diff options
| author | Ondrej Kos <[email protected]> | 2013-09-03 12:27:17 +0200 |
|---|---|---|
| committer | Ondrej Kos <[email protected]> | 2013-09-11 18:03:53 +0200 |
| commit | 3d58b3e8c6f4dca1582634a46f59c5144261609d (patch) | |
| tree | 29bac7d247e719545c7f8a69639eeb12eaf05999 | |
| parent | 52de962038d8b226ee3313a357aab1d859848cca (diff) | |
| download | sssd-token3.tar.gz sssd-token3.tar.xz sssd-token3.zip | |
AD: Enable TokenGroups initgroups lookuptoken3
This is first implementation of getting TokenGroups lookup working.
If all of the group SIDs that are fetched via the users TokenGroups
attribute are in sysdb, the membership is processed this way. If any of
the groups is missing in the cache, it falls back to rfc2307bis
initgroups lookup.
Resolves:
https://fedorahosted.org/sssd/ticket/1568
| -rw-r--r-- | src/providers/ldap/sdap_async.h | 7 | ||||
| -rw-r--r-- | src/providers/ldap/sdap_async_initgroups.c | 44 | ||||
| -rw-r--r-- | src/providers/ldap/sdap_async_initgroups_ad.c | 136 | ||||
| -rw-r--r-- | src/providers/ldap/sdap_async_private.h | 1 |
4 files changed, 133 insertions, 55 deletions
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h index af41c719..3b6aaee6 100644 --- a/src/providers/ldap/sdap_async.h +++ b/src/providers/ldap/sdap_async.h @@ -286,10 +286,13 @@ sdap_get_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx, struct sdap_handle *sh, const char *name, const char *orig_dn, - int timeout); + int timeout, + bool use_id_mapping); errno_t -sdap_get_ad_tokengroups_initgroups_recv(struct tevent_req *req); +sdap_get_ad_tokengroups_initgroups_recv(struct tevent_req *req, + bool *_lookup_sids, + char ***_group_sid_list); errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb, struct sss_domain_info *domain, diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index e3539e91..a926dc72 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c @@ -2571,6 +2571,7 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, state->name = name; state->grp_attrs = grp_attrs; state->orig_user = NULL; + state->cname = NULL; state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT); state->user_base_iter = 0; state->user_search_bases = sdom->user_search_bases; @@ -2665,7 +2666,6 @@ static void sdap_get_initgr_user(struct tevent_req *subreq) int ret; errno_t sret; const char *orig_dn; - const char *cname; bool in_transaction = false; DEBUG(9, ("Receiving info for the user\n")); @@ -2738,7 +2738,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq) in_transaction = false; ret = sysdb_get_real_name(state, state->sysdb, - state->dom, state->name, &cname); + state->dom, state->name, &state->cname); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, ("Cannot canonicalize username\n")); tevent_req_error(req, ret); @@ -2751,7 +2751,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq) case SDAP_SCHEMA_RFC2307: subreq = sdap_initgr_rfc2307_send(state, state->ev, state->opts, state->sysdb, state->dom, state->sh, - cname); + state->cname); if (!subreq) { tevent_req_error(req, ENOMEM); return; @@ -2769,8 +2769,7 @@ static void sdap_get_initgr_user(struct tevent_req *subreq) return; } - if (state->use_id_mapping - && state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008) { + if (state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008) { /* Take advantage of AD's tokenGroups mechanism to look up all * parent groups in a single request. */ @@ -2779,8 +2778,10 @@ static void sdap_get_initgr_user(struct tevent_req *subreq) state->sysdb, state->dom, state->sh, - cname, orig_dn, - state->timeout); + state->cname, + orig_dn, + state->timeout, + state->use_id_mapping); } else if (state->opts->support_matching_rule && dp_opt_get_bool(state->opts->basic, SDAP_AD_MATCHING_RULE_INITGROUPS)) { @@ -2792,13 +2793,17 @@ static void sdap_get_initgr_user(struct tevent_req *subreq) state->sysdb, state->dom, state->sh, - cname, orig_dn, + state->cname, + orig_dn, state->timeout); } else { - subreq = sdap_initgr_rfc2307bis_send( - state, state->ev, state->opts, state->sysdb, - state->dom, state->sh, - cname, orig_dn); + subreq = sdap_initgr_rfc2307bis_send(state, state->ev, + state->opts, + state->sysdb, + state->dom, + state->sh, + state->cname, + orig_dn); } if (!subreq) { tevent_req_error(req, ENOMEM); @@ -2852,7 +2857,8 @@ static void sdap_get_initgr_done(struct tevent_req *subreq) char *group_sid_str; struct sdap_options *opts = state->opts; - DEBUG(9, ("Initgroups done\n")); + char **group_sid_list; + bool lookup_sids = false; tmp_ctx = talloc_new(NULL); if (!tmp_ctx) { @@ -2867,9 +2873,8 @@ static void sdap_get_initgr_done(struct tevent_req *subreq) case SDAP_SCHEMA_RFC2307BIS: case SDAP_SCHEMA_AD: - if (state->use_id_mapping - && state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008) { - ret = sdap_get_ad_tokengroups_initgroups_recv(subreq); + if (state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2008) { + ret = sdap_get_ad_tokengroups_initgroups_recv(subreq, &lookup_sids, &group_sid_list); } else if (state->opts->support_matching_rule && dp_opt_get_bool(state->opts->basic, @@ -2890,6 +2895,13 @@ static void sdap_get_initgr_done(struct tevent_req *subreq) break; } + if (lookup_sids) { + DEBUG(SSSDBG_TRACE_FUNC, ("Some of users TokenGroups not found in " + "cache, will perform LDAP lookup.\n")); + } + + DEBUG(9, ("Initgroups done\n")); + talloc_zfree(subreq); if (ret) { DEBUG(9, ("Error in initgroups: [%d][%s]\n", diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c index e5649a2b..8fc56c0e 100644 --- a/src/providers/ldap/sdap_async_initgroups_ad.c +++ b/src/providers/ldap/sdap_async_initgroups_ad.c @@ -305,6 +305,9 @@ struct sdap_ad_tokengroups_initgr_state { struct sss_domain_info *domain; struct sdap_handle *sh; const char *username; + bool use_id_mapping; + bool lookup_sids; + char **group_sid_list; }; static void @@ -319,7 +322,8 @@ sdap_get_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx, struct sdap_handle *sh, const char *name, const char *orig_dn, - int timeout) + int timeout, + bool use_id_mapping) { struct tevent_req *req; struct tevent_req *subreq; @@ -336,6 +340,9 @@ sdap_get_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx, state->domain = domain; state->sh = sh; state->username = name; + state->use_id_mapping = use_id_mapping; + state->lookup_sids = false; + state->group_sid_list = NULL; subreq = sdap_get_generic_send( state, state->ev, state->opts, state->sh, @@ -359,6 +366,7 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq) errno_t ret, sret; enum idmap_error_code err; size_t user_count, group_count, i; + size_t sid_count = 0; TALLOC_CTX *tmp_ctx; bool in_transaction = false; char *sid_str; @@ -442,6 +450,14 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq) } group_count = 0; + if (!state->use_id_mapping) { + state->group_sid_list = talloc_array(state, char*, el->num_values + 1); + if (!state->group_sid_list) { + ret = ENOMEM; + goto done; + } + } + for (i = 0; i < el->num_values; i++) { /* Get the SID and convert it to a GID */ @@ -464,20 +480,29 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq) DEBUG(SSSDBG_TRACE_FUNC, ("Skipping built-in object.