diff --git a/0001-Require-existence-of-GID-number-and-name-in-group-se.patch b/0001-Require-existence-of-GID-number-and-name-in-group-se.patch
new file mode 100644
index 0000000..d06bc39
--- /dev/null
+++ b/0001-Require-existence-of-GID-number-and-name-in-group-se.patch
@@ -0,0 +1,150 @@
+From 2c97299c19a71aa41eef3f3155c24347cf392615 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Fri, 11 Mar 2011 05:06:48 -0500
+Subject: [PATCH 1/2] Require existence of GID number and name in group searches
+
+https://fedorahosted.org/sssd/ticket/824
+---
+ src/providers/ldap/ldap_id.c | 9 ++++++---
+ src/providers/ldap/ldap_id_enum.c | 28 ++++++++++++++++------------
+ src/providers/ldap/sdap_async_accounts.c | 30 ++++++++++++++++++++----------
+ 3 files changed, 42 insertions(+), 25 deletions(-)
+
+diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
+index 9a234280082f7396eda4307e9e4bb4bd63b5615c..776df1ac2d9e983a792fbba0f6773c082898708d 100644
+--- a/src/providers/ldap/ldap_id.c
++++ b/src/providers/ldap/ldap_id.c
+@@ -335,9 +335,12 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
+ goto fail;
+ }
+
+- state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
+- attr_name, clean_name,
+- ctx->opts->group_map[SDAP_OC_GROUP].name);
++ state->filter =
++ talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
++ attr_name, clean_name,
++ ctx->opts->group_map[SDAP_OC_GROUP].name,
++ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
++ ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
+ if (!state->filter) {
+ DEBUG(2, ("Failed to build filter\n"));
+ ret = ENOMEM;
+diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c
+index f47ee9fbe170bae0058a682a3a051df21cfbc0d6..42c2911926602bfc2e3a33a0af837d6e809ee68b 100644
+--- a/src/providers/ldap/ldap_id_enum.c
++++ b/src/providers/ldap/ldap_id_enum.c
+@@ -546,19 +546,23 @@ static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
+ state->op = op;
+
+ if (ctx->srv_opts && ctx->srv_opts->max_group_value && !purge) {
+- state->filter = talloc_asprintf(state,
+- "(&(%s=*)(objectclass=%s)(%s>=%s)(!(%s=%s)))",
+- ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
+- ctx->opts->group_map[SDAP_OC_GROUP].name,
+- ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
+- ctx->srv_opts->max_group_value,
+- ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
+- ctx->srv_opts->max_group_value);
++ state->filter = talloc_asprintf(
++ state,
++ "(&(objectclass=%s)(%s=*)(%s=*)(%s>=%s)(!(%s=%s)))",
++ ctx->opts->group_map[SDAP_OC_GROUP].name,
++ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
++ ctx->opts->group_map[SDAP_AT_GROUP_GID].name,
++ ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
++ ctx->srv_opts->max_group_value,
++ ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
++ ctx->srv_opts->max_group_value);
+ } else {
+- state->filter = talloc_asprintf(state,
+- "(&(%s=*)(objectclass=%s))",
+- ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
+- ctx->opts->group_map[SDAP_OC_GROUP].name);
++ state->filter = talloc_asprintf(
++ state,
++ "(&(objectclass=%s)(%s=*)(%s=*))",
++ ctx->opts->group_map[SDAP_OC_GROUP].name,
++ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
++ ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
+ }
+ if (!state->filter) {
+ DEBUG(2, ("Failed to build filter\n"));
+diff --git a/src/providers/ldap/sdap_async_accounts.c b/src/providers/ldap/sdap_async_accounts.c
+index 8e459598674d589c0cdfcece125c183f7c95bb4d..3fedf07da7fbdc9409f5360ba8301158a65014cd 100644
+--- a/src/providers/ldap/sdap_async_accounts.c
++++ b/src/providers/ldap/sdap_async_accounts.c
+@@ -2007,10 +2007,12 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
+ return NULL;
+ }
+
+- filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
++ filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
+ opts->group_map[SDAP_AT_GROUP_MEMBER].name,
+ clean_name,
+- opts->group_map[SDAP_OC_GROUP].name);
++ opts->group_map[SDAP_OC_GROUP].name,
++ opts->group_map[SDAP_AT_GROUP_NAME].name,
++ opts->group_map[SDAP_AT_GROUP_GID].name);
+ if (!filter) {
+ talloc_zfree(req);
+ return NULL;
+@@ -2211,8 +2213,10 @@ static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx,
+ return NULL;
+ }
+
+- state->filter = talloc_asprintf(state, "(objectclass=%s)",
+- opts->group_map[SDAP_OC_GROUP].name);
++ state->filter = talloc_asprintf(state, "(&(objectclass=%s)(%s=*)(%s=*))",
++ opts->group_map[SDAP_OC_GROUP].name,
++ opts->group_map[SDAP_AT_GROUP_NAME].name,
++ opts->group_map[SDAP_AT_GROUP_GID].name);
+ if (!state->filter) {
+ talloc_zfree(req);
+ return NULL;
+@@ -3103,8 +3107,10 @@ static errno_t sdap_nested_group_lookup_group(struct tevent_req *req)
+ }
+
+ filter = talloc_asprintf(
+- sdap_attrs, "(objectclass=%s)",
+- state->opts->group_map[SDAP_OC_GROUP].name);
++ sdap_attrs, "(&(objectclass=%s)(%s=*)(%s=*))",
++ state->opts->group_map[SDAP_OC_GROUP].name,
++ state->opts->group_map[SDAP_AT_GROUP_NAME].name,
++ state->opts->group_map[SDAP_AT_GROUP_GID].name);
+ if (!filter) {
+ talloc_free(sdap_attrs);
+ return ENOMEM;
+@@ -3435,10 +3441,12 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
+ return NULL;
+ }
+
+- filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
++ filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
+ opts->group_map[SDAP_AT_GROUP_MEMBER].name,
+ clean_orig_dn,
+- opts->group_map[SDAP_OC_GROUP].name);
++ opts->group_map[SDAP_OC_GROUP].name,
++ opts->group_map[SDAP_AT_GROUP_NAME].name,
++ opts->group_map[SDAP_AT_GROUP_GID].name);
+ if (!filter) {
+ talloc_zfree(req);
+ return NULL;
+@@ -3839,10 +3847,12 @@ static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req)
+ }
+
+ filter = talloc_asprintf(
+- tmp_ctx, "(&(%s=%s)(objectclass=%s))",
++ tmp_ctx, "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))",
+ state->opts->group_map[SDAP_AT_GROUP_MEMBER].name,
+ clean_orig_dn,
+- state->opts->group_map[SDAP_OC_GROUP].name);
++ state->opts->group_map[SDAP_OC_GROUP].name,
++ state->opts->group_map[SDAP_AT_GROUP_NAME].name,
++ state->opts->group_map[SDAP_AT_GROUP_GID].name);
+ if (!filter) {
+ ret = ENOMEM;
+ goto error;
+--
+1.7.4
+
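Review bot: The `(%s=*)` presence assertions added to all seven group filters in this patch make the server silently omit any entry that lacks the configured name or GID attribute, yet none of the call sites records why, and the first one in groups_get_send is where a reader will meet it; I would add above that talloc_asprintf: `/* Require the name and GID attributes: an entry missing either cannot be used as a POSIX group, so let the server omit it (ticket 824) */`. A presence filter also fails when the attribute exists but is unreadable under the bind identity's ACLs, so a group that "disappears" after this change can be an access-rights problem rather than a data problem; that deserves a second sentence in the comment or a DEBUG line where an empty result is handled, which is outside these hunks. In groups_get_send the search attribute `attr_name` may itself be the GID attribute, in which case the added GID presence test is redundant but harmless. All of the enclosing functions start and end outside their hunks.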
diff --git a/0002-Require-existence-of-username-uid-and-gid-for-user-e.patch b/0002-Require-existence-of-username-uid-and-gid-for-user-e.patch
new file mode 100644
index 0000000..fb0a554
--- /dev/null
+++ b/0002-Require-existence-of-username-uid-and-gid-for-user-e.patch
@@ -0,0 +1,55 @@
+From c6f9fcdbf62d616f9fc89b7695aa48fa4c8ebd80 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Mon, 14 Mar 2011 09:56:22 -0400
+Subject: [PATCH 2/2] Require existence of username, uid and gid for user enumeration
+
+We will ignore users that do not have these three values.
+---
+ src/providers/ldap/ldap_id_enum.c | 30 ++++++++++++++++++------------
+ 1 files changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c
+index 42c2911926602bfc2e3a33a0af837d6e809ee68b..6899b87c08b46c3c2b61fcd975ab14a4118cc918 100644
+--- a/src/providers/ldap/ldap_id_enum.c
++++ b/src/providers/ldap/ldap_id_enum.c
+@@ -441,19 +441,25 @@ static struct tevent_req *enum_users_send(TALLOC_CTX *memctx,
+ state->op = op;
+
+ if (ctx->srv_opts && ctx->srv_opts->max_user_value && !purge) {
+- state->filter = talloc_asprintf(state,
+- "(&(%s=*)(objectclass=%s)(%s>=%s)(!(%s=%s)))",
+- ctx->opts->user_map[SDAP_AT_USER_NAME].name,
+- ctx->opts->user_map[SDAP_OC_USER].name,
+- ctx->opts->user_map[SDAP_AT_USER_USN].name,
+- ctx->srv_opts->max_user_value,
+- ctx->opts->user_map[SDAP_AT_USER_USN].name,
+- ctx->srv_opts->max_user_value);
++ state->filter = talloc_asprintf(
++ state,
++ "(&(objectclass=%s)(%s=*)(%s=*)(%s=*)(%s>=%s)(!(%s=%s)))",
++ ctx->opts->user_map[SDAP_OC_USER].name,
++ ctx->opts->user_map[SDAP_AT_USER_NAME].name,
++ ctx->opts->user_map[SDAP_AT_USER_UID].name,
++ ctx->opts->user_map[SDAP_AT_USER_GID].name,
++ ctx->opts->user_map[SDAP_AT_USER_USN].name,
++ ctx->srv_opts->max_user_value,
++ ctx->opts->user_map[SDAP_AT_USER_USN].name,
++ ctx->srv_opts->max_user_value);
+ } else {
+- state->filter = talloc_asprintf(state,
+- "(&(%s=*)(objectclass=%s))",
+- ctx->opts->user_map[SDAP_AT_USER_NAME].name,
+- ctx->opts->user_map[SDAP_OC_USER].name);
++ state->filter = talloc_asprintf(
++ state,
++ "(&(objectclass=%s)(%s=*)(%s=*)(%s=*))",
++ ctx->opts->user_map[SDAP_OC_USER].name,
++ ctx->opts->user_map[SDAP_AT_USER_NAME].name,
++ ctx->opts->user_map[SDAP_AT_USER_UID].name,
++ ctx->opts->user_map[SDAP_AT_USER_GID].name);
+ }
+ if (!state->filter) {
+ DEBUG(2, ("Failed to build filter\n"));
+--
+1.7.4
+
diff --git a/sssd.spec b/sssd.spec
index 2918801..d61476f 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -8,7 +8,7 @@ Name: sssd
 Version: 1.5.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -17,6 +17,8 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
+Patch0001: 0001-Require-existence-of-GID-number-and-name-in-group-se.patch
+Patch0002: 0002-Require-existence-of-username-uid-and-gid-for-user-e.patch
 ### Dependencies ###
@@ -113,6 +115,9 @@ use with ldap_default_authtok_type = obfuscated_password.
 %prep
 %setup -q
+%patch0001 -p1
+%patch0002 -p1
+
 %build
 autoreconf -ivf
 %configure \
@@ -272,6 +277,9 @@ fi
 %postun client -p /sbin/ldconfig
 %changelog
+* Thu Mar 17 2011 Stephen Gallagher - 1.5.3-2
+- Resolves: rhbz#683267 - sssd 1.5.1-9 breaks AD authentication
+ +* Fri Mar 11 2011 Stephen Gallagher - 1.5.3-1 - New upstream release 1.5.3 - Support for libldb >= 1.0.0
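Review bot: The new presence assertions in enum_users_send apply only to enumeration, whereas the companion patch 0001 applied the equivalent group rule to both enum_groups_send and the single-entry lookup groups_get_send; if users_get_send in ldap_id.c builds its filter the same way as groups_get_send — it is not visible here — it presumably needs the same `(%s=*)` tests for SDAP_AT_USER_NAME, SDAP_AT_USER_UID and SDAP_AT_USER_GID, otherwise a user that enumeration skips could still resolve by direct lookup and the two views of the directory would disagree. The policy itself lives only in the commit message; a one-line comment above the first talloc_asprintf, `/* Require name, UID and GID: users without all three are ignored */`, would keep it with the code. As with the group filters, a presence test also excludes users whose attribute is present but unreadable under the bind identity's ACLs, so that is worth a mention in the same comment. enum_users_send starts and ends outside the hunk.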