caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose IPA Identity Backend Module for sub-domains - evaluate external group
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose Sumit Bose <sbose@redhat.com>
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose Copyright (C) 2013 Red Hat
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose This program is free software; you can redistribute it and/or modify
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose it under the terms of the GNU General Public License as published by
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose the Free Software Foundation; either version 3 of the License, or
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose (at your option) any later version.
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose This program is distributed in the hope that it will be useful,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose but WITHOUT ANY WARRANTY; without even the implied warranty of
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose GNU General Public License for more details.
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose You should have received a copy of the GNU General Public License
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose along with this program. If not, see <http://www.gnu.org/licenses/>.
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose#define IPA_EXT_GROUPS_FILTER "objectClass=ipaexternalgroup"
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic errno_t process_ext_groups(TALLOC_CTX *mem_ctx, size_t reply_count,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose ret = sss_hash_create(mem_ctx, reply_count, &ext_group_hash);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sss_hash_create failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose for (g = 0; g < reply_count; g++) {
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose ret = sysdb_attrs_get_string_array(reply[g], "ipaExternalMember",
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose /* no external members, try next external group. */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "sysdb_attrs_get_string_array failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose ret = sysdb_attrs_get_string_array(reply[g], "memberOf",
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose /* no IPA groups, try next external group. */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "sysdb_attrs_get_string_array failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose /* hash_lookup does not modify key.str. */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Unexpected value type.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose /* hash_enter does not modify m_key.str. */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_ALL, "Adding group [%s] to SID [%s].\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose ret = sss_hash_create(ext_group_hash, 5, &m_hash);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sss_hash_create failed.\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Adding SID [%s] to external group hash.\n", key.str);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose /* hash_enter does not modify m_key.str. */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_ALL, "Adding group [%s] to SID [%s].\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed.\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "hash_lookup failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic errno_t find_ipa_ext_memberships(TALLOC_CTX *mem_ctx,
b3292840ebaa747a9fd596ff47cc5d18198361d0Michal Zidek ret = sysdb_initgroups(tmp_ctx, user_dom, user_name, &result);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sysdb_initgroups failed.\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "User [%s] not found in cache.\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sss_hash_create failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose /* The IPA external domains can have references to group and user SIDs.
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose * This means that we not only want to look up the group SIDs but the SID
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose * of the user (first element of result) as well. */
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose sid = ldb_msg_find_attr_as_string(result->msgs[c], SYSDB_SID_STR,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "Group [%s] does not have a SID.\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov ldb_dn_get_linearized(result->msgs[c]->dn));
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_ALL, "SID [%s] not found in ext group hash.\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "new_hash_iter_context failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose ret = hash_enter(group_hash, &entry->key, &entry->value);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Failed to add group [%s].\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "hash_lookup failed for SID [%s].\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "No external groupmemberships found.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose groups = talloc_zero_array(mem_ctx, char *, g_count + 1);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "new_hash_iter_context failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose groups[c] = talloc_strdup(groups, entry->key.str);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose user_dn = ldb_dn_copy(mem_ctx, result->msgs[0]->dn);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
59db26782d052ddbec633279d08e8627ca57fd41Fabiano Fidêncio ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, groups[c],
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_ALL, "Group [%s] not in the cache.\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose/* TODO? Do we have to remove members as well? I think not, because the
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose * preceding AD query already removes all memberships. */
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fbMichal Zidek ret = sysdb_mod_group_member(group_dom, user_dn, msgs[0]->dn,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sysdb_mod_group_member failed.\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose ret = sysdb_set_entry_attr(user_dom->sysdb, user_dn, user_attrs,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose /* mark group as already processed */
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic struct tevent_req *ipa_add_ad_memberships_send(TALLOC_CTX *mem_ctx,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic void ipa_add_ad_memberships_done(struct tevent_req *subreq);
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq);
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic void ipa_get_ext_groups_done(struct tevent_req *subreq);
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic errno_t ipa_add_ext_groups_step(struct tevent_req *req);
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic errno_t ipa_add_ad_memberships_recv(struct tevent_req *req,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestruct tevent_req *ipa_get_ad_memberships_send(TALLOC_CTX *mem_ctx,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose const char *domain)
