[sssd] Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication
Stephen Gallagher
sgallagh at fedoraproject.org
Thu Mar 17 15:47:38 UTC 2011
commit f6c362454d26a02e46160e131b29392ba17d604a
Author: Stephen Gallagher <sgallagh at redhat.com>
Date: Thu Mar 17 11:47:25 2011 -0400
Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication
...stence-of-GID-number-and-name-in-group-se.patch | 150 ++++++++++++++++++++
...stence-of-username-uid-and-gid-for-user-e.patch | 55 +++++++
sssd.spec | 10 ++-
3 files changed, 214 insertions(+), 1 deletions(-)
---
diff --git a/0001-Require-existence-of-GID-number-and-name-in-group-se.patch b/0001-Require-existence-of-GID-number-and-name-in-group-se.patch
new file mode 100644
index 0000000..d06bc39
--- /dev/null
+++ b/0001-Require-existence-of-GID-number-and-name-in-group-se.patch
@@ -0,0 +1,150 @@
+From 2c97299c19a71aa41eef3f3155c24347cf392615 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh at redhat.com>
+Date: Fri, 11 Mar 2011 05:06:48 -0500
+Subject: [PATCH 1/2] Require existence of GID number and name in group searches
+
+https://fedorahosted.org/sssd/ticket/824
+---
+ src/providers/ldap/ldap_id.c | 9 ++++++---
+ src/providers/ldap/ldap_id_enum.c | 28 ++++++++++++++++------------
+ src/providers/ldap/sdap_async_accounts.c | 30 ++++++++++++++++++++----------
+ 3 files changed, 42 insertions(+), 25 deletions(-)
+
+diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
+index 9a234280082f7396eda4307e9e4bb4bd63b5615c..776df1ac2d9e983a792fbba0f6773c082898708d 100644
+--- a/src/providers/ldap/ldap_id.c
++++ b/src/providers/ldap/ldap_id.c
+@@ -335,9 +335,12 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
+ goto fail;
+ }
+
+- state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
+- attr_name, clean_name,
+- ctx->opts->group_map[SDAP_OC_GROUP].name);
++ state->filter =
++ talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
++ attr_name, clean_name,
++ ctx->opts->group_map[SDAP_OC_GROUP].name,
++ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
++ ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
+ if (!state->filter) {
+ DEBUG(2, ("Failed to build filter\n"));
+ ret = ENOMEM;
+diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c
+index f47ee9fbe170bae0058a682a3a051df21cfbc0d6..42c2911926602bfc2e3a33a0af837d6e809ee68b 100644
+--- a/src/providers/ldap/ldap_id_enum.c
++++ b/src/providers/ldap/ldap_id_enum.c
+@@ -546,19 +546,23 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
+ state->op = op;
+
+ if (ctx->srv_opts && ctx->srv_opts->max_group_value && !purge) {
+- state->filter = talloc_asprintf(state,
+- "(&(%s=*)(objectclass=%s)(%s>=%s)(!(%s=%s)))",
+- ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
+- ctx->opts->group_map[SDAP_OC_GROUP].name,
+- ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
+- ctx->srv_opts->max_group_value,
+- ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
+- ctx->srv_opts->max_group_value);
++ state->filter = talloc_asprintf(
++ state,
++ "(&(objectclass=%s)(%s=*)(%s=*)(%s>=%s)(!(%s=%s)))",
++ ctx->opts->group_map[SDAP_OC_GROUP].name,
++ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
++ ctx->opts->group_map[SDAP_AT_GROUP_GID].name,
++ ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
++ ctx->srv_opts->max_group_value,
++ ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
++ ctx->srv_opts->max_group_value);
+ } else {
+- state->filter = talloc_asprintf(state,
+- "(&(%s=*)(objectclass=%s))",
+- ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
+- ctx->opts->group_map[SDAP_OC_GROUP].name);
++ state->filter = talloc_asprintf(
