ipa_subdomains_ext_groups.c revision 22eead9590e11c7adab33ec5ab8b46d3c3cb4406
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce IPA Identity Backend Module for sub-domains - evaluate external group
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce Sumit Bose <sbose@redhat.com>
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce Copyright (C) 2013 Red Hat
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce This program is free software; you can redistribute it and/or modify
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce it under the terms of the GNU General Public License as published by
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce the Free Software Foundation; either version 3 of the License, or
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce (at your option) any later version.
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce This program is distributed in the hope that it will be useful,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce but WITHOUT ANY WARRANTY; without even the implied warranty of
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce GNU General Public License for more details.
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce You should have received a copy of the GNU General Public License
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce along with this program. If not, see <http://www.gnu.org/licenses/>.
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce#define IPA_EXT_GROUPS_FILTER "objectClass=ipaexternalgroup"
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidênciostatic errno_t process_ext_groups(TALLOC_CTX *mem_ctx, size_t reply_count,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek const char **ext_sids;
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek const char **mof;
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek ret = sss_hash_create(mem_ctx, reply_count, &ext_group_hash);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "sss_hash_create failed.\n");
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce for (g = 0; g < reply_count; g++) {
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce ret = sysdb_attrs_get_string_array(reply[g], "ipaExternalMember",
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce /* no external members, try next external group. */
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce "sysdb_attrs_get_string_array failed.\n");
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce ret = sysdb_attrs_get_string_array(reply[g], "memberOf",
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce /* no IPA groups, try next external group. */
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "sysdb_attrs_get_string_array failed.\n");
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek /* hash_lookup does not modify key.str. */
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce DEBUG(SSSDBG_OP_FAILURE, "Unexpected value type.\n");
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek /* hash_enter does not modify m_key.str. */
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce DEBUG(SSSDBG_TRACE_ALL, "Adding group [%s] to SID [%s].\n",
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed.\n");
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidêncio ret = sss_hash_create(ext_group_hash, 5, &m_hash);
60612b5fbdaaa62ebe6c7f4c27200316f08506d6Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "sss_hash_create failed.\n");
60612b5fbdaaa62ebe6c7f4c27200316f08506d6Jakub Hrozek "Adding SID [%s] to external group hash.\n", key.str);
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed.\n");
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce /* hash_enter does not modify m_key.str. */
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce DEBUG(SSSDBG_TRACE_ALL, "Adding group [%s] to SID [%s].\n",
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed.\n");
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "hash_lookup failed.\n");
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorcestatic errno_t find_ipa_ext_memberships(TALLOC_CTX *mem_ctx,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce const char *sid;
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce ret = sysdb_initgroups(tmp_ctx, user_dom, user_name, &result);
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "sysdb_initgroups failed.\n");
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce DEBUG(SSSDBG_MINOR_FAILURE, "User [%s] not found in cache.\n",
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek ret = sss_hash_create(tmp_ctx, 10, &group_hash);
a8361f37af31a8a9767056bd27c418c947293f56Fabiano Fidêncio DEBUG(SSSDBG_OP_FAILURE, "sss_hash_create failed.\n");
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce /* The IPA external domains can have references to group and user SIDs.