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose req = tevent_req_create(mem_ctx, &state, struct get_ad_membership_state);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n");
63748c69a2c6785d949c82f94749704e0408e5a7Sumit Bose if (((ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_INITGROUPS
63748c69a2c6785d949c82f94749704e0408e5a7Sumit Bose && (ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_USER)
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Unsupported request type.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose state->user_name = talloc_strdup(state, ar->filter_value);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "talloc_Strdup failed.\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose server_mode->ext_groups = talloc_zero(server_mode,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose if (server_mode->ext_groups->next_update > time(NULL)) {
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "External group information still valid.\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "ipa_add_ext_groups_step failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed: %d(%s).\n",
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose tevent_req_set_callback(subreq, ipa_get_ad_memberships_connect_done, req);
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq)
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose struct tevent_req *req = tevent_req_callback_data(subreq,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose struct get_ad_membership_state *state = tevent_req_data(req,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose ret = sdap_id_op_connect_recv(subreq, &state->dp_error);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "No IPA server is available, going offline\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Failed to connect to IPA server: [%d](%s)\n",
337dd8a87cd774ac20d15c16ec3d9a6c4d2defc7Jakub Hrozek subreq = sdap_search_bases_send(state, state->ev, state->sdap_id_ctx->opts,
337dd8a87cd774ac20d15c16ec3d9a6c4d2defc7Jakub Hrozek state->sdap_id_ctx->opts->sdom->group_search_bases,
337dd8a87cd774ac20d15c16ec3d9a6c4d2defc7Jakub Hrozek dp_opt_get_int(state->sdap_id_ctx->opts->basic,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose tevent_req_set_callback(subreq, ipa_get_ext_groups_done, req);
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic void ipa_get_ext_groups_done(struct tevent_req *subreq)
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose struct tevent_req *req = tevent_req_callback_data(subreq,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose struct get_ad_membership_state *state = tevent_req_data(req,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ext_groups request failed.\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "[%zu] external groups found.\n",
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose ret = process_ext_groups(state->server_mode->ext_groups,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose state->reply_count, state->reply, &ext_group_hash);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "process_ext_groups failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose state->server_mode->ext_groups->ext_groups = ext_group_hash;
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose /* Do we have to make the update timeout configurable? */
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose state->server_mode->ext_groups->next_update = time(NULL) + 10;
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "ipa_add_ext_groups_step failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic errno_t ipa_add_ext_groups_step(struct tevent_req *req)
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose struct get_ad_membership_state *state = tevent_req_data(req,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose ret = find_ipa_ext_memberships(state, state->user_name, state->user_dom,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "find_ipa_ext_memberships failed.\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_ALL, "No external groups memberships found.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose subreq = ipa_add_ad_memberships_send(state, state->ev, state->sdap_id_ctx,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "ipa_add_ad_memberships_send failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose tevent_req_set_callback(subreq, ipa_add_ad_memberships_done, req);
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic void ipa_add_ad_memberships_done(struct tevent_req *subreq)
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose struct tevent_req *req = tevent_req_callback_data(subreq,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose struct get_ad_membership_state *state = tevent_req_data(req,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose ret = ipa_add_ad_memberships_recv(subreq, &state->dp_error);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "ipa_add_ad_memberships request failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Boseerrno_t ipa_get_ad_memberships_recv(struct tevent_req *req, int *dp_error_out)
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose struct get_ad_membership_state *state = tevent_req_data(req,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic void ipa_add_ad_memberships_connect_done(struct tevent_req *subreq);
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic void ipa_add_ad_memberships_get_next(struct tevent_req *req);
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic void ipa_add_ad_memberships_get_group_done(struct tevent_req *subreq);
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic struct tevent_req *ipa_add_ad_memberships_send(TALLOC_CTX *mem_ctx,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose req = tevent_req_create(mem_ctx, &state, struct add_ad_membership_state);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose state->group_sdom = sdap_domain_get(sdap_id_ctx->opts, group_dom);
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose ret = add_ad_user_to_cached_groups(user_dn, user_dom, group_dom, groups,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "add_ad_user_to_cached_groups failed.\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_ALL, "All groups found in cache.\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed: %d(%s).\n",
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose tevent_req_set_callback(subreq, ipa_add_ad_memberships_connect_done, req);
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic void ipa_add_ad_memberships_connect_done(struct tevent_req *subreq)
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose struct tevent_req *req = tevent_req_callback_data(subreq,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose struct add_ad_membership_state *state = tevent_req_data(req,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose ret = sdap_id_op_connect_recv(subreq, &state->dp_error);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "No IPA server is available, going offline\n");
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Failed to connect to IPA server: [%d](%s)\n",
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic void ipa_add_ad_memberships_get_next(struct tevent_req *req)
