IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ipa-kdb: simplify trusted domain parent search

Browse Source 
In terms of cross-forest trust parent domain is the root domain of
the forest because we only have trust established with the forest root.

In FreeIPA LDAP store all sub-domains stored in cn=<forest root>,
cn=ad,cn=trusts,... subtree. Thus, a first RDN after cn=ad is the
forest root domain. This allows us to simplify logic of finding
the parent domain.

For complex hierachical forests with more than two levels of
sub-domains, this will still be true because of the forest trust:
as forest trust is established to the forest root domain, any
communication to any sub-domain must traverse forest root domain's
domain controller.

Note that SSSD also generated incorrectly CA paths information
for forests with non-hierarchical tree-roots. In such cases
IPA KDC got confused and mistakenly assumed direct trust to the
non-hierarchical tree-root instead of going through the forest
root domain. See https://fedorahosted.org/sssd/ticket/3103 for
details.

Resolves: https://fedorahosted.org/freeipa/ticket/5738
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit is contained in:
Alexander Bokovoy
2016-08-07 21:42:14 +03:00
committed by Martin Babinsky
parent 62be554540
commit a14ebbea89
1 changed files with 14 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
daemons/ipa-kdb/ipa_kdb_mspac.c
View File

@@ -2429,6 +2429,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
char *base = NULL; char *base = NULL;
char *dnstr = NULL; char *dnstr = NULL;
char *dnl = NULL; char *dnl = NULL;
LDAPDN dn = NULL;
char **sid_blacklist_incoming = NULL; char **sid_blacklist_incoming = NULL;
char **sid_blacklist_outgoing = NULL; char **sid_blacklist_outgoing = NULL;
int ret, n, i; int ret, n, i;
@@ -2556,25 +2557,25 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
goto done; goto done;
} }
/* Note that after ldap_str2rdn() call dnl will point to end of one RDN
* which would be '\0' for trust root domain and ',' for subdomain */
dnl--; dnl[0] = '\0'; dnl--; dnl[0] = '\0';
ret = ldap_str2rdn(dnstr, &rdn, &dnl, LDAP_DN_FORMAT_LDAPV3); /* Create a DN, which is now everything before the base,
* to get list of rdn values -- the last one would be a root domain.
* Since with cross-forest trust we have to route everything via root
* domain, that is enough for us to assign parentship. */
ret = ldap_str2dn(dnstr, &dn, LDAP_DN_FORMAT_LDAPV3);
if (ret) { if (ret) {
goto done; goto done;
} }
ldap_rdnfree(rdn); rdn = NULL;
for (i = 0; dn[i] != NULL; i++) {
if (dnl[0] != '\0') { rdn = dn[i];
dnl++;
ret = ldap_str2rdn(dnl, &rdn, &dnl, LDAP_DN_FORMAT_LDAPV3);
if (ret) {
goto done;
} }
/* We should have a single AVA in the domain RDN */
t[n].parent_name = strndup(rdn[0]->la_value.bv_val, rdn[0]->la_value.bv_len); t[n].parent_name = strndup(rdn[0]->la_value.bv_val, rdn[0]->la_value.bv_len);
ldap_rdnfree(rdn);
} ldap_dnfree(dn);
free(dnstr); free(dnstr);
dnstr = NULL; dnstr = NULL;