ldap group fixes

Review Request #2501 — Created Jan. 28, 2020 and submitted

jbk
illumos-gate
12236, 12240
general

Fixes using DNs to enumerate posixGroup membership for non-AD LDAP servers

Prior to fixes, ldap groups did not show up, and did not list any secondary members. With the fix, groups now show up and list members correctly.

citrus
  1. Ship It!
mbarden
  1. usr/src/lib/libsldap/common/ns_reads.c (Diff revision 1)

    Could you explain the use of UIDFILTER here? Previously, this would have been _NIS_FILTER ("nisdomain=*") when used in find_domainname. What's the goal of the change? Is it to restrict results to those with a 'uid' field defined?
    
    Additionally, UIDFILTER is "(&(objectclass=posixAccount)(uid=%s))". Is the %s getting filled in implicitly somewhere? __ns_ldap_uid2dn() has to fill it in manually.
jbk
  1. usr/src/lib/libsldap/common/ns_reads.c (Diff revision 1)

    This should be strdup(dn_data->lkd_filter). In the end it turns out it's not used -- the only thing that uses the ns_ldap_search_desc_t->filter is __s_api_merge_SSD_filter() which uses the SSD filter to set ns_ldap_cookie_t->i_filter in __ns_ldap_list() as the search state machine iterates through . Since __ns_ldap_list() isn't used, __s_api_merge_SSD_filter() isn't called, and the field is not touched.

    It also doesn't make much semantic sense since SSDs are used to search multiple locations, and in this case we aren't really searching -- we're retrieving a specific entry. However, the original find_domainname does set the filter field, so I meant to do the same (even if it's not used). I will post an update shortly with the fixed version.
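
Added example, not part of the review or of libsldap: the UIDFILTER template quoted above is only a format string, so a caller has to expand the %s itself and, like the strdup() copy discussed in the reply, hand back a heap string the caller owns. The sketch goes one step beyond the thread by escaping the value per RFC 4515 before substitution; `filter_escape`, `build_uid_filter` and the sample uid are hypothetical names and constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Filter template as quoted in the review. */
#define	UIDFILTER	"(&(objectclass=posixAccount)(uid=%s))"
/* RFC 4515: '*', '(', ')' and '\' in a filter value become \XX (hex). */
static char *filter_escape(const char *in)
{
	static const char hex[] = "0123456789abcdef";
	char *out = malloc(strlen(in) * 3 + 1);	/* worst case: all escaped */
	char *p = out;
	if (out == NULL)
		return (NULL);
	for (; *in != '\0'; in++) {
		unsigned char c = (unsigned char)*in;
		if (c == '*' || c == '(' || c == ')' || c == '\\') {
			*p++ = '\\';
			*p++ = hex[c >> 4];
			*p++ = hex[c & 0xf];
		} else {
			*p++ = (char)c;
		}
	}
	*p = '\0';
	return (out);
}

/* Hypothetical helper, not a libsldap function. Caller must free(). */
char *build_uid_filter(const char *uid)
{
	char *esc, *filter = NULL;
	int len;
	if (uid == NULL || (esc = filter_escape(uid)) == NULL)
		return (NULL);
	len = snprintf(NULL, 0, UIDFILTER, esc);	/* size the result */
	if (len >= 0 && (filter = malloc((size_t)len + 1)) != NULL)
		(void) snprintf(filter, (size_t)len + 1, UIDFILTER, esc);
	free(esc);
	return (filter);
}

int main(void)
{
	char *f = build_uid_filter("jdoe*");	/* constructed sample uid */
	puts(f != NULL ? f : "(allocation failed)");
	free(f);
	return (0);
}
```

Without the escaping step, a uid containing `*` or `)` would change the shape of the search filter instead of being matched literally.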

jbk
mbarden
  1. Ship It!
jbk
Review request changed

Status: Closed (submitted)