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose struct add_ad_membership_state *state = tevent_req_data(req,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose ret = add_ad_user_to_cached_groups(state->user_dn, state->user_dom,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "add_ad_user_to_cached_groups failed.\n");
b07a3b729892d2bc2ffa73d93de95e19003cc6c8Pavel Reichl DEBUG(SSSDBG_CRIT_FAILURE, "There are unresolved external group "
b07a3b729892d2bc2ffa73d93de95e19003cc6c8Pavel Reichl "memberships even after all groups "
b07a3b729892d2bc2ffa73d93de95e19003cc6c8Pavel Reichl "have been looked up on the LDAP "
b07a3b729892d2bc2ffa73d93de95e19003cc6c8Pavel Reichl "server.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose group_dn = ldb_dn_new(state, sysdb_ctx_get_ldb(state->group_dom->sysdb),
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n");
22eead9590e11c7adab33ec5ab8b46d3c3cb4406Lukas Slebodnik "Invalid group DN [%s].\n", state->groups[state->iter]);
e3d447a682164d1f6490227af2df6864ee7d6e1dSumit Bose tmp_str = sss_create_internal_fqname(state, fq_name,
e3d447a682164d1f6490227af2df6864ee7d6e1dSumit Bose /* keep using val->data if sss_create_internal_fqname() fails */
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose/* TODO: here it would be useful to have a filter type like BE_FILTER_DN to
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose * directly fetch the group with the corresponding DN. */
d81d8d3dc151ebc95cd0e3f3b14c1cdaa48980f1Sumit Bose false, false);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "groups_get_send failed.\n");
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose tevent_req_set_callback(subreq, ipa_add_ad_memberships_get_group_done, req);
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic void ipa_add_ad_memberships_get_group_done(struct tevent_req *subreq)
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose struct tevent_req *req = tevent_req_callback_data(subreq,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose struct add_ad_membership_state *state = tevent_req_data(req,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose ret = groups_get_recv(subreq, &state->dp_error, NULL);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Failed to read group [%s] from LDAP [%d](%s)\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov state->groups[state->iter], ret, strerror(ret));
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bosestatic errno_t ipa_add_ad_memberships_recv(struct tevent_req *req,
caee9828ee30609e9f433957dbb3d0163390a207Sumit Bose struct add_ad_membership_state *state = tevent_req_data(req,
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozeksearch_user_or_group_by_sid_str(TALLOC_CTX *mem_ctx,
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek /* In theory a SID shouldn't contain any special LDAP filter characters, but
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek * be paranoid and escape it anyway before it is embedded in a search filter
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek ret = sss_filter_sanitize(tmp_ctx, sid_str, &sanitized_sid);
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek ret = sysdb_search_user_by_sid_str(tmp_ctx, domain,
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek ret = sysdb_search_group_by_sid_str(tmp_ctx, domain,
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek DEBUG(SSSDBG_TRACE_FUNC, "Found %s in sysdb\n", sid_str);
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek "Error looking for %s in sysdb [%d]: %s\n",
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek ret = search_user_or_group_by_sid_str(tmp_ctx, member_dom, ext_member,
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek "Error looking up sid %s: [%d]: %s\n",
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek ret = sysdb_msg2attrs(tmp_ctx, 1, &msg, &members);
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek "Could not convert result to sysdb_attrs [%d]: %s\n",
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek /* Return the member both expired and valid */
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek expire = ldb_msg_find_attr_as_uint64(msg, SYSDB_CACHE_EXPIRE, 0);
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek DEBUG(SSSDBG_TRACE_FUNC, "%s is expired", ext_member);
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek/* For the IPA external member resolution, we expect a SID as the input.
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek * The _recv() function output is the member and a type (user/group)
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek * since nothing else can be a group member.
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozekstatic void ipa_ext_group_member_done(struct tevent_req *subreq);
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozekstruct tevent_req *ipa_ext_group_member_send(TALLOC_CTX *mem_ctx,
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek req = tevent_req_create(mem_ctx, &state, struct ipa_ext_member_state);
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek ipa_ctx = talloc_get_type(pvt, struct ipa_id_ctx);
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "Wrong private context!\n");
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek state->dom = find_domain_by_sid(ipa_ctx->sdap_id_ctx->be->domain,
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek "Cannot find domain of SID [%s]\n", ext_member);
b4456f3944e7d02f2976ac77f74aa379a7b06032Lukas Slebodnik ret = ipa_ext_group_member_check(state, state->dom, ext_member,
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek "external member %s already cached\n", ext_member);
3d29430867cf92b2d71afa95abb679711231117cPavel Březina ret = get_dp_id_data_for_sid(state, ext_member, state->dom->name, &ar);
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek "Cannot create the account request for [%s]\n", ext_member);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina subreq = dp_req_send(state, ipa_ctx->sdap_id_ctx->be->provider, NULL,
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek tevent_req_set_callback(subreq, ipa_ext_group_member_done, req);
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozekstatic void ipa_ext_group_member_done(struct tevent_req *subreq)
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek struct ipa_ext_member_state *state = tevent_req_data(req,
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina ret = dp_req_recv_ptr(state, subreq, struct dp_reply_std, &reply);
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "dp_req_recv failed\n");
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina "Cannot refresh data from DP: %u,%u: %s\n",
dea636af4d1902a081ee891f1b19ee2f8729d759Pavel Březina reply->dp_error, reply->error, reply->message);
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek DEBUG(ret == ENOENT ? SSSDBG_TRACE_FUNC : SSSDBG_OP_FAILURE,
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek "Could not find %s in sysdb [%d]: %s\n",
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek ret = sysdb_msg2attrs(state, 1, &msg, &members);
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek "Could not convert result to sysdb_attrs [%d]: %s\n",
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozekerrno_t ipa_ext_group_member_recv(TALLOC_CTX *mem_ctx,
e2d96566aeb881bd89e5c9236d663f6a9a88019aJakub Hrozek struct ipa_ext_member_state *state = tevent_req_data(req,