))", + id_ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name); + } else { + /* When not ID-mapping, make sure there is a non-NULL UID */ + state->user_base_filter = talloc_asprintf_append(state->user_base_filter, + "(&(%s=*)(!(%s=0))))", + id_ctx->opts->user_map[SDAP_AT_USER_UID].name, + id_ctx->opts->user_map[SDAP_AT_USER_UID].name); + } + if (!state->user_base_filter) { + talloc_zfree(req); + return NULL; + } + ret = build_attrs_from_map(state, state->opts->user_map, SDAP_OPTS_USER, NULL, &state->user_attrs, NULL); if (ret) { |