sssd/0073-IPA-use-cache-searches-in-get_groups_dns.patch
Lukas Slebodnik 1dedfbb334 Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout
Resolves: upstream#3588 - sssd_nss consumes more memory until restarted
                          or machine swaps
Resolves: failure in glibc tests
          https://sourceware.org/bugzilla/show_bug.cgi?id=22530
Resolves: upstream#3451 - When sssd is configured with id_provider proxy and
                          auth_provider ldap, login fails if the LDAP server
                          is not allowing anonymous binds
Resolves: upstream#3285 - SSSD needs restart after incorrect clock is
                          corrected with AD
Resolves: upstream#3586 - Give a more detailed debug and system-log message
                          if krb5_init_context() failed
Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet
                         in /etc/systemd/system
Backport few upstream features from 1.16.1
2017-12-04 21:42:37 +01:00


From d1d62630e1d1c6a88fe4bf8612cb4f9a2fff7181 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Nov 2017 16:41:29 +0100
Subject: [PATCH 73/79] IPA: use cache searches in get_groups_dns()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the group name is overridden in the default view we have to search
for the name and cannot construct it because the extdom plugin will
return the overridden name but the DN of the related group object in the
cache will contain the original name.
Related to https://pagure.io/SSSD/sssd/issue/3579
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/providers/ipa/ipa_s2n_exop.c | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index c6132f509dcc8e7af84e03e8bfe20701107d1392..49c393e9a1eb19ab683949cf633a6838274bc0fe 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -2038,6 +2038,7 @@ static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
int c;
struct sss_domain_info *root_domain;
char **dn_list;
+ struct ldb_message *msg;
if (name_list == NULL) {
*_dn_list = NULL;
@@ -2082,15 +2083,25 @@ static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
goto done;
}
- /* This might fail if some unexpected cases are used. But current
- * sysdb code which handles group membership constructs DNs this way
- * as well, IPA names are lowercased and AD names by default will be
- * lowercased as well. If there are really use-cases which cause an
- * issue here, sysdb_group_strdn() has to be replaced by a proper
- * search. */
- dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
+ /* If the group name is overridden in the default view we have to
+ * search for the name and cannot construct it because the extdom
+ * plugin will return the overridden name but the DN of the related
+ * group object in the cache will contain the original name. */
+
+ ret = sysdb_search_group_by_name(tmp_ctx, dom, name_list[c], NULL,
+ &msg);
+ if (ret == EOK) {
+ dn_list[c] = ldb_dn_alloc_linearized(dn_list, msg->dn);
+ } else {
+ /* best effort, try to construct the DN */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "sysdb_search_group_by_name failed with [%d], "
+ "generating DN for [%s] in domain [%s].\n",
+ ret, name_list[c], dom->name);
+ dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
+ }
if (dn_list[c] == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "sysdb_group_strdn failed.\n");
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_alloc_linearized failed.\n");
ret = ENOMEM;
goto done;
}
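Review bot: The else branch treats every non-EOK return from sysdb_search_group_by_name() the same way, so a genuine cache error falls through to sysdb_group_strdn() just like a group that is not found, and it is logged only at SSSDBG_TRACE_FUNC. Consider taking the fallback only when the group is not found and reporting other return codes at a more visible debug level, because the new comment itself states that a constructed DN will not match the cached object when the name is overridden. The NULL check that follows now logs "ldb_dn_alloc_linearized failed." even when dn_list[c] came from sysdb_group_strdn() in the fallback path; a message that names neither function, or a separate check per branch, would keep the log accurate.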
--
2.15.1