[Freeipa-devel] [PATCH] slapi-nis support for trusted domains

Nalin Dahyabhai nalin at redhat.com
Thu Aug 1 20:00:47 UTC 2013 

On Wed, Jul 31, 2013 at 03:53:21PM +0300, Alexander Bokovoy wrote:
> Authentication is handled for both IPA and trusted domain users. The
> former case requires some specific handling of the SLAPI_BIND_TARGET_SDN
> to rewrite it to the original entry's DN. As result successful bind
> looks like this in the dirsrv logs:
> [31/Jul/2013:15:49:03 +0300] conn=15 fd=79 slot=79 SSL connection from 192.168.111.216 to 192.168.111.216
> [31/Jul/2013:15:49:03 +0300] conn=15 SSL 256-bit AES
> [31/Jul/2013:15:49:03 +0300] conn=15 op=0 BIND dn="uid=admin,cn=users,cn=compat,dc=example,dc=com" method=128 version=3
> [31/Jul/2013:15:49:03 +0300] conn=15 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=foobar)" attrs=ALL
> [31/Jul/2013:15:49:03 +0300] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"

The RESULT dn being different from the BIND dn is easy to miss, but it
should prevent possible problems where a given user can be bound to more
than one DN, depending on where they started, so I guess it's fine.

On to specific patches:
HEAD~11 looks fine.
HEAD~10:
* Add internal whitespace when computing the value to pass to
  slapi_ch_malloc().
* Break the declaration and initialization of "str" into two lines.
* Use '\0' to terminate str instead of 0.
* In the new comment in format.h, NULL should be NUL.
HEAD~9 looks fine.
HEAD~8:
* In configure.in, drop the hunk that changes the version number that we
  pass to AC_INIT.
* In configure.in, one test compares x$use_sss_nss_idmap != xno, while
  one shortly after compares $use_sss_nss_idmap = yes.  If
  $use_sss_nss_idmap can be empty, then the second test needs to be
  ready for that.
* The help text still refers to SSSD specifically, when the code doesn't
  enforce or guarantee that SSSD's involved when performing nsswitch
  lookups or PAM authentication.
HEAD~7:
* Fix formatting of wrapped lines when calling backend_shr_get_vattr_str().
* Check for errors when converting the configured sssd_min_id to a number
  by switching from atol() to strtol() or strtoul().
HEAD~6:
* Drop extra whitespace after the type of the "name" member when
  defining struct backend_search_filter_config.
* backend_search_filter_has_cn_uid() allocates config->name using
  slapi_ch_malloc(), but it is later freed by free().
* backend_retrieve_user_entry_from_sssd(): fix line wrapping in
  function signature.
* backend_retrieve_user_entry_from_sssd() needs to handle ERANGE errors.
* backend_retrieve_user_entry_from_sssd(): avoid using
  slapi_entry_attr_set_int(), which will treat an unsigned 32-bit
  with the high bit set as a negative value
* backend_retrieve_user_entry_from_sssd(): check for zero-length
  pw_shell value, and avoid adding it as a loginShell value, since
  that'd be invalid
* backend_retrieve_user_entry_from_sssd() adds "ipaNTUserAttrs" as an
  objectClass in the temporary entry, but the value isn't copied into
  the cache.  What purpose does it serve?
* backend_retrieve_user_entry_from_sssd(): extra whitespace when
  constructing the new entry's DN.
* backend_retrieve_user_entry_from_sssd(): memory leak from not freeing
  the result of slapi_escape_filter_value().
* backend_retrieve_group_entry_from_sssd(): fix line wrapping in
  function signature.
* backend_retrieve_group_entry_from_sssd() needs to handle ERANGE errors.
* backend_retrieve_group_entry_from_sssd(): extra whitespace when
  constructing the new entry's DN.
* backend_retrieve_group_entry_from_sssd(): memory leak from not freeing
  the result of slapi_escape_filter_value().
* backend_retrieve_group_entry_from_sssd() adds "ipaNTGroupAttrs" as an
  objectClass in the temporary entry, but the value isn't copied into
  the cache.  What purpose does it serve?
* backend_retrieve_group_list_from_sssd() needs to handle ERANGE errors.
* backend_retrieve_group_entry_from_sssd(): avoid using
  slapi_entry_attr_set_int(), which will treat an unsigned 32-bit
  with the high bit set as a negative value
* backend_retrieve_group_list_from_sssd(): check for NULL result from
  realloc().
* backend_search_sssd(): fix line wrapping for call to
  slapi_filter_apply().
* backend_search_sssd(): use strtol() or strtoul() to convert a value to
  a number, and check for errors.
* backend_search_sssd(): staged->container_sdn/map_group/map_set are
  allocated with slapi_ch_strdup() but freed with free() later.
* backend_retrieve_from_sssd(): check for NULL result from malloc().
* backend_retrieve_from_sssd(): fix line wrapping for calls to
  backend_retrieve_user/group_entry_from_sssd.
HEAD~5:
* free_pam_response() uses slapi_ch_free() to free memory that was
  probably allocated with malloc().
* pam_conv_func(): remove extra whitespace in call to slapi_pblock_get()
* pam_conv_func(): use malloc() instead of slapi_ch_calloc() to allocate
  replies, because plugins tend to be use free() to free them.
* pam_conv_func(): replace if/else-if/else-if/else-if stacks with a
  switch() statement.
* do_pam_auth(): fix line wrapping in function signature.
* do_pam_auth(): comments suggest that it's just entered or left a
  critical section, when the function's been called in one.
* do_pam_auth(): replace if/else-if/else-if/else-if stacks with a
  switch() statement.
* do_pam_auth(): fix line wrapping when calling PR_smprintf().
HEAD~4:
* Also needs to add back-sch.h to nisserver_plugin_la_SOURCES.
HEAD~3:
* backend_search_find_set_data_in_group_cb(): fix line wrapping in
  function signature.
* backend_search_cb() looks like it'll leak staged->entries[i] if
  another thread has added a similarly-named entry to the cache.
* backend_search_cb() now appears to be freeing the closest-match
  as part of a conditional clause, right before it would unconditionally
  do so.
* backend_search_cb() doesn't need to cast cbdata.sssd_buffer_len before
  comparing it to -1.
HEAD~2:
* backend_bind_cb() allocates strings with slapi_ch_strdup() and
  slapi_entry_attr_get_charptr() but frees them with free().
* backend_bind_cb() should avoid having to cast away a "const" by using
  non-const variables for the saved copies of the group and set names.
HEAD~1:
* Drop the version number change.
HEAD:
* Doesn't mention the PAM service used for authentication, which it
  probably should.  Still, a good start.

Thanks,

Nalin

More information about the Freeipa-devel mailing list