[sssd PR#239][opened] HBAC: Use memberof ASQ search instead of originalMemberOf
by jhrozek
URL: https://github.com/SSSD/sssd/pull/239
Author: jhrozek
Title: #239: HBAC: Use memberof ASQ search instead of originalMemberOf
Action: opened
PR body:
"""
This PR should fix the bug we were seeing in the HBAC evaluation of users
from a trusted AD domain where the originalMemberOf didn't match the
memberOf attributes.
Because maintaining the originalMemberOf attributes is fragile, let's
instead dereference the memberOf attribute and look at the names of the groups
this way.
To make sure we only consider IPA groups and not groups from trusted
domains, we construct a base DN of the IPA domain sysdb group container
and pop the RDN from the DN of the object examined and compare the two.
If other developers think it's too much of a hack, we can just search the
IPA domain with a BASE search and the group DN. A BASE search is just a
direct lookup on the LDB level, so it wouldn't be too slow either.
"""
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/239/head:pr239
git checkout pr239
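An added illustration of the "pop the RDN and compare" check the PR body describes; this is not code from the PR or from SSSD. It assumes the sysdb layout cn=groups,cn=&lt;domain&gt;,cn=sysdb and constructed sample DNs for an IPA domain ipa.test and a trusted subdomain ad.test, and hand-parses the DN string to show what the comparison decides, including an escaped comma inside an RDN value:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* Case-insensitive equality; DN components in the sysdb compare that way. */
static bool str_eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    }
    return *a == '\0' && *b == '\0';
}

/* First unescaped ',' in dn, or NULL. A backslash escapes the next character,
 * so a comma inside an RDN value (name=a\,b) does not end the RDN. */
static const char *first_unescaped_comma(const char *dn)
{
    for (const char *p = dn; *p; p++) {
        if (*p == '\\' && p[1]) p++;
        else if (*p == ',') return p;
    }
    return NULL;
}

/* Pop the leading RDN of obj_dn and compare the rest with container_dn.
 * True means obj_dn sits directly in that container, e.g. a group in the IPA
 * domain's own group container rather than in a trusted subdomain's. */
bool dn_is_direct_child(const char *obj_dn, const char *container_dn)
{
    const char *comma = first_unescaped_comma(obj_dn);
    if (comma == NULL) return false;        /* a lone RDN has no parent */
    const char *parent = comma + 1;
    while (*parent == ' ') parent++;        /* tolerate "rdn, parent" */
    return str_eq_nocase(parent, container_dn);
}

int main(void)
{
    /* Constructed DNs; assumed sysdb layout: cn=groups,cn=<domain>,cn=sysdb */
    const char *ipa_groups = "cn=groups,cn=ipa.test,cn=sysdb";
    const char *dns[] = {
        "name=admins,cn=groups,cn=ipa.test,cn=sysdb",
        "name=domain users@ad.test,cn=groups,cn=ad.test,cn=sysdb",
    };
    for (int i = 0; i < 2; i++)
        printf("%s -> %s\n", dns[i],
               dn_is_direct_child(dns[i], ipa_groups) ? "IPA group" : "skip");
    return 0;
}
```

Real ldb code would use ldb_dn_get_parent() and ldb_dn_compare() instead of hand-parsing the string; the point here is what the check accepts and rejects.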
AD Trust code question - s2n exop parsing of double-qualified name
by Justin Stephenson
Hello,
I was working on a fix for BZ #1433835 (IPA clients fails to retrieve
groups with @-sign in the group name in an IPA-AD trust setup), where the
patch at the end of this email seems to work well, properly parsing a
double-qualified object such as a group name like 'group@testing@domain':
[ipa_s2n_get_user_done] (0x0400): Received [4] groups in group list from
IPA Server
[ipa_s2n_get_user_done] (0x0400): [trustuser1@ad.jstephen].
[ipa_s2n_get_user_done] (0x0400): [customgroup@testing@ad.jstephen].
[ipa_s2n_get_user_done] (0x0400): [trustgroup@ad.jstephen].
[ipa_s2n_get_user_done] (0x0400): [domain users@ad.jstephen].
However, there is a subsequent group lookup extended operation which
fails on the IPA server when the NSS responder is unable to parse the
double-qualified name.
- Client
[ipa_s2n_get_list_step] (0x0400): Sending request_type:
[REQ_FULL_WITH_MEMBERS] for group [customgroup@testing@ad.jstephen].
[ipa_s2n_exop_send] (0x0400): Executing extended operation
[ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 14
[ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such
object(32), (null).
[ipa_s2n_get_list_next] (0x0040): s2n exop request failed.
[ipa_s2n_get_list_done] (0x0040): s2n get_fqlist request failed.
- Server
[nss_getby_name] (0x0400): Input name: customgroup@testing
[cache_req_set_plugin] (0x2000): CR #16: Setting "Group by name" plugin
[cache_req_send] (0x0400): CR #16: New request 'Group by name'
[cache_req_process_input] (0x0400): CR #16: Parsing input name
[customgroup@testing]
[sss_domain_get_state] (0x1000): Domain idm.jstephen is Active
[sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
[sss_parse_inp_send] (0x0200): Requesting info for [(null)] from [testing]
[sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
[sss_dp_get_domains_send] (0x0400): Last call was too recent, nothing to do!
[sss_domain_get_state] (0x1000): Domain idm.jstephen is Active
[sss_domain_get_state] (0x1000): Domain AD.JSTEPHEN is Active
[sss_parse_inp_done] (0x0040): Unknown domain in [customgroup@testing]
[nss_protocol_done] (0x4000): Sending reply: error [1432158243]: Domain
not found
I suspect the input to the NSS responder received here is output from
the extdom plugin parsing the domain and object name.
I was looking for some advice on the best way to fix this, or if my
patch is doing things horribly wrong then just let me know please :)
----------------------------
diff --git a/src/providers/ipa/ipa_s2n_exop.c
b/src/providers/ipa/ipa_s2n_exop.c
index 2173db3..8bdc3f4 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -550,6 +550,68 @@ static errno_t get_extra_attrs(BerElement *ber,
struct resp_attrs *resp_attrs)
return EOK;
}
+static errno_t ipa_s2n_parse_name(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *dom,
+ char *fq_name,
+ char **_domain,
+ char **_name)
+{
+ char *parsed_domain = NULL;
+ char *parsed_name = NULL;
+ char *mid_name = NULL;
+ char *real_domain = NULL;
+ char *real_name = NULL;
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sss_parse_name(mem_ctx, dom->names, fq_name,
+ &parsed_domain, &parsed_name);
+
+ /* Handle parsing double-qualified object name@something@domain */
+ if ((strchr(parsed_domain, '@')) != NULL) {
+ ret = sss_parse_internal_fqname(mem_ctx, parsed_domain,
+ &mid_name,
+ &real_domain);
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot parse internal name [%s]\n", fq_name);
+ ret = ENOMEM;
+ goto done;
+ }
+
+ real_name = talloc_asprintf(tmp_ctx, "%s@%s", parsed_name,
mid_name);
+
+ if (!real_name) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "failed to format double-qualified name.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (fq_name != NULL && real_domain != NULL) {
+ parsed_domain = real_domain;
+ parsed_name = real_name;
+ }
+ }
+
+ *_domain = talloc_steal(mem_ctx, parsed_domain);
+ *_name = talloc_steal(mem_ctx, parsed_name);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
static errno_t add_v1_user_data(struct sss_domain_info *dom,
BerElement *ber,
struct resp_attrs *attrs)
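Review bot: the return value of the first sss_parse_name() call in ipa_s2n_parse_name() is never checked before `strchr(parsed_domain, '@')`, so a failed parse, or a name whose domain part comes back NULL, dereferences a NULL pointer; add `if (ret != EOK) goto done;` after the call and test `parsed_domain != NULL` in the condition. Two smaller points in the same hunk: a failure of sss_parse_internal_fqname() is reported as ENOMEM instead of the code it returned, and the guard `if (fq_name != NULL && real_domain != NULL)` is always true for fq_name, which looks like it was meant to test mid_name. Finally, parsed_domain/parsed_name and real_domain are allocated on mem_ctx rather than tmp_ctx, so the talloc_steal() calls are no-ops and the intermediate strings discarded in the double-qualified branch stay attached to the caller's context.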
@@ -628,8 +690,9 @@ static errno_t add_v1_user_data(struct
sss_domain_info *dom,
parent_domain = get_domains_head(dom);
for (c = 0, gc = 0; c < attrs->ngroups; c++) {
- ret = sss_parse_name(attrs, dom->names, list[c],
- &domain, &name);
+ ret = ipa_s2n_parse_name(attrs, dom, list[c],
+ &domain, &name);
+
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Cannot parse member %s\n", list[c]);
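Review bot: the blank line added between the ipa_s2n_parse_name() call and its `if (ret != EOK)` check does not match the surrounding style, where the error check follows the call directly; drop it here and at the other two call sites below.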
@@ -675,7 +738,6 @@ done:
ber_memfree(homedir);
ber_memfree(shell);
ber_memvfree((void **) list);
-
return ret;
}
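Review bot: this hunk only removes an unrelated blank line before `return ret;` in add_v1_user_data(); whitespace churn outside the scope of the fix should be left out of the patch.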
@@ -712,8 +774,9 @@ static errno_t add_v1_group_data(BerElement *ber,
}
for (c = 0, mc=0; c < attrs->ngroups; c++) {
- ret = sss_parse_name(attrs, dom->names, list[c],
- &domain, &name);
+ ret = ipa_s2n_parse_name(attrs, dom, list[c],
+ &domain, &name);
+
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Cannot parse member %s\n", list[c]);
@@ -1180,8 +1243,10 @@ static errno_t ipa_s2n_get_list_step(struct
tevent_req *req)
switch (state->req_input.type) {
case REQ_INP_NAME:
- ret = sss_parse_name(state, state->dom->names,
state->list[state->list_idx],
- &domain_name, &short_name);
+ ret = ipa_s2n_parse_name(state, state->dom,
+ state->list[state->list_idx],
+ &domain_name, &short_name);
+
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s'
[%d]: %s\n",
state->list[state->list_idx],
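Review bot: the DEBUG message after this call prints `ret`, which with ipa_s2n_parse_name() will read ENOMEM for any name that sss_parse_internal_fqname() rejects, so a malformed member becomes indistinguishable from memory exhaustion in the log; have the helper propagate the real error code so this message stays meaningful.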
Kind regards,
Justin Stephenson
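As an added example (not Justin's patch and not SSSD code), a parser that resolves the ambiguity shown in the logs above: it splits a fully-qualified name at the rightmost '@' whose suffix is a configured domain, so 'customgroup@testing@ad.jstephen' keeps the '@' in its name part, while 'customgroup@testing' alone is rejected exactly as the server-side "Unknown domain" message reports. The domain table is assumed from the log and the function names are hypothetical:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Domains of the trust setup, taken from the log above (IPA domain first). */
static const char *const known_domains[] = { "idm.jstephen", "ad.jstephen" };

/* Case-insensitive equality, since domain names are not case-sensitive. */
static int str_eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Split fqname into name and domain: every '@' is tried from the right and the
 * first whose suffix is a known domain wins, so customgroup@testing@ad.jstephen
 * keeps "customgroup@testing" as the name. Returns the name length, or -1 when
 * the input has an '@' but no known-domain suffix. If dom_idx is non-NULL it
 * receives the index into known_domains, or -1 for a plain short name. */
int split_fqname(const char *fqname, int *dom_idx)
{
    for (const char *p = fqname + strlen(fqname); p > fqname; ) {
        if (*--p != '@') continue;
        for (size_t i = 0; i < sizeof(known_domains) / sizeof(*known_domains); i++) {
            if (str_eq_nocase(p + 1, known_domains[i])) {
                if (dom_idx) *dom_idx = (int)i;
                return (int)(p - fqname);
            }
        }
    }
    if (strchr(fqname, '@') != NULL) return -1;   /* e.g. "customgroup@testing" */
    if (dom_idx) *dom_idx = -1;                   /* plain short name */
    return (int)strlen(fqname);
}

/* Index of the matching known domain: -1 for a short name, -2 if unknown. */
int fqname_domain_index(const char *fqname)
{
    int idx = -1;
    return split_fqname(fqname, &idx) < 0 ? -2 : idx;
}

int main(void)
{
    const char *in[] = { "customgroup@testing@ad.jstephen", "customgroup@testing" };
    for (int i = 0; i < 2; i++)
        printf("%s -> name length %d, domain index %d\n", in[i],
               split_fqname(in[i], NULL), fqname_domain_index(in[i]));
    return 0;
}
```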
OK to just push converted docs from fedorahosted wiki to the pagure docs repo?
by Jakub Hrozek
Hi,
would anyone complain if I just push converted content from fedorahosted
to the docs repo w/o review as long as there are no changes OR the
changes are just alignment of 1.15 design documents with the actual
implementation?
As 1.15 is making its way to downstreams, there are people interested in
what we've accomplished in this release and we should make sure the
changes are documented.
For totally new content, I think we should at least spot-check the
docs during a review.