\n")); ret = EOK; continue; - } else if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - ("Could not convert SID to GID: [%s]. Skipping\n", - strerror(ret))); - continue; } - DEBUG(SSSDBG_TRACE_LIBS, - ("Processing membership GID [%lu]\n", - gid)); + if (state->use_id_mapping) { + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + ("Could not convert SID to GID: [%s]. Skipping\n", + strerror(ret))); + continue; + } + + DEBUG(SSSDBG_TRACE_LIBS, + ("Processing membership GID [%lu]\n", + gid)); + + /* Check whether this GID already exists in the sysdb */ + ret = sysdb_search_group_by_gid(tmp_ctx, state->sysdb, state->domain, + gid, attrs, &msg); + } else { + ret = sysdb_search_group_by_sid_str(tmp_ctx, state->sysdb, + state->domain, sid_str, attrs, + &msg); + } - /* Check whether this GID already exists in the sysdb */ - ret = sysdb_search_group_by_gid(tmp_ctx, state->sysdb, state->domain, - gid, attrs, &msg); if (ret == EOK) { group_name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); if (!group_name) { @@ -486,23 +511,59 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq) ret = EINVAL; goto done; } - } else if (ret == ENOENT) { - /* This is a new group. For now, we will store it - * under the name of its SID. When a direct lookup of - * the group or its GID occurs, it will replace this - * temporary entry. - */ - group_name = sid_str; - ret = sysdb_add_incomplete_group(state->sysdb, - state->domain, - group_name, gid, - NULL, sid_str, false, now); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - ("Could not create incomplete group: [%s]\n", - strerror(ret))); + + ldap_grouplist[group_count] = + talloc_strdup(ldap_grouplist, group_name); + if (!ldap_grouplist[group_count]) { + ret = ENOMEM; goto done; } + + group_count++; + + } else if (ret == ENOENT) { + if (state->use_id_mapping) { + /* This is a new group. For now, we will store it + * under the name of its SID. When a direct lookup of + * the group or its GID occurs, it will replace this + * temporary entry. + */ + group_name = sid_str; + ret = sysdb_add_incomplete_group(state->sysdb, + state->domain, + group_name, gid, + NULL, sid_str, false, now); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + ("Could not create incomplete group: [%s]\n", + strerror(ret))); + goto done; + } + + ldap_grouplist[group_count] = + talloc_strdup(ldap_grouplist, group_name); + if (!ldap_grouplist[group_count]) { + ret = ENOMEM; + goto done; + } + + group_count++; + + } else { + DEBUG(SSSDBG_MINOR_FAILURE, ("SID [%s] not found in cache, " + "will be looked up\n", sid_str)); + + state->lookup_sids = true; + + state->group_sid_list[sid_count] = + talloc_strdup(state, sid_str); + if (!state->group_sid_list[sid_count]) { + ret = ENOMEM; + goto done; + } + + sid_count++; + } } else { /* Unexpected error */ DEBUG(SSSDBG_MINOR_FAILURE, @@ -510,17 +571,9 @@ sdap_get_ad_tokengroups_initgroups_lookup_done(struct tevent_req *subreq) strerror(ret))); goto done; } - - ldap_grouplist[group_count] = - talloc_strdup(ldap_grouplist, group_name); - if (!ldap_grouplist[group_count]) { - ret = ENOMEM; - goto done; - } - - group_count++; } ldap_grouplist[group_count] = NULL; + state->group_sid_list[sid_count] = NULL; /* Get the current sysdb group list for this user * so we can update it. @@ -582,8 +635,17 @@ done: } errno_t -sdap_get_ad_tokengroups_initgroups_recv(struct tevent_req *req) +sdap_get_ad_tokengroups_initgroups_recv(struct tevent_req *req, + bool *_lookup_sids, + char ***_group_sid_list) { + struct sdap_ad_tokengroups_initgr_state *state = + tevent_req_data(req, struct sdap_ad_tokengroups_initgr_state); + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_lookup_sids = state->lookup_sids; + *_group_sid_list = state->group_sid_list; + return EOK; } diff --git a/src/providers/ldap/sdap_async_private.h b/src/providers/ldap/sdap_async_private.h index 4d0b8652..27b8e365 100644 --- a/src/providers/ldap/sdap_async_private.h +++ b/src/providers/ldap/sdap_async_private.h @@ -44,6 +44,7 @@ struct sdap_get_initgr_state { struct sdap_id_ctx *id_ctx; struct sdap_id_conn_ctx *conn; const char *name; + const char *cname; const char **grp_attrs; const char **user_attrs; const char *user_base_filter; |