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce * This means that we not only want to look up the group SIDs but the SID
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce * of the user (first element of result) as well. */
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce sid = ldb_msg_find_attr_as_string(result->msgs[c], SYSDB_SID_STR,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce DEBUG(SSSDBG_MINOR_FAILURE, "Group [%s] does not have a SID.\n",
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek ret = hash_lookup(ext_group_hash, &key, &value);
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek DEBUG(SSSDBG_TRACE_ALL, "SID [%s] not found in ext group hash.\n",
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "new_hash_iter_context failed.\n");
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce ret = hash_enter(group_hash, &entry->key, &entry->value);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Failed to add group [%s].\n",
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "hash_lookup failed for SID [%s].\n",
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_TRACE_FUNC, "No external groupmemberships found.\n");
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce groups = talloc_zero_array(mem_ctx, char *, g_count + 1);
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "new_hash_iter_context failed.\n");
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidêncio while ((entry = iter->next(iter)) != NULL) {
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidêncio groups[c] = talloc_strdup(groups, entry->key.str);
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidêncio DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce user_dn = ldb_dn_copy(mem_ctx, result->msgs[0]->dn);
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n");
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorcestatic errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce subfilter = talloc_asprintf(tmp_ctx, "(%s=%s)", SYSDB_ORIG_DN, groups[c]);
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidêncio ret = sysdb_search_groups(tmp_ctx, group_dom, subfilter, NULL,
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce DEBUG(SSSDBG_TRACE_ALL, "Group [%s] not in the cache.\n",
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed.\n");
d806427f200dc1ffd44d37724eb40125af5cc8c2Fabiano Fidêncio/* TODO? Do we have to remove members as well? I think not, because the
d806427f200dc1ffd44d37724eb40125af5cc8c2Fabiano Fidêncio * preceding AD query already removes all memberships. */
d806427f200dc1ffd44d37724eb40125af5cc8c2Fabiano Fidêncio ret = sysdb_mod_group_member(group_dom, user_dn, msgs[0]->dn,
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "sysdb_mod_group_member failed.\n");
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF,
d806427f200dc1ffd44d37724eb40125af5cc8c2Fabiano Fidêncio DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n");
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek ret = sysdb_set_entry_attr(user_dom->sysdb, user_dn, user_attrs,
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n");
d806427f200dc1ffd44d37724eb40125af5cc8c2Fabiano Fidêncio /* mark group as already processed */
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidênciostatic struct tevent_req *ipa_add_ad_memberships_send(TALLOC_CTX *mem_ctx,
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidênciostatic void ipa_add_ad_memberships_done(struct tevent_req *subreq);
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidênciostatic void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq);
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidênciostatic void ipa_get_ext_groups_done(struct tevent_req *subreq);
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidênciostatic errno_t ipa_add_ext_groups_step(struct tevent_req *req);
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidênciostatic errno_t ipa_add_ad_memberships_recv(struct tevent_req *req,
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidênciostruct tevent_req *ipa_get_ad_memberships_send(TALLOC_CTX *mem_ctx,
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidêncio req = tevent_req_create(mem_ctx, &state, struct get_ad_membership_state);
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidêncio DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n");
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio if (((ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_INITGROUPS
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio && (ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_USER)
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio DEBUG(SSSDBG_OP_FAILURE, "Unsupported request type.\n");
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio state->user_name = talloc_strdup(state, ar->filter_value);
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio DEBUG(SSSDBG_OP_FAILURE, "talloc_Strdup failed.\n");
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidêncio DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek server_mode->ext_groups = talloc_zero(server_mode,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n");
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce if (server_mode->ext_groups->next_update > time(NULL)) {
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce DEBUG(SSSDBG_TRACE_FUNC, "External group information still valid.\n");
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce DEBUG(SSSDBG_OP_FAILURE, "ipa_add_ext_groups_step failed.\n");
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidêncio subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidêncio DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed: %d(%s).\n",
