IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT

Browse Source 
A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to
remove the searched object from the cache. As a consequence
LDAP_NO_SUCH_OBJECT should only be returned if the object really does
not exists otherwise the data of existing objects might be removed form
the cache of the clients causing unexpected behaviour like
authentication errors.

Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code.
With this patch LDAP_NO_SUCH_OBJECT is only returned if the related
lookup functions return ENOENT. Timeout related error code will lead to
LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default
error code.

Fixes: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Sumit Bose
2019-06-14 11:13:54 +02:00
committed by Alexander Bokovoy
parent 076d955b93
commit 9fe984fed7
3 changed files with 61 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c
View File

@@ -62,10 +62,10 @@ static enum nss_status __convert_sss_nss2nss_status(int errcode) {
return NSS_STATUS_SUCCESS; return NSS_STATUS_SUCCESS;
case ENOENT: case ENOENT:
return NSS_STATUS_NOTFOUND; return NSS_STATUS_NOTFOUND;
case ETIME:
/* fall-through */
case ERANGE: case ERANGE:
return NSS_STATUS_TRYAGAIN; return NSS_STATUS_TRYAGAIN;
case ETIME:
/* fall-through */
case ETIMEDOUT: case ETIMEDOUT:
/* fall-through */ /* fall-through */
default: default:

