sssd/0074-ipa-compare-DNs-instead-of-group-names-in-ipa_s2n_sa.patch
Lukas Slebodnik 01409e3d48 Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout
Resolves: upstream#3588 - sssd_nss consumes more memory until restarted
                          or machine swaps
Resolves: failure in glibc tests
          https://sourceware.org/bugzilla/show_bug.cgi?id=22530
Resolves: upstream#3451 - When sssd is configured with id_provider proxy and
                          auth_provider ldap, login fails if the LDAP server
                          is not allowing anonymous binds
Resolves: upstream#3285 - SSSD needs restart after incorrect clock is
                          corrected with AD
Resolves: upstream#3586 - Give a more detailed debug and system-log message
                          if krb5_init_context() failed
Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet
                         in /etc/systemd/system
Backport few upstream features from 1.16.1

(cherry picked from commit 1dedfbb334)
2017-12-04 21:53:43 +01:00

86 lines
3.6 KiB
Diff

From 97becd502f5d8aa74b94eee78a949825222b6933 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Nov 2017 16:45:45 +0100
Subject: [PATCH 74/79] ipa: compare DNs instead of group names in
ipa_s2n_save_objects()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If group names are used to compare the current list of group memberships
returned by the server with the one from the cache some groups might end
up in the wrong result list if group names are overridden. This
ambiguity can be resolved by using the DNs of the cached objects.
Related to https://pagure.io/SSSD/sssd/issue/3579
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 31 ++++++++++++-------------------
1 file changed, 12 insertions(+), 19 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 49c393e9a1eb19ab683949cf633a6838274bc0fe..8b97f78620f19b0708e8a480cb72fd7f12d96dfb 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -2185,10 +2185,9 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
struct ldb_result *res;
enum sysdb_member_type type;
char **sysdb_grouplist;
- char **add_groups;
char **add_groups_dns;
- char **del_groups;
char **del_groups_dns;
+ char **groups_dns;
bool in_transaction = false;
int tret;
struct sysdb_attrs *gid_override_attrs = NULL;
@@ -2514,33 +2513,27 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
}
if (attrs->response_type == RESP_USER_GROUPLIST) {
- ret = get_sysdb_grouplist(tmp_ctx, dom->sysdb, dom, name,
- &sysdb_grouplist);
+ ret = get_sysdb_grouplist_dn(tmp_ctx, dom->sysdb, dom, name,
+ &sysdb_grouplist);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "get_sysdb_grouplist failed.\n");
goto done;
}
- ret = diff_string_lists(tmp_ctx, attrs->groups,
- sysdb_grouplist, &add_groups,
- &del_groups, NULL);
+ ret = get_groups_dns(tmp_ctx, dom, attrs->groups, &groups_dns);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
+ goto done;
+ }
+
+ ret = diff_string_lists(tmp_ctx, groups_dns,
+ sysdb_grouplist, &add_groups_dns,
+ &del_groups_dns, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "diff_string_lists failed.\n");
goto done;
}
- ret = get_groups_dns(tmp_ctx, dom, add_groups, &add_groups_dns);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
- goto done;
- }
-
- ret = get_groups_dns(tmp_ctx, dom, del_groups, &del_groups_dns);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
- goto done;
- }
-
DEBUG(SSSDBG_TRACE_INTERNAL, "Updating memberships for %s\n",
name);
ret = sysdb_update_members_dn(dom, name, SYSDB_MEMBER_USER,
--
2.15.1