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio tevent_req_set_callback(subreq, ipa_get_ad_memberships_connect_done, req);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozekstatic void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq)
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce struct tevent_req *req = tevent_req_callback_data(subreq,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek struct get_ad_membership_state *state = tevent_req_data(req,
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce ret = sdap_id_op_connect_recv(subreq, &state->dp_error);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "No IPA server is available, going offline\n");
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek "Failed to connect to IPA server: [%d](%s)\n",
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek ret = domain_to_basedn(state, state->domain, &basedn);
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n");
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek subreq = sdap_get_generic_send(state, state->ev, state->sdap_id_ctx->opts,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek dp_opt_get_int(state->sdap_id_ctx->opts->basic,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce tevent_req_set_callback(subreq, ipa_get_ext_groups_done, req);
ab7b33fd7d820688545d5994a402cedf4bcdb6e1Fabiano Fidênciostatic void ipa_get_ext_groups_done(struct tevent_req *subreq)
ab7b33fd7d820688545d5994a402cedf4bcdb6e1Fabiano Fidêncio struct tevent_req *req = tevent_req_callback_data(subreq,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce struct get_ad_membership_state *state = tevent_req_data(req,
ab7b33fd7d820688545d5994a402cedf4bcdb6e1Fabiano Fidêncio DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ext_groups request failed.\n");
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_TRACE_FUNC, "[%zu] external groups found.\n",
ab7b33fd7d820688545d5994a402cedf4bcdb6e1Fabiano Fidêncio ret = process_ext_groups(state->server_mode->ext_groups,
ab7b33fd7d820688545d5994a402cedf4bcdb6e1Fabiano Fidêncio state->reply_count, state->reply, &ext_group_hash);
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "process_ext_groups failed.\n");
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek state->server_mode->ext_groups->ext_groups = ext_group_hash;
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek /* Do we have to make the update timeout configurable? */
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek state->server_mode->ext_groups->next_update = time(NULL) + 10;
ab7b33fd7d820688545d5994a402cedf4bcdb6e1Fabiano Fidêncio DEBUG(SSSDBG_OP_FAILURE, "ipa_add_ext_groups_step failed.\n");
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozekstatic errno_t ipa_add_ext_groups_step(struct tevent_req *req)
ab7b33fd7d820688545d5994a402cedf4bcdb6e1Fabiano Fidêncio struct get_ad_membership_state *state = tevent_req_data(req,
f35f4e4c8bd5b834504c0554552d78db3624706aFabiano Fidêncio ret = find_ipa_ext_memberships(state, state->user_name, state->user_dom,
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "find_ipa_ext_memberships failed.\n");
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce DEBUG(SSSDBG_TRACE_ALL, "No external groups memberships found.\n");
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce subreq = ipa_add_ad_memberships_send(state, state->ev, state->sdap_id_ctx,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "ipa_add_ad_memberships_send failed.\n");
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce tevent_req_set_callback(subreq, ipa_add_ad_memberships_done, req);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozekstatic void ipa_add_ad_memberships_done(struct tevent_req *subreq)
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce struct get_ad_membership_state *state = tevent_req_data(req,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek ret = ipa_add_ad_memberships_recv(subreq, &state->dp_error);
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "ipa_add_ad_memberships request failed.\n");
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozekerrno_t ipa_get_ad_memberships_recv(struct tevent_req *req, int *dp_error_out)
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek struct get_ad_membership_state *state = tevent_req_data(req,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorcestatic void ipa_add_ad_memberships_connect_done(struct tevent_req *subreq);
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorcestatic void ipa_add_ad_memberships_get_next(struct tevent_req *req);
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorcestatic void ipa_add_ad_memberships_get_group_done(struct tevent_req *subreq);
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorcestatic struct tevent_req *ipa_add_ad_memberships_send(TALLOC_CTX *mem_ctx,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce req = tevent_req_create(mem_ctx, &state, struct add_ad_membership_state);
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n");
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek state->group_sdom = sdap_domain_get(sdap_id_ctx->opts, group_dom);
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek ret = add_ad_user_to_cached_groups(user_dn, user_dom, group_dom, groups,
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "add_ad_user_to_cached_groups failed.\n");
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek DEBUG(SSSDBG_TRACE_ALL, "All groups found in cache.\n");
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed: %d(%s).\n",