77
daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
View File

@@ -523,7 +523,7 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
if (strcasecmp(locat+1, domain_name) == 0 ) { if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0'; locat[0] = '\0';
} else { } else {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_INVALID_SYNTAX;
goto done; goto done;
} }
} }
@@ -568,10 +568,12 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
ret = getgrgid_r_wrapper(ctx, ret = getgrgid_r_wrapper(ctx,
groups[c], &grp, &buf, &buf_len); groups[c], &grp, &buf, &buf_len);
if (ret != 0) { if (ret != 0) {
if (ret == ENOMEM || ret == ERANGE) { if (ret == ENOENT) {
ret = LDAP_OPERATIONS_ERROR;
} else {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
ret = LDAP_OPERATIONS_ERROR;
} }
goto done; goto done;
} }
@@ -634,7 +636,7 @@ int pack_ber_group(enum response_types response_type,
if (strcasecmp(locat+1, domain_name) == 0 ) { if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0'; locat[0] = '\0';
} else { } else {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_INVALID_SYNTAX;
goto done; goto done;
} }
} }
@@ -836,6 +838,8 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx,
|| id_type == SSS_ID_TYPE_BOTH)) { || id_type == SSS_ID_TYPE_BOTH)) {
if (ret == ENOENT) { if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else { } else {
set_err_msg(req, "Failed to lookup SID by UID"); set_err_msg(req, "Failed to lookup SID by UID");
ret = LDAP_OPERATIONS_ERROR; ret = LDAP_OPERATIONS_ERROR;
@@ -847,10 +851,12 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx,
} else { } else {
ret = getpwuid_r_wrapper(ctx, uid, &pwd, &buf, &buf_len); ret = getpwuid_r_wrapper(ctx, uid, &pwd, &buf, &buf_len);
if (ret != 0) { if (ret != 0) {
if (ret == ENOMEM || ret == ERANGE) { if (ret == ENOENT) {
ret = LDAP_OPERATIONS_ERROR;
} else {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
ret = LDAP_OPERATIONS_ERROR;
} }
goto done; goto done;
} }
@@ -862,6 +868,8 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx,
set_err_msg(req, "Failed to read original data"); set_err_msg(req, "Failed to read original data");
if (ret == ENOENT) { if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else { } else {
ret = LDAP_OPERATIONS_ERROR; ret = LDAP_OPERATIONS_ERROR;
} }
@@ -907,6 +915,8 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx,
if (ret != 0 || id_type != SSS_ID_TYPE_GID) { if (ret != 0 || id_type != SSS_ID_TYPE_GID) {
if (ret == ENOENT) { if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else { } else {
set_err_msg(req, "Failed to lookup SID by GID"); set_err_msg(req, "Failed to lookup SID by GID");
ret = LDAP_OPERATIONS_ERROR; ret = LDAP_OPERATIONS_ERROR;
@@ -918,10 +928,12 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx,
} else { } else {
ret = getgrgid_r_wrapper(ctx, gid, &grp, &buf, &buf_len); ret = getgrgid_r_wrapper(ctx, gid, &grp, &buf, &buf_len);
if (ret != 0) { if (ret != 0) {
if (ret == ENOMEM || ret == ERANGE) { if (ret == ENOENT) {
ret = LDAP_OPERATIONS_ERROR;
} else {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
ret = LDAP_OPERATIONS_ERROR;
} }
goto done; goto done;
} }
@@ -933,6 +945,8 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx,
set_err_msg(req, "Failed to read original data"); set_err_msg(req, "Failed to read original data");
if (ret == ENOENT) { if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else { } else {
ret = LDAP_OPERATIONS_ERROR; ret = LDAP_OPERATIONS_ERROR;
} }
@@ -976,6 +990,8 @@ static int handle_cert_request(struct ipa_extdom_ctx *ctx,
if (ret != 0) { if (ret != 0) {
if (ret == ENOENT) { if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else { } else {
set_err_msg(req, "Failed to lookup name by certificate"); set_err_msg(req, "Failed to lookup name by certificate");
ret = LDAP_OPERATIONS_ERROR; ret = LDAP_OPERATIONS_ERROR;
@@ -1020,6 +1036,8 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx,
if (ret != 0) { if (ret != 0) {
if (ret == ENOENT) { if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else { } else {
set_err_msg(req, "Failed to lookup name by SID"); set_err_msg(req, "Failed to lookup name by SID");
ret = LDAP_OPERATIONS_ERROR; ret = LDAP_OPERATIONS_ERROR;
@@ -1057,10 +1075,12 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx,
case SSS_ID_TYPE_BOTH: case SSS_ID_TYPE_BOTH:
ret = getpwnam_r_wrapper(ctx, fq_name, &pwd, &buf, &buf_len); ret = getpwnam_r_wrapper(ctx, fq_name, &pwd, &buf, &buf_len);
if (ret != 0) { if (ret != 0) {
if (ret == ENOMEM || ret == ERANGE) { if (ret == ENOENT) {
ret = LDAP_OPERATIONS_ERROR;
} else {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
ret = LDAP_OPERATIONS_ERROR;
} }
goto done; goto done;
} }
@@ -1072,6 +1092,8 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx,
set_err_msg(req, "Failed to read original data"); set_err_msg(req, "Failed to read original data");
if (ret == ENOENT) { if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else { } else {
ret = LDAP_OPERATIONS_ERROR; ret = LDAP_OPERATIONS_ERROR;
} }
@@ -1089,10 +1111,12 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx,
case SSS_ID_TYPE_GID: case SSS_ID_TYPE_GID:
ret = getgrnam_r_wrapper(ctx, fq_name, &grp, &buf, &buf_len); ret = getgrnam_r_wrapper(ctx, fq_name, &grp, &buf, &buf_len);
if (ret != 0) { if (ret != 0) {
if (ret == ENOMEM || ret == ERANGE) { if (ret == ENOENT) {
ret = LDAP_OPERATIONS_ERROR;
} else {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
ret = LDAP_OPERATIONS_ERROR;
} }
goto done; goto done;
} }
@@ -1104,6 +1128,8 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx,
set_err_msg(req, "Failed to read original data"); set_err_msg(req, "Failed to read original data");
if (ret == ENOENT) { if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else { } else {
ret = LDAP_OPERATIONS_ERROR; ret = LDAP_OPERATIONS_ERROR;
} }
@@ -1167,6 +1193,8 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx,
if (ret != 0) { if (ret != 0) {
if (ret == ENOENT) { if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else { } else {
set_err_msg(req, "Failed to lookup SID by name"); set_err_msg(req, "Failed to lookup SID by name");
ret = LDAP_OPERATIONS_ERROR; ret = LDAP_OPERATIONS_ERROR;
@@ -1190,6 +1218,8 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx,
set_err_msg(req, "Failed to read original data"); set_err_msg(req, "Failed to read original data");
if (ret == ENOENT) { if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else { } else {
ret = LDAP_OPERATIONS_ERROR; ret = LDAP_OPERATIONS_ERROR;
} }
@@ -1205,6 +1235,9 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx,
} else if (ret == ENOMEM || ret == ERANGE) { } else if (ret == ENOMEM || ret == ERANGE) {
ret = LDAP_OPERATIONS_ERROR; ret = LDAP_OPERATIONS_ERROR;
goto done; goto done;
} else if (ret == ETIMEDOUT) {
ret = LDAP_TIMELIMIT_EXCEEDED;
goto done;
} else { /* no user entry found */ } else { /* no user entry found */
/* according to the getpwnam() man page there are a couple of /* according to the getpwnam() man page there are a couple of
* error codes which can indicate that the user was not found. To * error codes which can indicate that the user was not found. To
@@ -1212,10 +1245,12 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx,
* errors. */ * errors. */
ret = getgrnam_r_wrapper(ctx, fq_name, &grp, &buf, &buf_len); ret = getgrnam_r_wrapper(ctx, fq_name, &grp, &buf, &buf_len);
if (ret != 0) { if (ret != 0) {
if (ret == ENOMEM || ret == ERANGE) { if (ret == ENOENT) {
ret = LDAP_OPERATIONS_ERROR;
} else {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
ret = LDAP_OPERATIONS_ERROR;
} }
goto done; goto done;
} }
@@ -1226,6 +1261,8 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx,
|| id_type == SSS_ID_TYPE_BOTH)) { || id_type == SSS_ID_TYPE_BOTH)) {
if (ret == ENOENT) { if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT; ret = LDAP_NO_SUCH_OBJECT;
} else if (ret == ETIMEDOUT || ret == ETIME) {
ret = LDAP_TIMELIMIT_EXCEEDED;
} else { } else {
set_err_msg(req, "Failed to read original data"); set_err_msg(req, "Failed to read original data");
ret = LDAP_OPERATIONS_ERROR; ret = LDAP_OPERATIONS_ERROR;

2
daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
View File

@@ -242,6 +242,8 @@ static int ipa_extdom_extop(Slapi_PBlock *pb)
if (ret != LDAP_SUCCESS) { if (ret != LDAP_SUCCESS) {
if (ret == LDAP_NO_SUCH_OBJECT) { if (ret == LDAP_NO_SUCH_OBJECT) {
rc = LDAP_NO_SUCH_OBJECT; rc = LDAP_NO_SUCH_OBJECT;
} else if (ret == LDAP_TIMELIMIT_EXCEEDED) {
rc = LDAP_TIMELIMIT_EXCEEDED;
} else { } else {
rc = LDAP_OPERATIONS_ERROR; rc = LDAP_OPERATIONS_ERROR;
err_msg = "Failed to handle the request.\n"; err_msg = "Failed to handle the request.\n";