01409e3d48
Resolves: upstream#3588 - sssd_nss consumes more memory until restarted
or machine swaps
Resolves: failure in glibc tests
https://sourceware.org/bugzilla/show_bug.cgi?id=22530
Resolves: upstream#3451 - When sssd is configured with id_provider proxy and
auth_provider ldap, login fails if the LDAP server
is not allowing anonymous binds
Resolves: upstream#3285 - SSSD needs restart after incorrect clock is
corrected with AD
Resolves: upstream#3586 - Give a more detailed debug and system-log message
if krb5_init_context() failed
Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet
in /etc/systemd/system
Backport few upstream features from 1.16.1
(cherry picked from commit 1dedfbb334
)
86 lines
3.6 KiB
Diff
86 lines
3.6 KiB
Diff
From 97becd502f5d8aa74b94eee78a949825222b6933 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Mon, 20 Nov 2017 16:45:45 +0100
|
|
Subject: [PATCH 74/79] ipa: compare DNs instead of group names in
|
|
ipa_s2n_save_objects()
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
If group names are used to compare the current list of group memberships
|
|
returned by the server with the one from the cache some groups might end
|
|
up in the wrong result list if group names are overridden. This
|
|
ambiguity can be resolved by using the DNs of the cached objects.
|
|
|
|
Related to https://pagure.io/SSSD/sssd/issue/3579
|
|
|
|
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
---
|
|
src/providers/ipa/ipa_s2n_exop.c | 31 ++++++++++++-------------------
|
|
1 file changed, 12 insertions(+), 19 deletions(-)
|
|
|
|
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
|
|
index 49c393e9a1eb19ab683949cf633a6838274bc0fe..8b97f78620f19b0708e8a480cb72fd7f12d96dfb 100644
|
|
--- a/src/providers/ipa/ipa_s2n_exop.c
|
|
+++ b/src/providers/ipa/ipa_s2n_exop.c
|
|
@@ -2185,10 +2185,9 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
|
struct ldb_result *res;
|
|
enum sysdb_member_type type;
|
|
char **sysdb_grouplist;
|
|
- char **add_groups;
|
|
char **add_groups_dns;
|
|
- char **del_groups;
|
|
char **del_groups_dns;
|
|
+ char **groups_dns;
|
|
bool in_transaction = false;
|
|
int tret;
|
|
struct sysdb_attrs *gid_override_attrs = NULL;
|
|
@@ -2514,33 +2513,27 @@ static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
|
|
}
|
|
|
|
if (attrs->response_type == RESP_USER_GROUPLIST) {
|
|
- ret = get_sysdb_grouplist(tmp_ctx, dom->sysdb, dom, name,
|
|
- &sysdb_grouplist);
|
|
+ ret = get_sysdb_grouplist_dn(tmp_ctx, dom->sysdb, dom, name,
|
|
+ &sysdb_grouplist);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_OP_FAILURE, "get_sysdb_grouplist failed.\n");
|
|
goto done;
|
|
}
|
|
|
|
- ret = diff_string_lists(tmp_ctx, attrs->groups,
|
|
- sysdb_grouplist, &add_groups,
|
|
- &del_groups, NULL);
|
|
+ ret = get_groups_dns(tmp_ctx, dom, attrs->groups, &groups_dns);
|
|
+ if (ret != EOK) {
|
|
+ DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ ret = diff_string_lists(tmp_ctx, groups_dns,
|
|
+ sysdb_grouplist, &add_groups_dns,
|
|
+ &del_groups_dns, NULL);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_OP_FAILURE, "diff_string_lists failed.\n");
|
|
goto done;
|
|
}
|
|
|
|
- ret = get_groups_dns(tmp_ctx, dom, add_groups, &add_groups_dns);
|
|
- if (ret != EOK) {
|
|
- DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
|
|
- goto done;
|
|
- }
|
|
-
|
|
- ret = get_groups_dns(tmp_ctx, dom, del_groups, &del_groups_dns);
|
|
- if (ret != EOK) {
|
|
- DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
|
|
- goto done;
|
|
- }
|
|
-
|
|
DEBUG(SSSDBG_TRACE_INTERNAL, "Updating memberships for %s\n",
|
|
name);
|
|
ret = sysdb_update_members_dn(dom, name, SYSDB_MEMBER_USER,
|
|
--
|
|
2.15.1
|
|
|