Commit a2e743c SDAP: Properly handle group id-collision when renaming incomplete groups

4 files Authored and Committed by fidencio a month ago
SDAP: Properly handle group id-collision when renaming incomplete groups

Resolves:
https://pagure.io/SSSD/sssd/issue/2653

Signed-off-by: Fabiano FidĂȘncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

    
 1 @@ -434,6 +434,7 @@
 2       const char *err;
 3       int dp_error;
 4       int sdap_ret;
 5 +     struct sdap_options *opts;
 6   
 7       size_t num_missing_sids;
 8       char **missing_sids;
 9 @@ -471,6 +472,7 @@
10           return NULL;
11       }
12       state->user_dom = sdom->dom;
13 +     state->opts = id_ctx->opts;
14   
15       /* The following variables are currently unused because no sub-request
16        * returns any of them. But they are needed to allow the same signature as
17 @@ -514,6 +516,7 @@
18           DEBUG(SSSDBG_TRACE_ALL, "Running PAC processing with id-mapping.\n");
19   
20           ret = sdap_ad_save_group_membership_with_idmapping(state->username,
21 +                                                         state->opts,
22                                                           sdom->dom,
23                                                           id_ctx->opts->idmap_ctx,
24                                                           num_sids, group_sids);
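Review bot: The call at the end of the hunk passes `state->opts` and `id_ctx->opts->idmap_ctx` as adjacent arguments right after `state->opts` was assigned from `id_ctx->opts`; reading the idmap context through the stored pointer, `state->opts->idmap_ctx,`, would make it obvious that both arguments describe the same options object and would keep the call correct if `state->opts` is later sourced differently. The new `opts` member in the state struct also carries no comment; `/* provider options, borrowed from id_ctx (not owned by this state) */` would record the ownership that the assignment implies. The enclosing function and the state struct both extend outside the hunk.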
1 @@ -25,6 +25,7 @@
2   #define SDAP_ASYNC_AD_H_
3   
4   errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
5 +                                                struct sdap_options *opts,
6                                                  struct sss_domain_info *user_dom,
7                                                  struct sdap_idmap_ctx *idmap_ctx,
8                                                  size_t num_sids,
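Review bot: The prototype gains `struct sdap_options *opts` without saying what the callee needs from it, and the visible implementation hunk of this function in the last section resolves the id-collision through `idmap_ctx->id_ctx->be->provider` rather than through `opts`, while the other caller of the collision helper in the third section uses `opts->dp`. Either the implementation should use `opts->dp` there for consistency, or the new parameter is unused in that function and the signature change is unnecessary; the function body continues beyond its hunk, so `opts` may be consumed in lines not shown. If `opts->dp` is all that is needed, a comment on the declaration such as `/* opts: provider options; used to reach the data-provider context for id-collision handling */` would document the dependency for callers.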
 1 @@ -225,6 +225,19 @@
 2                   ret = sysdb_add_incomplete_group(domain, groupname, gid,
 3                                                    original_dn, sid_str,
 4                                                    uuid, posix, now);
 5 +                 if (ret == ERR_GID_DUPLICATED) {
 6 +                     /* In case o group id-collision, do:
 7 +                      * - Delete the group from sysdb
 8 +                      * - Add the new incomplete group
 9 +                      * - Notify the NSS responder that the entry has also to be
10 +                      *   removed from the memory cache
11 +                      */
12 +                     ret = sdap_handle_id_collision_for_incomplete_groups(
13 +                                             opts->dp, domain, groupname, gid,
14 +                                             original_dn, sid_str, uuid, posix,
15 +                                             now);
16 +                 }
17 + 
18                   if (ret != EOK) {
19                       goto done;
20                   }
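Review bot: Replacing an existing cached group because its GID collides with the one being added happens silently here; nothing records which group was evicted, even though the collision branch deletes a sysdb entry and asks the NSS responder to drop it from the memory cache, which a later cache or membership inconsistency cannot otherwise be traced back to. A diagnostic before the helper call, `DEBUG(SSSDBG_MINOR_FAILURE, "GID collision for group [%s], replacing the existing cached group\n", groupname);`, would make the substitution visible in the logs; the same applies to the identical branch in the second hunk of the last section. The comment also has a typo, `/* In case of a group id-collision, do:`, in both places. The enclosing function starts outside the hunk, so whether `opts` is a parameter in scope here, and where `sdap_handle_id_collision_for_incomplete_groups` and `ERR_GID_DUPLICATED` are defined, cannot be confirmed from this page.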
 1 @@ -836,6 +836,7 @@
 2   }
 3   
 4   errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
 5 +                                                struct sdap_options *opts,
 6                                                  struct sss_domain_info *user_dom,
 7                                                  struct sdap_idmap_ctx *idmap_ctx,
 8                                                  size_t num_sids,
 9 @@ -921,6 +922,19 @@
10   
11               ret = sysdb_add_incomplete_group(domain, name, gid,
12                                                NULL, sid, NULL, false, now);
13 +             if (ret == ERR_GID_DUPLICATED) {
14 +                 /* In case o group id-collision, do:
15 +                  * - Delete the group from sysdb
16 +                  * - Add the new incomplete group
17 +                  * - Notify the NSS responder that the entry has also to be
18 +                  *   removed from the memory cache
19 +                  */
20 +                 ret = sdap_handle_id_collision_for_incomplete_groups(
21 +                                             idmap_ctx->id_ctx->be->provider,
22 +                                             domain, name, gid, NULL, sid, NULL,
23 +                                             false, now);
24 +             }
25 + 
26               if (ret != EOK) {
27                   DEBUG(SSSDBG_MINOR_FAILURE, "Could not create incomplete "
28                                                "group: [%s]\n", strerror(ret));
29 @@ -992,6 +1006,7 @@
30       }
31   
32       ret = sdap_ad_save_group_membership_with_idmapping(state->username,
33 +                                                        state->opts,
34                                                          state->domain,
35                                                          state->idmap_ctx,
36                                                          num_sids,