++ state,
++ "(&(objectclass=%s)(%s=*)(%s=*))",
++ ctx->opts->group_map[SDAP_OC_GROUP].name,
++ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
++ ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
+ }
+ if (!state->filter) {
+ DEBUG(2, ("Failed to build filter\n"));
+diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c
+index 8e459598674d589c0cdfcece125c183f7c95bb4d..3fedf07da7fbdc9409f5360ba8301158a65014cd 100644
+--- a/src/providers/ldap/sdap_async_accounts.c
++++ b/src/providers/ldap/sdap_async_accounts.c
+@@ -2007,10 +2007,12 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
+ return NULL;
+ }
+
+- filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
++ filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
+ opts->group_map[SDAP_AT_GROUP_MEMBER].name,
+ clean_name,
+- opts->group_map[SDAP_OC_GROUP].name);
++ opts->group_map[SDAP_OC_GROUP].name,
++ opts->group_map[SDAP_AT_GROUP_NAME].name,
++ opts->group_map[SDAP_AT_GROUP_GID].name);
+ if (!filter) {
+ talloc_zfree(req);
+ return NULL;
+@@ -2211,8 +2213,10 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
+ return NULL;
+ }
+
+- state->filter = talloc_asprintf(state, "(objectclass=%s)",
+- opts->group_map[SDAP_OC_GROUP].name);
++ state->filter = talloc_asprintf(state, "(&(objectclass=%s)(%s=*)(%s=*))",
++ opts->group_map[SDAP_OC_GROUP].name,
++ opts->group_map[SDAP_AT_GROUP_NAME].name,
++ opts->group_map[SDAP_AT_GROUP_GID].name);
+ if (!state->filter) {
+ talloc_zfree(req);
+ return NULL;
+@@ -3103,8 +3107,10 @@ static errno_t sdap_nested_group_lookup_group(struct tevent_req *req)
+ }
+
+ filter = talloc_asprintf(
+- sdap_attrs, "(objectclass=%s)",
+- state->opts->group_map[SDAP_OC_GROUP].name);
++ sdap_attrs, "(&(objectclass=%s)(%s=*)(%s=*))",
++ state->opts->group_map[SDAP_OC_GROUP].name,
++ state->opts->group_map[SDAP_AT_GROUP_NAME].name,
++ state->opts->group_map[SDAP_AT_GROUP_GID].name);
+ if (!filter) {
+ talloc_free(sdap_attrs);
+ return ENOMEM;
+@@ -3435,10 +3441,12 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
+ return NULL;
+ }
+
+- filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
++ filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
+ opts->group_map[SDAP_AT_GROUP_MEMBER].name,
+ clean_orig_dn,
+- opts->group_map[SDAP_OC_GROUP].name);
++ opts->group_map[SDAP_OC_GROUP].name,
++ opts->group_map[SDAP_AT_GROUP_NAME].name,
++ opts->group_map[SDAP_AT_GROUP_GID].name);
+ if (!filter) {
+ talloc_zfree(req);
+ return NULL;
+@@ -3839,10 +3847,12 @@ static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req)
+ }
+
+ filter = talloc_asprintf(
+- tmp_ctx, "(&(%s=%s)(objectclass=%s))",
++ tmp_ctx, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
+ state->opts->group_map[SDAP_AT_GROUP_MEMBER].name,
+ clean_orig_dn,
+- state->opts->group_map[SDAP_OC_GROUP].name);
++ state->opts->group_map[SDAP_OC_GROUP].name,
++ state->opts->group_map[SDAP_AT_GROUP_NAME].name,
++ state->opts->group_map[SDAP_AT_GROUP_GID].name);
+ if (!filter) {
+ ret = ENOMEM;
+ goto error;
+--
+1.7.4
+
diff --git a/0002-Require-existence-of-username-uid-and-gid-for-user-e.patch b/0002-Require-existence-of-username-uid-and-gid-for-user-e.patch
new file mode 100644
index 0000000..fb0a554
--- /dev/null
+++ b/0002-Require-existence-of-username-uid-and-gid-for-user-e.patch
@@ -0,0 +1,55 @@
+From c6f9fcdbf62d616f9fc89b7695aa48fa4c8ebd80 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh at redhat.com>
+Date: Mon, 14 Mar 2011 09:56:22 -0400
+Subject: [PATCH 2/2] Require existence of username, uid and gid for user enumeration
+
+We will ignore users that do not have these three values.
