[PATCHES] idmap_rfc2307: Fix handling of cn realm
Christof Schmitt
cs at samba.org
Wed Dec 9 19:59:04 UTC 2015
From 8f6c242568420c686475c4d9da150be86de39f75 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Tue, 8 Dec 2015 11:52:41 -0700
Subject: [PATCH 1/2] idmap_rfc2307: Fix handling of cn realm
When cn_realm was set, the idmap_rfc2307 module tried to determine the
realm from the AD connection struct. In case of referring to a different
domain using the ldap_domain config option, the wrong realm was used.
Since the LDAP-server case already requires having the realm in the
config, extend that to the AD case to fix the issue: Having LDAP records
with @realm in the cn, now always requires having the realm in the
config.
Now cn_realm and ldap_realm always would have to be specified together,
so replace the two options with a single "realm" option.
Signed-off-by: Christof Schmitt <cs at samba.org>
---
source3/winbindd/idmap_rfc2307.c | 39 +++++++++++++------------------------
1 files changed, 14 insertions(+), 25 deletions(-)
diff --git a/source3/winbindd/idmap_rfc2307.c b/source3/winbindd/idmap_rfc2307.c
index 6b3ab4a..3ef10f6 100644
--- a/source3/winbindd/idmap_rfc2307.c
+++ b/source3/winbindd/idmap_rfc2307.c
@@ -38,7 +38,6 @@ struct idmap_rfc2307_context {
const char *bind_path_user;
const char *bind_path_group;
const char *ldap_domain;
- bool cn_realm;
bool user_cn;
const char *realm;
@@ -82,9 +81,6 @@ static NTSTATUS idmap_rfc2307_ads_check_connection(struct idmap_domain *dom)
status = ads_idmap_cached_connection(&ctx->ads, dom_name);
if (ADS_ERR_OK(status)) {
ctx->ldap = ctx->ads->ldap.ld;
- if (ctx->cn_realm) {
- ctx->realm = ctx->ads->server.realm;
- }
} else {
DEBUG(1, ("Could not connect to domain %s: %s\n", dom->name,
ads_errstr(status)));
@@ -172,7 +168,7 @@ static NTSTATUS idmap_rfc2307_init_ldap(struct idmap_rfc2307_context *ctx,
NTSTATUS ret;
char *url;
char *secret = NULL;
- const char *ldap_url, *user_dn, *ldap_realm;
+ const char *ldap_url, *user_dn;
TALLOC_CTX *mem_ctx = ctx;
ldap_url = lp_parm_const_string(-1, config_option, "ldap_url", NULL);
@@ -204,21 +200,6 @@ static NTSTATUS idmap_rfc2307_init_ldap(struct idmap_rfc2307_context *ctx,
ctx->search = idmap_rfc2307_ldap_search;
- if (ctx->cn_realm) {
- ldap_realm = lp_parm_const_string(-1, config_option,
- "ldap_realm", NULL);
- if (!ldap_realm) {
- DEBUG(1, ("ERROR: cn_realm set, "
- "but ldap_realm is missing\n"));
- ret = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
- ctx->realm = talloc_strdup(mem_ctx, ldap_realm);
- if (!ctx->realm) {
- ret = NT_STATUS_NO_MEMORY;
- }
- }
-
done:
talloc_free(url);
return ret;
@@ -276,7 +257,7 @@ static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx,
continue;
}
- if (ctx->cn_realm) {
+ if (ctx->realm != NULL) {
/* Strip @realm from user or group name */
char *delim;
@@ -487,7 +468,7 @@ static NTSTATUS idmap_rfc_2307_sids_to_names(TALLOC_CTX *mem_ctx,
switch(lsa_type) {
case SID_NAME_USER:
id->xid.type = map->type = ID_TYPE_UID;
- if (ctx->user_cn && ctx->cn_realm) {
+ if (ctx->user_cn && ctx->realm != NULL) {
name = talloc_asprintf(mem_ctx, "%s@%s",
name, ctx->realm);
}
@@ -497,7 +478,7 @@ static NTSTATUS idmap_rfc_2307_sids_to_names(TALLOC_CTX *mem_ctx,
case SID_NAME_DOM_GRP:
case SID_NAME_ALIAS:
case SID_NAME_WKN_GRP:
- if (ctx->cn_realm) {
+ if (ctx->realm != NULL) {
name = talloc_asprintf(mem_ctx, "%s@%s",
name, ctx->realm);
}
@@ -781,7 +762,7 @@ static NTSTATUS idmap_rfc2307_initialize(struct idmap_domain *domain)
{
struct idmap_rfc2307_context *ctx;
char *cfg_opt;
- const char *bind_path_user, *bind_path_group, *ldap_server;
+ const char *bind_path_user, *bind_path_group, *ldap_server, *realm;
NTSTATUS status;
ctx = talloc_zero(domain, struct idmap_rfc2307_context);
@@ -842,7 +823,15 @@ static NTSTATUS idmap_rfc2307_initialize(struct idmap_domain *domain)
goto err;
}
- ctx->cn_realm = lp_parm_bool(-1, cfg_opt, "cn_realm", false);
+ realm = lp_parm_const_string(-1, cfg_opt, "realm", NULL);
+ if (realm) {
+ ctx->realm = talloc_strdup(ctx, realm);
+ if (ctx->realm == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto err;
+ }
+ }
+
ctx->user_cn = lp_parm_bool(-1, cfg_opt, "user_cn", false);
domain->private_data = ctx;
--
1.7.1
From 5117a868ff37bb807e592831f7fb45d246e46cd1 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Tue, 8 Dec 2015 12:04:22 -0700
Subject: [PATCH 2/2] docs-xml: Update idmap_rfc2307 manpage for new realm handling
Now there is only "realm" as a config option; it replaces "cn_realm" and
"ldap_realm".
Signed-off-by: Christof Schmitt <cs at samba.org>
---
docs-xml/manpages/idmap_rfc2307.8.xml | 13 +++----------
1 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/docs-xml/manpages/idmap_rfc2307.8.xml b/docs-xml/manpages/idmap_rfc2307.8.xml
index 095e035..8df4d53 100644
--- a/docs-xml/manpages/idmap_rfc2307.8.xml
+++ b/docs-xml/manpages/idmap_rfc2307.8.xml
@@ -88,11 +88,11 @@
no.</para></listitem>
</varlistentry>
<varlistentry>
- <term>cn_realm = <yes | no></term>
+ <term>realm</term>
<listitem><para>Append @realm to cn for groups
(and users if user_cn is set) in
- LDAP. This option is not required, the default
- is no.</para></listitem>
+ LDAP queries. This option is not required, the default
+ is not to append the realm.</para></listitem>
</varlistentry>
<varlistentry>
<term>ldap_domain</term>
@@ -124,13 +124,6 @@
absent, an anonymous bind will be
performed.</para></listitem>
</varlistentry>
- <varlistentry>
- <term>ldap_realm</term>
- <listitem><para>Defines the realm to use in
- the user and group names. This is only
- required when using cn_realm together with a
- stand-alone ldap server.</para></listitem>
- </varlistentry>
</variablelist>
</refsect1>
--
1.7.1
More information about the samba-technical
mailing list