sdap: add naming_context as new member of struct sdap_domain
The naming_context could be a more reliable source than basedn for the
actual base DN because basedn is set very early from the domain name
given in sssd.conf. Although it is recommended to use the fully
qualified DNS domain name here it is not required. As a result basedn
might not reflect the actual base DN of the LDAP server. Also pure LDAP
server (i.e. not AD or FreeIPA) might use different schemes to set the
base DN which will not be based on the DNS domain of the LDAP server.

Resolves: SSSD#5708

Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit a153f13)
sumit-bose authored and etrunko committed Feb 26, 2024
1 parent fe230b5 commit 25e9a43
Showing 3 changed files with 28 additions and 25 deletions.
6 changes: 4 additions & 2 deletions src/providers/ad/ad_gpo.c
Expand Up @@ -2105,8 +2105,10 @@ ad_gpo_connect_done(struct tevent_req *subreq)
goto done;
}

ret = common_parse_search_base(state, sdom->basedn, state->ldb_ctx,
"AD_HOSTS", NULL, &search_bases);
ret = common_parse_search_base(state,
sdom->naming_context == NULL ? sdom->basedn
: sdom->naming_context,
state->ldb_ctx, "AD_HOSTS", NULL, &search_bases);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Failed to create dedicated search base for host lookups, "
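Review bot: The new argument expression in the common_parse_search_base() call silently falls back to sdom->basedn when naming_context is NULL, but nothing at the call site says why the two differ or which one is authoritative; a short comment would save the next reader a trip to sdap.h, e.g. `/* Prefer the server-reported naming context; basedn is derived from the configured domain name and may not match the real base DN. */`. The same `naming_context == NULL ? basedn : naming_context` selection will presumably be wanted wherever basedn serves as a default search base, so a small accessor on struct sdap_domain would keep the precedence rule in one place rather than repeating the ternary per caller. Note that naming_context comes from the server's rootDSE, so the search base now depends on server-supplied data rather than only on local configuration; the NULL fallback preserves the old behavior when the rootDSE does not provide it. ad_gpo_connect_done() starts and ends outside the hunk.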
36 changes: 13 additions & 23 deletions src/providers/ldap/sdap.c
Expand Up @@ -1257,19 +1257,10 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
struct sdap_domain *sdom)
{
int ret;
char *naming_context = NULL;

if (!sdom->search_bases
|| !sdom->user_search_bases
|| !sdom->group_search_bases
|| !sdom->netgroup_search_bases
|| !sdom->host_search_bases
|| !sdom->sudo_search_bases
|| !sdom->iphost_search_bases
|| !sdom->ipnetwork_search_bases
|| !sdom->autofs_search_bases) {
naming_context = get_naming_context(opts->basic, rootdse);
if (naming_context == NULL) {
if (!sdom->naming_context) {
sdom->naming_context = get_naming_context(sdom, rootdse);
if (sdom->naming_context == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "get_naming_context failed.\n");

/* This has to be non-fatal, since some servers offer
Expand All @@ -1285,86 +1276,85 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
if (!sdom->search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_SEARCH_BASE,
naming_context);
sdom->naming_context);
if (ret != EOK) goto done;
}

/* Users */
if (!sdom->user_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_USER_SEARCH_BASE,
naming_context);
sdom->naming_context);
if (ret != EOK) goto done;
}

/* Groups */
if (!sdom->group_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_GROUP_SEARCH_BASE,
naming_context);
sdom->naming_context);
if (ret != EOK) goto done;
}

/* Netgroups */
if (!sdom->netgroup_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_NETGROUP_SEARCH_BASE,
naming_context);
sdom->naming_context);
if (ret != EOK) goto done;
}

/* Hosts */
if (!sdom->host_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_HOST_SEARCH_BASE,
naming_context);
sdom->naming_context);
if (ret != EOK) goto done;
}

/* Sudo */
if (!sdom->sudo_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_SUDO_SEARCH_BASE,
naming_context);
sdom->naming_context);
if (ret != EOK) goto done;
}

/* Services */
if (!sdom->service_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_SERVICE_SEARCH_BASE,
naming_context);
sdom->naming_context);
if (ret != EOK) goto done;
}

/* autofs */
if (!sdom->autofs_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_AUTOFS_SEARCH_BASE,
naming_context);
sdom->naming_context);
if (ret != EOK) goto done;
}

/* IP host */
if (!sdom->iphost_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_IPHOST_SEARCH_BASE,
naming_context);
sdom->naming_context);
if (ret != EOK) goto done;
}

/* IP network */
if (!sdom->ipnetwork_search_bases) {
ret = sdap_set_search_base(opts, sdom,
SDAP_IPNETWORK_SEARCH_BASE,
naming_context);
sdom->naming_context);
if (ret != EOK) goto done;
}

ret = EOK;

done:
talloc_free(naming_context);
return ret;
}
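Review bot: In the first hunk, `if (!sdom->naming_context)` makes the rootDSE lookup run only once per sdap_domain: if sdap_set_config_options_with_rootdse() is reached again with a fresh rootdse — presumably after reconnecting to a different server, which I cannot confirm from the visible lines — the previously stored naming context is kept and never compared against the new rootDSE. If resolving it once is intended, say so next to the check, e.g. `/* Resolved once per sdap_domain; not refreshed when a new rootDSE is read. */`; otherwise free the old value and re-resolve whenever a new rootdse is supplied. The ownership change itself looks consistent: get_naming_context() is now called with sdom rather than opts->basic as the allocation context, so dropping `talloc_free(naming_context)` in the second hunk is correct and the string lives as long as sdom. The function body between the two hunks is not visible here.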

11 changes: 11 additions & 0 deletions src/providers/ldap/sdap.h
Expand Up @@ -448,6 +448,17 @@ struct sdap_domain {

char *basedn;

/* The naming_context could be a more reliable source than basedn for the
* actual base DN because basedn is set very early from the domain name
* given in sssd.conf. Although it is recommended to use the fully
* qualified DNS domain name here it is not required. As a result basedn
* might not reflect the actual based DN of the LDAP server. Also pure
* LDAP server (i.e. not AD or FreeIPA) might use different schemes to set
* the base DN which will not be based on the DNS domain of the LDAP
* server. naming_context might be NULL even after connection to an LDAP
* server. */
char *naming_context;

struct sdap_search_base **search_bases;
struct sdap_search_base **user_search_bases;
struct sdap_search_base **group_search_bases;
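Review bot: The new member comment has a typo, `actual based DN` should read `actual base DN`, and it explains why the field exists but not who owns or populates it, so a reader of the header cannot tell whether the value may be freed or replaced. I would append one sentence, e.g. `Filled from the rootDSE by sdap_set_config_options_with_rootdse() and allocated on the sdap_domain; callers must handle NULL and fall back to basedn.`, which matches how sdap.c and ad_gpo.c use it in this commit (the allocation context is inferred from get_naming_context() being called with sdom). The struct sdap_domain definition starts and ends outside the hunk.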
