author | Stephen Gallagher <sgallagh@redhat.com> | 2012-04-21 10:33:15 -0400 |
committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-05-03 14:09:14 -0400 |
commit | 1a79825cfbbd26ef12ad085487247e5adf4d657d (patch) | |
tree | 8a8c62bf6f065484029524dc9a0deb8f3263a02d /src | |
parent | 45f75fc8e98092fa48faa3d180fd42f7efd51486 (diff) | |
LDAP: Allow automatically-provisioning a domain and range
If we get a user who is a member of a domain we haven't seen
before, add a domain entry (auto-assigning its slice).
Since we don't know the domain's real name, we'll just save the
domain SID string as the name as well.
Diffstat (limited to 'src')
-rw-r--r-- | src/providers/ldap/sdap_async_users.c | 46 |
1 files changed, 43 insertions, 3 deletions
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
index 5f8875a5..9aa09da9 100644
--- a/src/providers/ldap/sdap_async_users.c
+++ b/src/providers/ldap/sdap_async_users.c
@@ -58,6 +58,7 @@ int sdap_save_user(TALLOC_CTX *memctx,
     bool use_id_mapping = dp_opt_get_bool(opts->basic, SDAP_ID_MAPPING);
     struct dom_sid *dom_sid;
     char *sid_str;
+    char *dom_sid_str;
     enum idmap_error_code err;
     DEBUG(9, ("Save user\n"));
@@ -117,6 +118,9 @@ int sdap_save_user(TALLOC_CTX *memctx,
     /* Retrieve or map the UID as appropriate */
     if (use_id_mapping) {
+        DEBUG(SSSDBG_TRACE_LIBS,
+              ("Mapping user [%s] objectSID to unix ID\n", name));
+
         ret = sysdb_attrs_get_el(attrs,
                                  opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
                                  &el);
@@ -145,13 +149,49 @@ int sdap_save_user(TALLOC_CTX *memctx,
         if (ret != EOK) goto fail;
         /* Convert the SID into a UNIX user ID */
-        err = sss_idmap_sid_to_unix(
-                opts->idmap_ctx->map,
+        err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
                                     sid_str,
                                     (uint32_t *)&uid);
-        if (err != IDMAP_SUCCESS) {
+        if (err != IDMAP_SUCCESS && err != IDMAP_NO_DOMAIN) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  ("Could not convert objectSID [%s] to a UNIX ID\n",
+                   sid_str));
             ret = EIO;
             goto fail;
+        } else if (err == IDMAP_NO_DOMAIN) {
+            /* This is the first time we've seen this domain
+             * Create a new domain for it. We'll use the dom-sid
+             * as the domain name for now, since we don't have
+             * any way to get the real name.
+             */
+            ret = sdap_idmap_get_dom_sid_from_object(tmpctx, sid_str,
+                                                     &dom_sid_str);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_MINOR_FAILURE,
+                      ("Could not parse domain SID from [%s]\n", sid_str));
+                goto fail;
+            }
+
+            ret = sdap_idmap_add_domain(opts->idmap_ctx,
+                                        dom_sid_str, dom_sid_str,
+                                        -1);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_MINOR_FAILURE,
+                      ("Could not add new domain for sid [%s]\n", sid_str));
+                goto fail;
+            }
+
+            /* Now try converting to a UNIX ID again */
+            err = sss_idmap_sid_to_unix(opts->idmap_ctx->map,
+                                        sid_str,
+                                        (uint32_t *)&uid);
+            if (err != IDMAP_SUCCESS) {
+                DEBUG(SSSDBG_MINOR_FAILURE,
+                      ("Could not convert objectSID [%s] to a UNIX ID\n",
+                       sid_str));
+                ret = EIO;
+                goto fail;
+            }
         }
     } else {
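Review bot: The retry after sdap_idmap_add_domain logs exactly the same message as the first failure (`Could not convert objectSID [%s] to a UNIX ID`), so a log reader cannot tell whether the mapping failed outright or failed after a domain was just provisioned; the second DEBUG should read `("Could not convert objectSID [%s] to a UNIX ID even after adding domain [%s]\n", sid_str, dom_sid_str)`. The new domain is created on the strength of an objectSID value read from the directory, so every unfamiliar domain SID in a user entry consumes a new slice with no cap in this hunk; a comment by the `-1` argument stating what it means (presumably "auto-assign the next free slice", going by the commit message — confirm against sdap_idmap_add_domain) and noting that slice consumption is unbounded here would help a maintainer. The `(uint32_t *)&uid` cast is repeated on the retry; it was already present, but if uid_t is not a 32-bit type on some target this writes through an incompatible pointer, which is worth a one-line `/* assumes uid_t is 32 bits */` note. sdap_save_user starts and ends outside the hunk.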