[Freeipa-devel] [PATCH] slapi-nis: normalize memberUid search filter term for AD users

Alexander Bokovoy abokovoy at redhat.com
Thu Oct 9 11:01:16 UTC 2014


Hi,

The memberUid attribute has case-sensitive comparison defined, but when we
construct memberUid for AD users (coming through SSSD), they are
normalized to lower case. Interestingly enough, the 'uid' attribute has
case-insensitive comparison.

Work around the issue by lower-casing the memberUid search term value when
it is a fully-qualified name (user@domain), meaning we are asking for an SSSD
user.

This is the patch on top of my ID views support patch.

https://bugzilla.redhat.com/show_bug.cgi?id=1130131
-- 
/ Alexander Bokovoy
-------------- next part --------------
From e90135b7a477d15c4349e7d46e4cbf2730a66d71 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Thu, 9 Oct 2014 13:52:38 +0300
Subject: [PATCH 2/2] slapi-nis: normalize memberUid search filter when
 searching AD users

The memberUid attribute uses IA5 String comparison, which is case-sensitive.
At the same time, the uid attribute uses case-insensitive comparison.

When memberUid is constructed for groups from AD, SSSD normalizes names
to lower case. slapi-nis records these entries as they are produced by SSSD.
However, the search filter is not modified, thus case-sensitive comparison
of the memberUid attribute may fail to match the original term.

Work around the issue by lower-casing the memberUid term in the search filter
if it includes an '@' sign, meaning we are searching on a fully-qualified user
name provided by SSSD.

https://bugzilla.redhat.com/show_bug.cgi?id=1130131
---
 src/back-sch-nss.c | 35 ++++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)

diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
index 26d4b8c..12ae589 100644
--- a/src/back-sch-nss.c
+++ b/src/back-sch-nss.c
@@ -60,7 +60,7 @@ bvstrprefix(const struct berval *bval, const char *s)
 
 	len = strlen(s);
 	if (len < bval->bv_len) {
-		return strncasecmp(bval->bv_val, s, len) != 0;
+		return slapi_utf8ncasecmp((unsigned char *) bval->bv_val, (unsigned char *) s, len) != 0;
 	}
 
 	return 1;
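
Review bot: in bvstrprefix the new call casts `s`, declared `const char *s`, to `unsigned char *`, which silently discards the const qualifier; cast to `const unsigned char *` if the prototype allows it, or note why dropping const is safe here. Separately, `bval->bv_val` is passed straight in with `len` as the only bound, while the memberUid hunk of this same patch copies the value into a NUL-terminated buffer before calling slapi_utf8StrToLower. Please confirm that slapi_utf8ncasecmp stops at `len` bytes and does not look for a terminator in `bv_val`.
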
@@ -75,9 +75,9 @@ bvstrcasecmp(const struct berval *bval, const char *s)
 
 	len = strlen(s);
 	if (len == bval->bv_len) {
-		return strncasecmp(bval->bv_val, s, len);
+		return slapi_utf8ncasecmp((unsigned char *) bval->bv_val, (unsigned char *) s, len);
 	}
-	c = strncasecmp(bval->bv_val, s, MIN(bval->bv_len, len));
+	c = slapi_utf8ncasecmp((unsigned char *) bval->bv_val, (unsigned char *) s, MIN(bval->bv_len, len));
 	if (c != 0) {
 		return c;
 	}
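
Review bot: the commit message describes only the lower-casing of the memberUid filter term and does not mention that bvstrcasecmp and bvstrprefix switch from strncasecmp to slapi_utf8ncasecmp; please add a sentence saying why that change belongs in this patch. In the `MIN(bval->bv_len, len)` call the bound is a byte count (taken from `strlen(s)` and `bv_len`), so confirm that the new function treats its third argument as bytes rather than characters. If it counts characters, a multi-byte value would be compared over a different span than the old code used.
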
@@ -111,6 +111,35 @@ backend_search_filter_has_cn_uid(Slapi_Filter *filter, void *arg)
 		} else if (0 == strcasecmp(filter_type, "cn")) {
 			config->name_set = TRUE;
 		} else if (0 == strcasecmp(filter_type, "memberUid")) {
+			/* memberUid is case-sensitive in RFC 2307 but uid is case-insensitive
+			 * When memberUid is generated for SSSD-provided entries, it is low-cased,
+			 * we need to low case the filter value to actually match it.
+			 * However, we will do it only for fully qualified names as they are coming from SSSD. */
+			char *memberUid = NULL;
+			char *lwMemberUid = NULL;
+			unsigned int i = 0;
+
+			for (i=0; i < bval->bv_len ; i++) {
+				if (bval->bv_val[i] == '@')
+					break;
+			}
+
+			if (i < bval->bv_len) {
+				memberUid = slapi_ch_malloc(bval->bv_len + 1);
+				if (memberUid != NULL) {
+					memcpy(memberUid, bval->bv_val, bval->bv_len);
+					memberUid[bval->bv_len] = '\0';
+					lwMemberUid = (char *) slapi_utf8StrToLower((unsigned char*) memberUid);
+					if (lwMemberUid != NULL) {
+						struct berval bval_lw = {0, NULL};
+						bval_lw.bv_len = strlen((const char *) lwMemberUid);
+						bval_lw.bv_val = lwMemberUid;
+						slapi_ber_bvdone(bval);
+						slapi_ber_bvcpy(bval, &bval_lw);
+					}
+					slapi_ch_free_string(&memberUid);
+				}
+			}
 			config->name_set = TRUE;
 			config->search_members = TRUE;
 		} else if ((0 == strcasecmp(filter_type, "objectClass")) &&
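
Review bot: `lwMemberUid` is never released in the memberUid branch; only `memberUid` goes through `slapi_ch_free_string`. If `slapi_ber_bvcpy(bval, &bval_lw)` duplicates the value, as its name suggests, the string returned by slapi_utf8StrToLower is leaked on every search with a fully-qualified memberUid term, so add `slapi_ch_free_string(&lwMemberUid);` after the copy. When slapi_utf8StrToLower returns NULL the filter silently keeps its original case and the search will miss exactly as before the patch, so a log message on that path would help. The block comment could also state that the whole value, domain part included, is lower-cased.
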
-- 
2.1.0


