On Thu, Sep 26, 2013 at 07:24:03PM +0200, Jakub Hrozek wrote:
> On Thu, Sep 26, 2013 at 11:22:06AM +0200, Sumit Bose wrote:
> > Hi,
> >
> > the first two attached patches should fix
> > https://fedorahosted.org/sssd/ticket/2093 and make
> > https://fedorahosted.org/sssd/ticket/2080 invalid. The third fixes a wrong
> > return code in one of the functions I touched in the other patches.
> >
> > bye,
> > Sumit
>
> > + if (!ldb_dn_validate(dn)) {
> > + DEBUG(SSSDBG_OP_FAILURE, ("Original DN [%s] is not a valid
DN.\n",
> > + orig_dn));
> > + ret = EINVAL;
> > + goto done;
> > + }
> > +
> > + if (ldb_dn_get_comp_num(dn) < 5) {
> > + /* we are only interested in the member domain objects */
> > + ret = EOK;
> > + goto done;
> > + }
> > +
> > + val = ldb_dn_get_component_val(dn, 3);
> > + if (strncasecmp("trusts", (const char *) val->data,
val->length) != 0) {
> > + DEBUG(SSSDBG_TRACE_FUNC,
> > + ("4th component is not 'trust', nothing to
do.\n"));
> > + ret = EOK;
> > + goto done;
> > + }
> > +
> > + val = ldb_dn_get_component_val(dn, 2);
> > + if (strncasecmp("ad", (const char *) val->data,
val->length) != 0) {
> > + DEBUG(SSSDBG_TRACE_FUNC,
> > + ("3rd component is not 'ad', nothing to
do.\n"));
> > + ret = EOK;
> > + goto done;
> > + }
> > +
> > + val = ldb_dn_get_component_val(dn, 1);
> > + forest = talloc_strndup(mem_ctx, (const char *) val->data,
val->length);
> > + if (forest == NULL) {
> > + DEBUG(SSSDBG_OP_FAILURE, ("talloc_strndup failed.\n"));
> > + ret = ENOMEM;
> > + goto done;
> > + }
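
Review bot: the two strncasecmp() checks on components 3 and 2 bound the comparison by val->length, so they only test that the component value is a case-insensitive prefix of "trusts" or "ad". A value such as "trust" or "a", or an empty value, compares equal and is treated as a match. Require the lengths to agree as well, for example check val->length == strlen("trusts") before calling strncasecmp, and likewise for "ad". The first trace message also says 'trust' while the code compares against "trusts", and adding orig_dn to the two "nothing to do" messages would show which DN was skipped.
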
>
> I think there is an off-by-one error here. In my setup, the original DN
> is:
>
> cn=AD.EXAMPLE.COM,cn=ad,cn=trusts,dc=ipatest,dc=example,dc=com
>
> But "val = ldb_dn_get_component_val(dn, 3);" is "ipatest" in my case, so
> the strcmp never matches. So I think the indexes should say "2, 1, 0".
>
> It would also be nice to print the original DN in a DEBUG message.

ah, sorry, I should have said that Alexander's latest FreeIPA patches
are needed here. They will store the member domains below the forest
root object, e.g.

cn=member.dom,cn=AD.EXAMPLE.COM,cn=ad,cn=trusts,dc=ipatest,dc=example,dc=com

For those domains the patch will set the forest name which in this case
is AD.EXAMPLE.COM.

bye,
Sumit

Ah, then the code is fine.

ACK.

But it should be noted that I only tested that the file is generated and
contains the [capaths] section, not any actual functionality it brings.