AD: Ignore Foreign Security Principals in groups #7596
Closed
Commits (6):
3637db8 Nested groups: Handle Foreign Security Principals correctly (i.e. ign… (ondrejv2)
10348f7 Merge branch 'SSSD:master' into references (ondrejv2)
6afcc0b Precision FSP detection update (optional) (ondrejv2)
ad457a9 AD: Detect and ignore (for now) Foreign Security Principals (ondrejv2)
21e3b85 Merge branch 'SSSD:master' into references (ondrejv2)
d27446b Merge branch 'SSSD:master' into references (ondrejv2)
Hi,
why is it needed to remove the map here?
I think this approach is good as well, but you are doing too many shortcuts with this patch.
Imo it would be better to handle the FSPs in sdap_nested_group_lookup_unknown_send()/recv() by adding a dedicated sdap_nested_group_lookup_fsp_send()/recv() request to handle FSPs in the same way as plain user and group members.

bye,
Sumit
Hi,
We can't use maps for ldapsearch with multiple object classes in the filter due to a design limitation. I wanted to use a single ldap search when detecting FSPs/users. To me it's unnecessary to introduce another sdap_nested_group_lookup_fsp_send()/recv() as it would mean another pointless ldapsearch. Since we only require member uid at this stage, there is no real need for maps and we can squeeze both searches into a single one.

Ondrej
Hi,
I see your point. But following this thought would mean to refactor sdap_nested_group_lookup_unknown_send()/recv() to only send a single ldapsearch which would allow all objectclasses (or at least user, group and fsp) and determine the type of the results based on the objectclass. What do you think?

bye,
Sumit
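The single-search approach Sumit describes, deciding the member type from the returned objectClass values, can be sketched without any SSSD internals. The following is an added example written for this thread, not code from SSSD or from this PR: the names (member_type, classify_member, dn_in_fsp_container, classify_sample), the entry struct and the sample entries are constructed for the illustration. It assumes the well-known AD container CN=ForeignSecurityPrincipals as the FSP location, and goes slightly beyond the thread by also accepting an entry as an FSP when its DN sits directly under that container (the kind of "precision" check the commit list hints at) and by honouring backslash-escaped commas in DNs when finding the parent container.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stddef.h>

/* Added example, not SSSD code: classify a nested-group member from a single
 * unmapped LDAP search by its objectClass values (and, for FSPs, by its DN). */

enum member_type { MEMBER_UNKNOWN = 0, MEMBER_USER, MEMBER_GROUP, MEMBER_FSP };

/* Constructed stand-in for one search result entry; real code would read
 * these values out of the LDAP message. */
struct entry {
    const char *dn;
    const char *object_class[8];   /* NULL-terminated list of objectClass values */
};

/* Well-known AD container for Foreign Security Principals (assumed location). */
static const char FSP_CONTAINER_RDN[] = "CN=ForeignSecurityPrincipals,";

/* First unescaped ',' in a DN, or NULL. A '\' escapes the next character, so
 * "CN=Doe\, John,CN=Users,..." splits after "John", not after "Doe". */
static const char *dn_first_separator(const char *dn)
{
    for (const char *p = dn; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') { p++; continue; }
        if (*p == ',') return p;
    }
    return NULL;
}

/* 1 if the DN's parent is the FSP container, 0 otherwise (case-insensitive,
 * tolerating optional spaces after the separating comma). */
int dn_in_fsp_container(const char *dn)
{
    const char *sep = dn_first_separator(dn);
    if (sep == NULL) return 0;
    const char *parent = sep + 1;
    while (*parent == ' ') parent++;
    return strncasecmp(parent, FSP_CONTAINER_RDN, strlen(FSP_CONTAINER_RDN)) == 0;
}

static int has_object_class(const struct entry *e, const char *cls)
{
    for (size_t i = 0; i < 8 && e->object_class[i] != NULL; i++)
        if (strcasecmp(e->object_class[i], cls) == 0) return 1;
    return 0;
}

/* Decide the member type. FSPs are checked first so that a foreign SID
 * entry is never mistaken for a local user or group; note that AD computer
 * objects also carry objectClass "user" and would classify as users here. */
enum member_type classify_member(const struct entry *e)
{
    if (has_object_class(e, "foreignSecurityPrincipal") || dn_in_fsp_container(e->dn))
        return MEMBER_FSP;
    if (has_object_class(e, "group"))
        return MEMBER_GROUP;
    if (has_object_class(e, "user"))
        return MEMBER_USER;
    return MEMBER_UNKNOWN;
}

/* Constructed sample results, as a nested-group member lookup might return. */
static const struct entry samples[] = {
    { "CN=alice,CN=Users,DC=example,DC=com",
      { "top", "person", "organizationalPerson", "user", NULL } },
    { "CN=admins,CN=Users,DC=example,DC=com",
      { "top", "group", NULL } },
    { "CN=S-1-5-21-1-2-3-1234,CN=ForeignSecurityPrincipals,DC=example,DC=com",
      { "top", "foreignSecurityPrincipal", NULL } },
    { "CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=example,DC=com",
      { "top", NULL } },                       /* objectClass missing: DN decides */
    { "CN=printer,OU=Devices,DC=example,DC=com",
      { "top", "device", NULL } },             /* neither user, group nor FSP */
};

enum member_type classify_sample(size_t i)
{
    if (i >= sizeof(samples) / sizeof(samples[0])) return MEMBER_UNKNOWN;
    return classify_member(&samples[i]);
}

int main(void)
{
    static const char *names[] = { "unknown", "user", "group", "fsp" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-72s -> %s\n", samples[i].dn, names[classify_sample(i)]);
    return 0;
}
```

The point of the FSP-first ordering is defensive: an FSP carries a SID from another forest and has no usable uid, so if it ever fell through to the user branch the group would acquire a bogus member; classifying it explicitly lets the caller skip (or later resolve) it on purpose rather than by accident.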
Hi,
Well, yes, that would be an ideal case (as the current code is a bit "cumbersome") yes.
The problem is that in order to search for all objectclasses we need to use an unmapped search (I've mentioned this in a different PR).
Using an unmapped search means sdap_parse_entry() will not map entries for us so we gotta do it manually. Now I did it for the user objectclass as it's not a big deal (single attr uid), but not sure what we need for group objectclasses.

Ondrej
Hi,
you can just request all attributes and run sdap_parse_entry() after the type is known based on the objectclass. There is an example how it can be done in sdap_asq_search_parse_entry().

bye,
Sumit
I see, but sdap_parse_entry() needs an sdap_msg parameter, where do I get it from group_ctx?
Hi,
instead of using sdap_get_generic_send() you can use sdap_get_generic_ext_send() and add your own parser as a callback. This callback will receive sdap_msg.

HTH

bye,
Sumit
Hi,
Sorry, that's a bit too complex for me. Can you suggest suitable code? I can't figure it out myself.
Ideally I would like to parse attributes in sdap_nested_group_lookup_unknown_recv() if that's possible. Namely I need a better replacement of this snippet:
Once I have the parsing done, then I could possibly do the rest myself.
Thanks.

Ondrej