From 4e8781975d539f872e061c751c518eb6cf3529ad Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Jul 21 2017 14:31:34 +0000 Subject: 4.5.3-1: Update to upstream 4.5.3 Signed-off-by: Tomas Krizek --- diff --git a/.gitignore b/.gitignore index 1fe60ea..5c67b0c 100644 --- a/.gitignore +++ b/.gitignore @@ -53,3 +53,5 @@ /freeipa-4.5.1.tar.gz.asc /freeipa-4.5.2.tar.gz /freeipa-4.5.2.tar.gz.asc +/freeipa-4.5.3.tar.gz +/freeipa-4.5.3.tar.gz.asc diff --git a/0002-Fix-IP-Address-Checks.patch b/0002-Fix-IP-Address-Checks.patch deleted file mode 100644 index 97d3f84..0000000 --- a/0002-Fix-IP-Address-Checks.patch +++ /dev/null @@ -1,532 +0,0 @@ -From d010191d170c0ebb5f46bac2fc528f788e8ffc41 Mon Sep 17 00:00:00 2001 -From: Martin Basti -Date: Tue, 13 Jun 2017 17:03:30 +0200 -Subject: [PATCH 1/7] Fix local IP address validation - -Previously bf9886a84393d1d1546db7e49b102e08a16a83e7 match_local has -undesirable side effect that CheckedIPAddress object has set self._net -from local interface. - -However with the recent changes, match_local is usually set to False, -thus this side effect stops happening and default mask per address class -is used. This causes validation error because mask on interface and mask -used for provided IP addresses differ (reporducible only with classless -masks). - -FreeIPA should compare only IP addresses with local addresses without masks - -https://pagure.io/freeipa/issue/4317 - -Reviewed-By: David Kupka ---- - ipapython/ipautil.py | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py -index a277ed8..647ee83 100644 ---- a/ipapython/ipautil.py -+++ b/ipapython/ipautil.py -@@ -216,10 +216,10 @@ class CheckedIPAddress(UnsafeIPAddress): - addr=ifaddr, - netmask=ifdata['netmask'] - )) -- if ifnet == self._net or ( -- self._net is None and ifnet.ip == self): -- self._net = ifnet -+ -+ if ifnet.ip == self: - iface = interface -+ self._net = ifnet - break - - return iface --- -2.9.4 - - -From 4d06f0c52200a4345db36dae3fdbc178f18f2f01 Mon Sep 17 00:00:00 2001 -From: Martin Basti -Date: Wed, 14 Jun 2017 14:45:03 +0200 -Subject: [PATCH 2/7] ipa-dns-install: remove check for local ip address - -This check was forgotten and will be removed now. - -https://pagure.io/freeipa/issue/4317 - -Reviewed-By: David Kupka ---- - install/tools/ipa-dns-install | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install -index 5bd0ba6..cb6c5d8 100755 ---- a/install/tools/ipa-dns-install -+++ b/install/tools/ipa-dns-install -@@ -47,7 +47,9 @@ def parse_options(): - default=False, help="print debugging information") - parser.add_option("--ip-address", dest="ip_addresses", metavar="IP_ADDRESS", - default=[], action="append", -- type="ip", ip_local=True, help="Master Server IP Address. This option can be used multiple times") -+ type="ip", -+ help="Master Server IP Address. This option can be used " -+ "multiple times") - parser.add_option("--forwarder", dest="forwarders", action="append", - type="ip", help="Add a DNS forwarder. This option can be used multiple times") - parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true", --- -2.9.4 - - -From 0aa0041149f359f1954409baf886d4b31fdadc16 Mon Sep 17 00:00:00 2001 -From: Martin Basti -Date: Wed, 14 Jun 2017 14:47:23 +0200 -Subject: [PATCH 3/7] refactor CheckedIPAddress class - -Make methods without side effects (setting mask) - -https://pagure.io/freeipa/issue/4317 - -Reviewed-By: David Kupka ---- - ipapython/ipautil.py | 29 ++++++++++++++++++++++------- - 1 file changed, 22 insertions(+), 7 deletions(-) - -diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py -index 647ee83..2c020e3 100644 ---- a/ipapython/ipautil.py -+++ b/ipapython/ipautil.py -@@ -62,6 +62,12 @@ PROTOCOL_NAMES = { - socket.SOCK_DGRAM: 