From d3e1d88ce7de3216a862b9fe78dc5aa94dcbc14b Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 25 Sep 2013 18:33:11 +0200 Subject: LDAP: Require ID numbers when ID mapping is off Related: https://fedorahosted.org/sssd/ticket/2070 When searching for users and groups without the use of ID mapping, make sure the UIDs and GIDs are included in the search. This will make the SSSD seemigly "miss" entries when searching in Global Catalog in the scenario where the POSIX attributes are not replicated to the GC. --- src/providers/ldap/ldap_id.c | 25 +++++++++++-- src/providers/ldap/sdap_async_initgroups.c | 59 ++++++++++++++++++++++++++++-- 2 files changed, 77 insertions(+), 7 deletions(-) diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index 5fd05ebb..162d987b 100644 --- a/src/providers/ldap/ldap_id.c +++ b/src/providers/ldap/ldap_id.c @@ -169,9 +169,28 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx, goto fail; } - state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))", - attr_name, clean_name, - ctx->opts->user_map[SDAP_OC_USER].name); + if (use_id_mapping || filter_type == BE_FILTER_SECID) { + /* When mapping IDs or looking for SIDs, we don't want to limit + * ourselves to users with a UID value. But there must be a SID to map + * from. + */ + state->filter = talloc_asprintf(state, + "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))", + attr_name, clean_name, + ctx->opts->user_map[SDAP_OC_USER].name, + ctx->opts->user_map[SDAP_AT_USER_NAME].name, + ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name); + } else { + /* When not ID-mapping, make sure there is a non-NULL UID */ + state->filter = talloc_asprintf(state, + "(&(%s=%s)(objectclass=%s)(%s=*)(&(%s=*)(!(%s=0))))", + attr_name, clean_name, + ctx->opts->user_map[SDAP_OC_USER].name, + ctx->opts->user_map[SDAP_AT_USER_NAME].name, + ctx->opts->user_map[SDAP_AT_USER_UID].name, + ctx->opts->user_map[SDAP_AT_USER_UID].name); + } + talloc_zfree(clean_name); if (!state->filter) { DEBUG(2, ("Failed to build the base filter\n")); diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index e645067b..157cf744 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c @@ -1442,7 +1442,7 @@ struct sdap_initgr_rfc2307bis_state { struct sss_domain_info *dom; struct sdap_handle *sh; const char *name; - const char *base_filter; + char *base_filter; char *filter; const char **attrs; const char *orig_dn; @@ -1493,6 +1493,7 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send( struct sdap_initgr_rfc2307bis_state *state; const char **attr_filter; char *clean_orig_dn; + bool use_id_mapping; req = tevent_req_create(memctx, &state, struct sdap_initgr_rfc2307bis_state); if (!req) return NULL; @@ -1540,8 +1541,11 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send( ret = sss_filter_sanitize(state, orig_dn, &clean_orig_dn); if (ret != EOK) goto done; + use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(opts->idmap_ctx, + dom->domain_id); + state->base_filter = - talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*))", + talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)", opts->group_map[SDAP_AT_GROUP_MEMBER].name, clean_orig_dn, opts->group_map[SDAP_OC_GROUP].name, @@ -1550,6 +1554,28 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send( ret = ENOMEM; goto done; } + + if (use_id_mapping) { + /* When mapping IDs or looking for SIDs, we don't want to limit + * ourselves to groups with a GID value. But there must be a SID to map + * from. + */ + state->base_filter = talloc_asprintf_append(state->base_filter, + "(%s=*))", + opts->group_map[SDAP_AT_GROUP_OBJECTSID].name); + } else { + /* When not ID-mapping, make sure there is a non-NULL UID */ + state->base_filter = talloc_asprintf_append(state->base_filter, + "(&(%s=*)(!(%s=0))))", + opts->group_map[SDAP_AT_GROUP_GID].name, + opts->group_map[SDAP_AT_GROUP_GID].name); + } + if (!state->base_filter) { + talloc_zfree(req); + return NULL; + } + + talloc_zfree(clean_orig_dn); ret = sdap_initgr_rfc2307bis_next_base(req); @@ -2551,7 +2577,7 @@ struct sdap_get_initgr_state { const char *name; const char **grp_attrs; const char **user_attrs; - const char *user_base_filter; + char *user_base_filter; char *filter; int timeout; @@ -2580,6 +2606,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, struct sdap_get_initgr_state *state; int ret; char *clean_name; + bool use_id_mapping; DEBUG(9, ("Retrieving info for initgroups call\n")); @@ -2606,6 +2633,10 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, goto done; } + use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping( + id_ctx->opts->idmap_ctx, + sdom->dom->domain_id); + ret = sss_filter_sanitize(state, name, &clean_name); if (ret != EOK) { talloc_zfree(req); @@ -2613,7 +2644,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, } state->user_base_filter = - talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))", + talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)", state->opts->user_map[SDAP_AT_USER_NAME].name, clean_name, state->opts->user_map[SDAP_OC_USER].name); @@ -2622,6 +2653,26 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, return NULL; } + if (use_id_mapping) { + /* When mapping IDs or looking for SIDs, we don't want to limit + * ourselves to users with a UID value. But there must be a SID to map + * from. + */ + state->user_base_filter = talloc_asprintf_append(state->user_base_filter, + "(%s=*))", + id_ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name); + } else { + /* When not ID-mapping, make sure there is a non-NULL UID */ + state->user_base_filter = talloc_asprintf_append(state->user_base_filter, + "(&(%s=*)(!(%s=0))))", + id_ctx->opts->user_map[SDAP_AT_USER_UID].name, + id_ctx->opts->user_map[SDAP_AT_USER_UID].name); + } + if (!state->user_base_filter) { + talloc_zfree(req); + return NULL; + } + ret = build_attrs_from_map(state, state->opts->user_map, SDAP_OPTS_USER, NULL, &state->user_attrs, NULL); if (ret) { -- cgit