From f34ea77a5b87e778ece155485c36e756d5137686 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Jan 08 2013 13:42:56 +0000
Subject: Remote groups do not have an original DN attribute

Groups from subdomains will not have an attribute holding the original DN because in general it will not be available. This attribute is only used by IPA HABC to improve performance and remote groups cannot be used for access control.
---
diff --git a/src/responder/pac/pacsrv_cmd.c b/src/responder/pac/pacsrv_cmd.c
index 16aad5d..49164ab 100644
--- a/src/responder/pac/pacsrv_cmd.c
+++ b/src/responder/pac/pacsrv_cmd.c
@@ -320,18 +320,14 @@ static errno_t pac_user_get_grp_info(TALLOC_CTX *mem_ctx,
         tmp_str = ldb_msg_find_attr_as_string(res->msgs[c + 1], SYSDB_ORIG_DN, NULL);
-        if (tmp_str == NULL) {
-            DEBUG(SSSDBG_OP_FAILURE, ("Missing original DN.\n"));
-            ret = EINVAL;
-            goto done;
-        }
-
-        current_grp_list[c].orig_dn = talloc_strdup(current_grp_list,
-                                                    tmp_str);
-        if (current_grp_list[c].orig_dn == NULL) {
-            DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
-            ret = ENOMEM;
-            goto done;
+        if (tmp_str != NULL) {
+            current_grp_list[c].orig_dn = talloc_strdup(current_grp_list,
+                                                        tmp_str);
+            if (current_grp_list[c].orig_dn == NULL) {
+                DEBUG(SSSDBG_OP_FAILURE, ("talloc_strdup failed.\n"));
+                ret = ENOMEM;
+                goto done;
+            }
         }
         current_grp_list[c].dn = ldb_dn_copy(current_grp_list,
@@ -523,11 +519,13 @@ pac_save_memberships_delete(struct pac_save_memberships_state *state)
             goto done;
         }
-        ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
-                                     pr_ctx->del_grp_list[c]->orig_dn);
-        if (ret != EOK) {
-            DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_string failed.\n"));
-            goto done;
+        if (pr_ctx->del_grp_list[c]->orig_dn != NULL) {
+            ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
+                                         pr_ctx->del_grp_list[c]->orig_dn);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_string failed.\n"));
+                goto done;
+            }
         }
     }
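Review bot: With the `if (tmp_str == NULL)` error path removed, `current_grp_list[c].orig_dn` is never assigned when a group carries no original DN, so the `orig_dn != NULL` test that pac_save_memberships_delete now performs on `del_grp_list[c]` only works if the array was zero-initialised at allocation. That allocation is above this hunk, so it cannot be confirmed here; if it is a plain talloc_array rather than talloc_zero_array the later check reads an indeterminate pointer. An explicit else branch removes the dependency on the allocator: `} else { current_grp_list[c].orig_dn = NULL; }`. pac_user_get_grp_info starts and ends outside the hunk.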
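Review bot: The new `orig_dn != NULL` guard silently skips the SYSDB_ORIG_MEMBEROF attribute, but nothing in the code says why a missing original DN is legitimate here, and the next reader will take it for an unhandled error; a one-line comment above the guard would fix that, e.g. `/* Groups from subdomains have no original DN; SYSDB_ORIG_MEMBEROF is only used by IPA HBAC. */`. When every entry in del_grp_list lacks an orig_dn, user_attrs leaves this loop with nothing added; what the function then does with an empty attribute set is outside the hunk and is worth checking. pac_save_memberships_delete's body begins before and continues after the hunk.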
@@ -692,31 +690,27 @@ pac_store_membership(struct pac_req_ctx *pr_ctx,
     }
     orig_group_dn = ldb_msg_find_attr_as_string(group, SYSDB_ORIG_DN, NULL);
-    if (orig_group_dn == NULL) {
-        DEBUG(SSSDBG_OP_FAILURE, ("Original DN not found.\n"));
-        ret = EINVAL;
-        goto done;
-    }
-
-    user_attrs = sysdb_new_attrs(tmp_ctx);
-    if (user_attrs == NULL) {
-        DEBUG(SSSDBG_OP_FAILURE, ("sysdb_new_attrs failed.\n"));
-        ret = ENOMEM;
-        goto done;
-    }
+    if (orig_group_dn != NULL) {
+        user_attrs = sysdb_new_attrs(tmp_ctx);
+        if (user_attrs == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE, ("sysdb_new_attrs failed.\n"));
+            ret = ENOMEM;
+            goto done;
+        }
-    ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
-                                 orig_group_dn);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_string failed.\n"));
-        goto done;
-    }
+        ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
+                                     orig_group_dn);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_add_string failed.\n"));
+            goto done;
+        }
-    ret = sysdb_set_entry_attr(pr_ctx->dom->sysdb, user_dn, user_attrs,
-                               LDB_FLAG_MOD_ADD);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_OP_FAILURE, ("sysdb_set_entry_attr failed.\n"));
-        goto done;
+        ret = sysdb_set_entry_attr(pr_ctx->dom->sysdb, user_dn, user_attrs,
+                                   LDB_FLAG_MOD_ADD);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, ("sysdb_set_entry_attr failed.\n"));
+            goto done;
+        }
     }
 done:
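Review bot: When orig_group_dn is NULL the whole new block is skipped and control falls through to `done:` with whatever `ret` held before the SYSDB_ORIG_DN lookup; the statement that last set it is above the hunk, so the success of this path now depends on that earlier call having left `ret == EOK`. Setting it explicitly keeps the skipped path independent of what precedes it: add `ret = EOK;` directly after the closing brace of the `if (orig_group_dn != NULL)` block, before `done:`. pac_store_membership begins before the hunk and its cleanup after `done:` is not shown.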