'udp' - } - -+InterfaceDetails = collections.namedtuple( -+ 'InterfaceDetails', [ -+ 'name', # interface name -+ 'ifnet' # network details of interface -+ ]) -+ - - class UnsafeIPAddress(netaddr.IPAddress): - """Any valid IP address with or without netmask.""" -@@ -161,9 +167,12 @@ class CheckedIPAddress(UnsafeIPAddress): - raise ValueError("cannot use multicast IP address {}".format(addr)) - - if match_local: -- if not self.get_matching_interface(): -+ intf_details = self.get_matching_interface() -+ if not intf_details: - raise ValueError('no network interface matches the IP address ' - 'and netmask {}'.format(addr)) -+ else: -+ self.set_ip_net(intf_details.ifnet) - - if self._net is None: - if self.version == 4: -@@ -193,7 +202,8 @@ class CheckedIPAddress(UnsafeIPAddress): - - def get_matching_interface(self): - """Find matching local interface for address -- :return: Interface name or None if no interface has this address -+ :return: InterfaceDetails named tuple or None if no interface has -+ this address - """ - if self.version == 4: - family = netifaces.AF_INET -@@ -204,7 +214,6 @@ class CheckedIPAddress(UnsafeIPAddress): - "Unsupported address family ({})".format(self.version) - ) - -- iface = None - for interface in netifaces.interfaces(): - for ifdata in netifaces.ifaddresses(interface).get(family, []): - -@@ -218,11 +227,17 @@ class CheckedIPAddress(UnsafeIPAddress): - )) - - if ifnet.ip == self: -- iface = interface -- self._net = ifnet -- break -+ return InterfaceDetails(interface, ifnet) - -- return iface -+ def set_ip_net(self, ifnet): -+ """Set IP Network details for this address. IPNetwork is valid only -+ locally, so this should be set only for local IP addresses -+ -+ :param ifnet: netaddr.IPNetwork object with information about IP -+ network where particula address belongs locally -+ """ -+ assert isinstance(ifnet, netaddr.IPNetwork) -+ self._net = ifnet - - - def valid_ip(addr): --- -2.9.4 - - -From 9a924dd8cc27507a70f4ec5020d97417e149e350 Mon Sep 17 00:00:00 2001 -From: Martin Basti -Date: Wed, 14 Jun 2017 14:54:43 +0200 -Subject: [PATCH 4/7] CheckedIPAddress: remove match_local param - -This parameter is unused in code. We are no longer testing if IP address -matches an interface in constructor. - -https://pagure.io/freeipa/issue/4317 - -Reviewed-By: David Kupka ---- - ipapython/config.py | 5 ++--- - ipapython/ipautil.py | 10 +--------- - ipaserver/install/installutils.py | 2 +- - ipaserver/plugins/dns.py | 4 ++-- - ipaserver/plugins/host.py | 2 +- - ipatests/test_ipapython/test_ipautil.py | 3 +-- - 6 files changed, 8 insertions(+), 18 deletions(-) - -diff --git a/ipapython/config.py b/ipapython/config.py -index 9db2dcd..6349892 100644 ---- a/ipapython/config.py -+++ b/ipapython/config.py -@@ -68,10 +68,9 @@ class IPAFormatter(IndentedHelpFormatter): - def check_ip_option(option, opt, value): - from ipapython.ipautil import CheckedIPAddress - -- ip_local = option.ip_local is True - ip_netmask = option.ip_netmask is True - try: -- return CheckedIPAddress(value, parse_netmask=ip_netmask, match_local=ip_local) -+ return CheckedIPAddress(value, parse_netmask=ip_netmask) - except Exception as e: - raise OptionValueError("option %s: invalid IP address %s: %s" % (opt, value, e)) - -@@ -86,7 +85,7 @@ class IPAOption(Option): - optparse.Option subclass with support of options labeled as - security-sensitive such as passwords. - """ -- ATTRS = Option.ATTRS + ["sensitive", "ip_local", "ip_netmask"] -+ ATTRS = Option.ATTRS + ["sensitive", "ip_netmask"] - TYPES = Option.TYPES + ("ip", "dn") - TYPE_CHECKER = copy(Option.TYPE_CHECKER) - TYPE_CHECKER["ip"] = check_ip_option -diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py -index 2c020e3..5a6bf5a 100644 ---- a/ipapython/ipautil.py -+++ b/ipapython/ipautil.py -@@ -135,7 +135,7 @@ class CheckedIPAddress(UnsafeIPAddress): - - Reserved or link-local addresses are never accepted. - """ -- def __init__(self, addr, match_local=False, parse_netmask=True, -+ def __init__(self, addr, parse_netmask=True, - allow_loopback=False, allow_multicast=False): - try: - super(CheckedIPAddress, self).