sssd/0074-ipa-compare-DNs-instead-of-group-names-in-ipa_s2n_sa.patch


From 97becd502f5d8aa74b94eee78a949825222b6933 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Nov 2017 16:45:45 +0100
Subject: [PATCH 74/79] ipa: compare DNs instead of group names in
ipa_s2n_save_objects()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If group names are used to compare the current list of group memberships
returned by the server with the one from the cache, some groups might end
up in the wrong result list if group names are overridden. This
ambiguity can be resolved by using the DNs of the cached objects.
Related to https://pagure.io/SSSD/sssd/issue/3579
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 31 ++++++++++++-------------------
1 file changed, 12 insertions(+), 19 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 49c393e9a1eb19ab683949cf633a6838274bc0fe..8b97f78620f19b0708e8a480cb72fd7f12d96dfb 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -2185,10 +2185,9 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
struct ldb_result *res;
enum sysdb_member_type type;
char **sysdb_grouplist;
- char **add_groups;
char **add_groups_dns;
- char **del_groups;
char **del_groups_dns;
+ char **groups_dns;
bool in_transaction = false;
int tret;
struct sysdb_attrs *gid_override_attrs = NULL;
@@ -2514,33 +2513,27 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
}
if (attrs->response_type == RESP_USER_GROUPLIST) {
- ret = get_sysdb_grouplist(tmp_ctx, dom->sysdb, dom, name,
- &sysdb_grouplist);
+ ret = get_sysdb_grouplist_dn(tmp_ctx, dom->sysdb, dom, name,
+ &sysdb_grouplist);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "get_sysdb_grouplist failed.\n");
goto done;
}
- ret = diff_string_lists(tmp_ctx, attrs->groups,
- sysdb_grouplist, &add_groups,
- &del_groups, NULL);
+ ret = get_groups_dns(tmp_ctx, dom, attrs->groups, &groups_dns);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
+ goto done;
+ }
+
+ ret = diff_string_lists(tmp_ctx, groups_dns,
+ sysdb_grouplist, &add_groups_dns,
+ &del_groups_dns, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "diff_string_lists failed.\n");
goto done;
}
- ret = get_groups_dns(tmp_ctx, dom, add_groups, &add_groups_dns);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
- goto done;
- }
-
- ret = get_groups_dns(tmp_ctx, dom, del_groups, &del_groups_dns);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
- goto done;
- }
-
DEBUG(SSSDBG_TRACE_INTERNAL, "Updating memberships for %s\n",
name);
ret = sysdb_update_members_dn(dom, name, SYSDB_MEMBER_USER,
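Review bot: The failure message after the renamed call still reads `"get_sysdb_grouplist failed.\n"` although the code now calls `get_sysdb_grouplist_dn()`, so the log names a function that is no longer used here; it should read `DEBUG(SSSDBG_OP_FAILURE, "get_sysdb_grouplist_dn failed.\n");`. Separately, `diff_string_lists()` now receives DN strings built by two different helpers, `get_groups_dns()` and `get_sysdb_grouplist_dn()`, and judging by its name it compares them as plain strings. If the two helpers do not produce the same linearized form (case, spacing), a group the user already belongs to would presumably appear in both `add_groups_dns` and `del_groups_dns`, leaving the cached membership that access decisions rely on in an incorrect state. Neither helper is visible in this hunk, so this should be confirmed and the assumption recorded above the diff call, e.g. `/* both lists hold sysdb DNs in the same linearized form */`. `ipa_s2n_save_objects()` begins and ends outside the hunk.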
--
2.15.1