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce tevent_req_set_callback(subreq, ipa_add_ad_memberships_connect_done, req);
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozekstatic void ipa_add_ad_memberships_connect_done(struct tevent_req *subreq)
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce struct tevent_req *req = tevent_req_callback_data(subreq,
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce struct add_ad_membership_state *state = tevent_req_data(req,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce ret = sdap_id_op_connect_recv(subreq, &state->dp_error);
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce "No IPA server is available, going offline\n");
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce "Failed to connect to IPA server: [%d](%s)\n",
e625eb47a3091d92eda2271b123f8aab06227b63Simo Sorcestatic void ipa_add_ad_memberships_get_next(struct tevent_req *req)
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek struct add_ad_membership_state *state = tevent_req_data(req,
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek ret = add_ad_user_to_cached_groups(state->user_dn, state->user_dom,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "add_ad_user_to_cached_groups failed.\n");
e625eb47a3091d92eda2271b123f8aab06227b63Simo Sorce DEBUG(SSSDBG_CRIT_FAILURE, "There are unresolved external group "
e625eb47a3091d92eda2271b123f8aab06227b63Simo Sorce "memberships even after all groups "
e625eb47a3091d92eda2271b123f8aab06227b63Simo Sorce "have been looked up on the LDAP "
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek "server.\n");
e625eb47a3091d92eda2271b123f8aab06227b63Simo Sorce group_dn = ldb_dn_new(state, sysdb_ctx_get_ldb(state->group_dom->sysdb),
e625eb47a3091d92eda2271b123f8aab06227b63Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n");
73ce539aa70f43ccd5302b3ef8a02ff028558b12Jakub Hrozek "Invalid group DN [%s].\n", state->groups[state->iter]);
73ce539aa70f43ccd5302b3ef8a02ff028558b12Jakub Hrozek/* TODO: here it would be useful to have a filter type like BE_FILTER_DN to
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek * directly fetch the group with the corresponding DN. */
e625eb47a3091d92eda2271b123f8aab06227b63Simo Sorce false, false);
e625eb47a3091d92eda2271b123f8aab06227b63Simo Sorce DEBUG(SSSDBG_OP_FAILURE, "groups_get_send failed.\n");
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce tevent_req_set_callback(subreq, ipa_add_ad_memberships_get_group_done, req);
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorcestatic void ipa_add_ad_memberships_get_group_done(struct tevent_req *subreq)
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek struct tevent_req *req = tevent_req_callback_data(subreq,
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek struct add_ad_membership_state *state = tevent_req_data(req,
a9d46b86993ee8d87fddf0ba50665c0b1b78ebb7Simo Sorce ret = groups_get_recv(subreq, &state->dp_error, NULL);
8bb2fcbce7c3fcfd986f1bc835fbcc43ac7cd9d1Jakub Hrozek DEBUG(SSSDBG_OP_FAILURE, "Failed to read group [%s] from LDAP [%d](%s)\n",
e625eb47a3091d92eda2271b123f8aab06227b63Simo Sorcestatic errno_t ipa_add_ad_memberships_recv(struct tevent_req *req,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorce struct add_ad_membership_state *state = tevent_req_data(req,
1dd679584241a0f9b29072c7eed1c5c5e4a577e4Simo Sorcesearch_user_or_group_by_sid_str(TALLOC_CTX *mem_ctx,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce /* In theory a SID shouldn't contain any special LDAP filter characters,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek * but sanitize it anyway rather than trust the input
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek ret = sss_filter_sanitize(tmp_ctx, sid_str, &sanitized_sid);
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce ret = sysdb_search_user_by_sid_str(tmp_ctx, domain,
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek ret = sysdb_search_group_by_sid_str(tmp_ctx, domain,
6c82774653f37945bdd0a311eb1ecc289cac683dLukas Slebodnik DEBUG(SSSDBG_TRACE_FUNC, "Found %s in sysdb\n", sid_str);
8f2a34cc6964a1f80a1434e05315a7ae0bb5774eSimo Sorce "Error looking for %s in sysdb [%d]: %s\n",
8f2a34cc6964a1f80a1434e05315a7ae0bb5774eSimo Sorce DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
8f2a34cc6964a1f80a1434e05315a7ae0bb5774eSimo Sorce ret = search_user_or_group_by_sid_str(tmp_ctx, member_dom, ext_member,
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidêncio "Error looking up sid %s: [%d]: %s\n",
8f2a34cc6964a1f80a1434e05315a7ae0bb5774eSimo Sorce ret = sysdb_msg2attrs(tmp_ctx, 1, &msg, &members);
8f2a34cc6964a1f80a1434e05315a7ae0bb5774eSimo Sorce "Could not convert result to sysdb_attrs [%d]: %s\n",
8f2a34cc6964a1f80a1434e05315a7ae0bb5774eSimo Sorce /* Return the member both expired and valid */
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce expire = ldb_msg_find_attr_as_uint64(msg, SYSDB_CACHE_EXPIRE, 0);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek DEBUG(SSSDBG_TRACE_FUNC, "%s is expired", ext_member);
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek/* For the IPA external member resolution, we expect a SID as the input.
7128fadade544efcd86b113a5090b00d20993671Jakub Hrozek * The _recv() function output is the member and a type (user/group)
625bb2ddf15e8f305a53afa44e87f2146fa930afSimo Sorce * since nothing else can be a group member.
const char *ext_member,
void *pvt)
return NULL;
goto immediate;
goto immediate;
goto immediate;
goto immediate;
goto immediate;
return req;
return req;
struct tevent_req);
struct ipa_ext_member_state);
int err_maj;
int err_min;
const char *err_msg;
&msg);
struct ipa_ext_member_state);
if (_dom) {
return EOK;