__init__(addr) -@@ -166,14 +166,6 @@ class CheckedIPAddress(UnsafeIPAddress): - if not allow_multicast and self.is_multicast(): - raise ValueError("cannot use multicast IP address {}".format(addr)) - -- if match_local: -- intf_details = self.get_matching_interface() -- if not intf_details: -- raise ValueError('no network interface matches the IP address ' -- 'and netmask {}'.format(addr)) -- else: -- self.set_ip_net(intf_details.ifnet) -- - if self._net is None: - if self.version == 4: - self._net = netaddr.IPNetwork( -diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py -index 3521d55..01930c4 100644 ---- a/ipaserver/install/installutils.py -+++ b/ipaserver/install/installutils.py -@@ -585,7 +585,7 @@ def get_server_ip_address(host_name, unattended, setup_dns, ip_addresses): - if len(hostaddr): - for ha in hostaddr: - try: -- ips.append(ipautil.CheckedIPAddress(ha, match_local=False)) -+ ips.append(ipautil.CheckedIPAddress(ha)) - except ValueError as e: - root_logger.warning("Invalid IP address %s for %s: %s", ha, host_name, unicode(e)) - -diff --git a/ipaserver/plugins/dns.py b/ipaserver/plugins/dns.py -index f0e6c48..f01baf5 100644 ---- a/ipaserver/plugins/dns.py -+++ b/ipaserver/plugins/dns.py -@@ -567,7 +567,7 @@ def add_records_for_host_validation(option_name, host, domain, ip_addresses, che - for ip_address in ip_addresses: - try: - ip = CheckedIPAddress( -- ip_address, match_local=False, allow_multicast=True) -+ ip_address, allow_multicast=True) - except Exception as e: - raise errors.ValidationError(name=option_name, error=unicode(e)) - -@@ -599,7 +599,7 @@ def add_records_for_host(host, domain, ip_addresses, add_forward=True, add_rever - - for ip_address in ip_addresses: - ip = CheckedIPAddress( -- ip_address, match_local=False, allow_multicast=True) -+ ip_address, allow_multicast=True) - - if add_forward: - add_forward_record(domain, host, unicode(ip)) -diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py -index 1e1f9d8..364e5be 100644 ---- a/ipaserver/plugins/host.py -+++ b/ipaserver/plugins/host.py -@@ -245,7 +245,7 @@ def validate_ipaddr(ugettext, ipaddr): - Verify that we have either an IPv4 or IPv6 address. - """ - try: -- CheckedIPAddress(ipaddr, match_local=False) -+ CheckedIPAddress(ipaddr) - except Exception as e: - return unicode(e) - return None -diff --git a/ipatests/test_ipapython/test_ipautil.py b/ipatests/test_ipapython/test_ipautil.py -index 6427935..9c351bd 100644 ---- a/ipatests/test_ipapython/test_ipautil.py -+++ b/ipatests/test_ipapython/test_ipautil.py -@@ -30,11 +30,10 @@ from ipapython import ipautil - - pytestmark = pytest.mark.tier0 - -- - def make_ipaddress_checker(addr, words=None, prefixlen=None): - def check_ipaddress(): - try: -- ip = ipautil.CheckedIPAddress(addr, match_local=False) -+ ip = ipautil.CheckedIPAddress(addr) - assert ip.words == words and ip.prefixlen == prefixlen - except Exception: - assert words is None and prefixlen is None --- -2.9.4 - - -From 217905a20071b55b50568e8fbb36a8ecde974432 Mon Sep 17 00:00:00 2001 -From: Martin Basti -Date: Wed, 14 Jun 2017 15:02:21 +0200 -Subject: [PATCH 5/7] Remove ip_netmask from option parser - -ipa-dns-install uses ip_netmask=False --> parse_netmask=False, other installers uses default (parse_netmask=True). -Use this consistent accross all installers. - -Also this option is unused (and shouldn't