From 5e60c73cb91d1659755fb5ea829837db68d46163 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 14 Jun 2013 13:09:00 +0200
Subject: Add support for new ipaRangeType attribute
Recent versions of FreeIPA support a range type attribute to allow different type of ranges for sub/trusted-domains. If the attribute is available it will be used, if not the right value is determined with the help of the other idrange attributes.
Fixes https://fedorahosted.org/sssd/ticket/1961
---
 src/providers/ipa/ipa_common.h | 4 ++++
 src/providers/ipa/ipa_idmap.c | 5 +----
 src/providers/ipa/ipa_subdomains.c | 33 +++++++++++++++++++++++++++++++--
 3 files changed, 36 insertions(+), 6 deletions(-)
(limited to 'src/providers/ipa')
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 6dacdc57..8bf2d3e1 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -142,6 +142,10 @@ struct ipa_options {
 struct ipa_auth_ctx *auth_ctx;
 };
+#define IPA_RANGE_LOCAL "ipa-local"
+#define IPA_RANGE_AD_TRUST "ipa-ad-trust"
+#define IPA_RANGE_AD_TRUST_POSIX "ipa-ad-trust-posix"
+
 /* options parsers */
 int ipa_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb,
diff --git a/src/providers/ipa/ipa_idmap.c b/src/providers/ipa/ipa_idmap.c
index a02724f3..c108ca75 100644
--- a/src/providers/ipa/ipa_idmap.c
+++ b/src/providers/ipa/ipa_idmap.c
@@ -23,10 +23,7 @@
 #include "util/util.h"
 #include "providers/ldap/sdap_idmap.h"
-
-#define IPA_RANGE_LOCAL "ipa-local"
-#define IPA_RANGE_AD_TRUST "ipa-ad-trust"
-#define IPA_RANGE_AD_TRUST_POSIX "ipa-ad-trust-posix"
+#include "providers/ipa/ipa_common.h"
 static void * ipa_idmap_talloc(size_t size, void *pvt)
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 76ea709a..120b9553 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -35,6 +35,7 @@
 #define IPA_FLATNAME "ipaNTFlatName"
 #define IPA_SID "ipaNTSecurityIdentifier"
 #define IPA_TRUSTED_DOMAIN_SID "ipaNTTrustedDomainSID"
+#define IPA_RANGE_TYPE "ipaRangeType"
 #define IPA_BASE_ID "ipaBaseID"
 #define IPA_ID_RANGE_SIZE "ipaIDRangeSize"
@@ -60,7 +61,7 @@ enum ipa_subdomains_req_type {
 struct ipa_subdomains_req_params {
 const char *filter;
 tevent_req_fn cb;
- const char *attrs[8];
+ const char *attrs[9];
 };
 struct ipa_subdomains_ctx {
@@ -188,6 +189,34 @@ static errno_t ipa_ranges_parse_results(TALLOC_CTX *mem_ctx,
 DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
 goto done;
 }
+
+ ret = sysdb_attrs_get_string(reply[c], IPA_RANGE_TYPE, &value);
+ if (ret == EOK) {
+ range_list[c]->range_type = talloc_strdup(range_list[c], value);
+ if (range_list[c]->range_type == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+ } else if (ret == ENOENT) {
+ /* Older IPA servers might not have the range_type attribute, but
+ * only support local ranges and trusts with algorithmic mapping. */
+ if (range_list[c]->trusted_dom_sid == NULL) {
+ range_list[c]->range_type = talloc_strdup(range_list[c],
+ IPA_RANGE_LOCAL);
+ } else {
+ range_list[c]->range_type = talloc_strdup(range_list[c],
+ IPA_RANGE_AD_TRUST);
+ }
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n"));
+ goto done;
+ }
+ if (range_list[c]->range_type == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
 }
 range_list[c] = NULL;
@@ -377,7 +406,7 @@ static struct ipa_subdomains_req_params subdomain_requests[] = {
 ipa_subdomains_handler_ranges_done,
 { OBJECTCLASS, IPA_CN, IPA_BASE_ID, IPA_BASE_RID, IPA_SECONDARY_BASE_RID,
- IPA_ID_RANGE_SIZE, IPA_TRUSTED_DOMAIN_SID, NULL
+ IPA_ID_RANGE_SIZE, IPA_TRUSTED_DOMAIN_SID, IPA_RANGE_TYPE, NULL
 }
 }
 };
-- cgit
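Review bot: `const char *attrs[9];` is a hand-maintained bound that the ranges entry in the `subdomain_requests` hunk now fills exactly (eight attribute names plus the terminating `NULL`), so there is no slack left. If a later change adds an attribute without bumping the bound, GCC by default only warns about the excess initializer and discards it, which would silently drop the `NULL` from what appears to be a NULL-terminated attribute list handed to the search code. I would document the invariant on the member, e.g. `/* NULL-terminated; size = longest attribute list + 1 */`, and preferably replace the literal with a named constant. Both the struct and the request table continue outside these hunks, so the other entries could not be checked here.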
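Review bot: In the `ret == EOK` branch of `ipa_ranges_parse_results`, the server-supplied `ipaRangeType` string is copied with `talloc_strdup()` without being compared against the values the provider defines (`IPA_RANGE_LOCAL`, `IPA_RANGE_AD_TRUST`, `IPA_RANGE_AD_TRUST_POSIX`) and without a consistency check against `trusted_dom_sid`. Because the range type decides how IDs in the range are mapped, an unrecognised or contradictory value (for example `ipa-local` on a range that carries a trusted-domain SID) should at least be logged at this point, e.g. `DEBUG(SSSDBG_MINOR_FAILURE, ("Unknown range type [%s].\n", value));`, unless a consumer outside this hunk already validates it. The `ENOENT` fallback also assumes `trusted_dom_sid` is NULL when the SID attribute was absent, which depends on how `range_list[c]` is allocated earlier in the function, outside the hunk. As a style point, the NULL check inside the `EOK` branch duplicates the one after the `if`/`else` chain and can be dropped.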