From f1c5ded4457717cd516b676dfe7a6d315a7ce70b Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 27 Jul 2016 10:30:21 +0200
Subject: [PATCH] SYSDB: Check changed virtual attributes before modified
 timestamp

Virtual attributes are computed and not stored therefore
"modifyTimestamp" is not changed for the user. As a result of this,
sssd assumes that entry was not changed and update just entries
in timestamp cache.

Enabling and disabling user in 389ds changes the virtual attribute
nsAccountLock.

Resolves:
https://fedorahosted.org/sssd/ticket/3110
---
 src/db/sysdb_ops.c | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 19d6be03ede1bcec3bc7a4ed777e326460d80591..6a61e84d60ce174f0f65ed8472b123853baf8499 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1101,12 +1101,46 @@ done:
     return ret;
 }
 
+static bool changed_virtual_attribute(struct sysdb_attrs *attrs,
+                                      char **remove_attrs)
+{
+    errno_t ret;
+    const char *value;
+    const char *virtual_attributes[] = { "nsAccountLock", NULL };
+
+    /* check removed virtual attributes */
+    if (remove_attrs != NULL) {
+        for (size_t i = 0; virtual_attributes[i] != NULL; ++i) {
+            if (string_in_list(virtual_attributes[i], remove_attrs, false)) {
+                return true;
+            }
+        }
+    }
+
+    /* check added virtual attributes */
+    if (attrs != NULL) {
+        for (size_t i = 0; virtual_attributes[i] != NULL; ++i) {
+            ret = sysdb_attrs_get_string(attrs, virtual_attributes[i], &value);
+            if (ret == EOK) {
+                return true;
+            }
+        }
+    }
+
+    return false;
+}
+
 static errno_t sysdb_check_and_update_ts_usr(struct sss_domain_info *domain,
                                              const char *grp_name,
                                              struct sysdb_attrs *attrs,
+                                             char **remove_attrs,
                                              uint64_t cache_timeout,
                                              time_t now)
 {
+    if (changed_virtual_attribute(attrs, remove_attrs)) {
+        return EEXIST;
+    }
+
     return sysdb_check_and_update_ts_obj(domain, SYSDB_USER, grp_name,
                                          attrs, cache_timeout, now);
 }
@@ -2465,7 +2499,7 @@ int sysdb_store_user(struct sss_domain_info *domain,
     errno_t sret = EOK;
     bool in_transaction = false;
 
-    ret = sysdb_check_and_update_ts_usr(domain, name, attrs,
+    ret = sysdb_check_and_update_ts_usr(domain, name, attrs, remove_attrs,
                                         cache_timeout, now);
     if (ret == EOK) {
         DEBUG(SSSDBG_TRACE_LIBS,
-- 
2.7.4