+---
+ src/providers/ldap/ldap_id_enum.c | 30 ++++++++++++++++++------------
+ 1 files changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c
+index 42c2911926602bfc2e3a33a0af837d6e809ee68b..6899b87c08b46c3c2b61fcd975ab14a4118cc918 100644
+--- a/src/providers/ldap/ldap_id_enum.c
++++ b/src/providers/ldap/ldap_id_enum.c
+@@ -441,19 +441,25 @@ static struct tevent_req *enum_users_send(TALLOC_CTX *memctx,
+ state->op = op;
+
+ if (ctx->srv_opts && ctx->srv_opts->max_user_value && !purge) {
+- state->filter = talloc_asprintf(state,
+- "(&(%s=*)(objectclass=%s)(%s>=%s)(!(%s=%s)))",
+- ctx->opts->user_map[SDAP_AT_USER_NAME].name,
+- ctx->opts->user_map[SDAP_OC_USER].name,
+- ctx->opts->user_map[SDAP_AT_USER_USN].name,
+- ctx->srv_opts->max_user_value,
+- ctx->opts->user_map[SDAP_AT_USER_USN].name,
+- ctx->srv_opts->max_user_value);
++ state->filter = talloc_asprintf(
++ state,
++ "(&(objectclass=%s)(%s=*)(%s=*)(%s=*)(%s>=%s)(!(%s=%s)))",
++ ctx->opts->user_map[SDAP_OC_USER].name,
++ ctx->opts->user_map[SDAP_AT_USER_NAME].name,
++ ctx->opts->user_map[SDAP_AT_USER_UID].name,
++ ctx->opts->user_map[SDAP_AT_USER_GID].name,
++ ctx->opts->user_map[SDAP_AT_USER_USN].name,
++ ctx->srv_opts->max_user_value,
++ ctx->opts->user_map[SDAP_AT_USER_USN].name,
++ ctx->srv_opts->max_user_value);
+ } else {
+- state->filter = talloc_asprintf(state,
+- "(&(%s=*)(objectclass=%s))",
+- ctx->opts->user_map[SDAP_AT_USER_NAME].name,
+- ctx->opts->user_map[SDAP_OC_USER].name);
++ state->filter = talloc_asprintf(
++ state,
++ "(&(objectclass=%s)(%s=*)(%s=*)(%s=*))",
++ ctx->opts->user_map[SDAP_OC_USER].name,
++ ctx->opts->user_map[SDAP_AT_USER_NAME].name,
++ ctx->opts->user_map[SDAP_AT_USER_UID].name,
++ ctx->opts->user_map[SDAP_AT_USER_GID].name);
+ }
+ if (!state->filter) {
+ DEBUG(2, ("Failed to build filter\n"));
+--
+1.7.4
+
diff --git a/sssd.spec b/sssd.spec
index 799ddee..9d8c9dd 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -5,7 +5,7 @@
Name: sssd
Version: 1.5.3
-Release: 1%{?dist}
+Release: 2%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -14,6 +14,8 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
+Patch0001: 0001-Require-existence-of-GID-number-and-name-in-group-se.patch
+Patch0002: 0002-Require-existence-of-username-uid-and-gid-for-user-e.patch
### Dependencies ###
@@ -110,6 +112,9 @@ use with ldap_default_authtok_type = obfuscated_password.
%prep
%setup -q
+%patch0001 -p1
+%patch0002 -p1
+
%build
autoreconf -ivf
%configure \
@@ -269,6 +274,9 @@ fi
%postun client -p /sbin/ldconfig
%changelog
+* Thu Mar 17 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.3-2
+- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication
+
* Fri Mar 11 2011 Stephen Gallagher <sgallagh at redhat.com> - 1.5.3-1
- New upstream release 1.5.3
- Support for libldb >= 1.0.0
More information about the scm-commits
mailing list