be used). - -https://pagure.io/freeipa/issue/4317 - -Reviewed-By: David Kupka ---- - ipapython/config.py | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/ipapython/config.py b/ipapython/config.py -index 6349892..19abfc5 100644 ---- a/ipapython/config.py -+++ b/ipapython/config.py -@@ -68,9 +68,8 @@ class IPAFormatter(IndentedHelpFormatter): - def check_ip_option(option, opt, value): - from ipapython.ipautil import CheckedIPAddress - -- ip_netmask = option.ip_netmask is True - try: -- return CheckedIPAddress(value, parse_netmask=ip_netmask) -+ return CheckedIPAddress(value) - except Exception as e: - raise OptionValueError("option %s: invalid IP address %s: %s" % (opt, value, e)) - -@@ -85,7 +84,7 @@ class IPAOption(Option): - optparse.Option subclass with support of options labeled as - security-sensitive such as passwords. - """ -- ATTRS = Option.ATTRS + ["sensitive", "ip_netmask"] -+ ATTRS = Option.ATTRS + ["sensitive"] - TYPES = Option.TYPES + ("ip", "dn") - TYPE_CHECKER = copy(Option.TYPE_CHECKER) - TYPE_CHECKER["ip"] = check_ip_option --- -2.9.4 - - -From 93ef10292ca674842c79da0dab6de6fb63261881 Mon Sep 17 00:00:00 2001 -From: Martin Basti -Date: Thu, 15 Jun 2017 10:26:03 +0200 -Subject: [PATCH 6/7] replica install: add missing check for non-local IP - address - -Add missing warning for used non-local IP address. - -https://pagure.io/freeipa/issue/4317 - -Reviewed-By: David Kupka ---- - ipaserver/install/server/replicainstall.py | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 6620f02..9e328bf 100644 ---- a/ipaserver/install/server/replicainstall.py -+++ b/ipaserver/install/server/replicainstall.py -@@ -854,6 +854,7 @@ def install_check(installer): - # check addresses here, dns module is doing own check - network_ip_address_warning(config.ips) - broadcast_ip_address_warning(config.ips) -+ no_matching_interface_for_ip_address_warning(config.ips) - - if options.setup_adtrust: - adtrust.install_check(False, options, remote_api) --- -2.9.4 - - -From 1c961161873c37cb29a51baeeed0e782cd4a1d4d Mon Sep 17 00:00:00 2001 -From: Martin Basti -Date: Thu, 15 Jun 2017 10:27:55 +0200 -Subject: [PATCH 7/7] Remove network and broadcast address warnings - -We cannot reliably determine when an IP Address is network or broadcast. -We allowed to use non-local IP addresses due container use cases, we -don't know subnets of used IP addresses. - -https://pagure.io/freeipa/issue/4317 - -Reviewed-By: David Kupka ---- - ipaclient/install/client.py | 4 ---- - ipalib/util.py | 20 -------------------- - ipaserver/install/dns.py | 2 -- - ipaserver/install/server/install.py | 4 ---- - ipaserver/install/server/replicainstall.py | 10 +--------- - 5 files changed, 1 insertion(+), 39 deletions(-) - -diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py -index b0de596..c880613 100644 ---- a/ipaclient/install/client.py -+++ b/ipaclient/install/client.py -@@ -38,8 +38,6 @@ from ipalib.install.kinit import kinit_keytab, kinit_password - from ipalib.install.service import enroll_only, prepare_only - from ipalib.rpc import delete_persistent_client_session_data - from ipalib.util import ( -- broadcast_ip_address_warning, -- network_ip_address_warning, - normalize_hostname, - no_matching_interface_for_ip_address_warning, - verify_host_resolvable, -@@ -1299,8 +1297,6 @@ def update_dns(server, hostname, options): - root_logger.info("Failed to determine this machine's ip address(es).") - return - -- network_ip_address_warning(update_ips) -- broadcast_ip_address_warning(update_ips) - no_matching_interface_for_ip_address_warning(update_ips) - - update_txt = "debug\n" -diff --git a/ipalib/util.py b/ipalib/util.py -index 1bd8495..31e7323 100644 ---- a/ipalib/util.py -+++ b/ipalib/util.py -@@ -1110,26 +1110,6 @@ def check_principal_realm_in_trust_namespace(api_instance, *keys): - 'namespace')) - - --def network_ip_address_warning(addr_list): -- for ip in addr_list: -- if ip.is_network_addr(): -- root_logger.warning("IP address %s might be network address", ip) -- # fixme: once when loggers will be fixed, we can remove this -- # print -- print("WARNING: IP address {} might be network address".format(ip), -- file=sys.stderr) -- -- --def broadcast_ip_address_warning(addr_list): -- for ip in addr_list: -- if ip.is_broadcast_addr(): -- root_logger.warning("IP address %s might be broadcast address", ip) -- # fixme: once when loggers will be fixed, we can remove this -- # print -- print("WARNING: IP address {} might be broadcast address".format( -- ip), file=sys.stderr) -- -- - def no_matching_interface_for_ip_address_warning(addr_list): - for ip in addr_list: - if not ip.get_matching_interface(): -diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py -index 090b794..1c1aac0 100644 ---- a/ipaserver/install/dns.py -+++ b/ipaserver/install/dns.py -@@ -264,8 +264,6 @@ def install_check(standalone, api, replica, options, hostname): - ip_addresses = get_server_ip_address(hostname, options.unattended, - True, options.ip_addresses) - -- util.network_ip_address_warning(ip_addresses) -- util.broadcast_ip_address_warning(ip_addresses) - util.no_matching_interface_for_ip_address_warning(ip_addresses) - - if not options.forward_policy: -diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py -index 7eb291e..dced253 100644 ---- a/ipaserver/install/server/install.py -+++ b/ipaserver/install/server/install.py -@@ -27,8 +27,6 @@ from ipalib import api, errors, x509 - from ipalib.constants import DOMAIN_LEVEL_0 - from ipalib.util import ( - validate_domain_name, -- network_ip_address_warning, -- broadcast_ip_address_warning, - no_matching_interface_for_ip_address_warning, - ) - import ipaclient.install.ntpconf -@@ -616,8 +614,6 @@ def install_check(installer): - options.ip_addresses) - - # check addresses here, dns module is doing own check -- network_ip_address_warning(ip_addresses) -- broadcast_ip_address_warning(ip_addresses) - no_matching_interface_for_ip_address_warning(ip_addresses) - - if options.setup_adtrust: -diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 9e328bf..4f28de2 100644 ---- a/ipaserver/install/server/replicainstall.py -+++ b/ipaserver/install/server/replicainstall.py -@@ -32,11 +32,7 @@ from ipaplatform.tasks import tasks - from ipaplatform.paths import paths - from ipalib import api, constants, create_api, errors, rpc, x509 - from ipalib.config import Env --from ipalib.util import ( -- network_ip_address_warning, -- broadcast_ip_address_warning, -- no_matching_interface_for_ip_address_warning, --) -+from ipalib.util import no_matching_interface_for_ip_address_warning - from ipaclient.install.client import configure_krb5_conf, purge_host_keytab - from ipaserver.install import ( - adtrust, bindinstance, ca, certs, dns, dsinstance, httpinstance, -@@ -852,8 +848,6 @@ def install_check(installer): - options.ip_addresses) - - # check addresses here, dns module is doing own check -- network_ip_address_warning(config.ips) -- broadcast_ip_address_warning(config.ips) - no_matching_interface_for_ip_address_warning(config.ips) - - if options.setup_adtrust: -@@ -1285,8 +1279,6 @@ def promote_check(installer): - False, options.ip_addresses) - - # check addresses here, dns module is doing own check -- network_ip_address_warning(config.ips) -- broadcast_ip_address_warning(config.ips) - no_matching_interface_for_ip_address_warning(config.ips) - - if options.setup_adtrust: --- -2.9.4 - diff --git a/0003-python-netifaces-update-to-reflect-upstream-changes.patch b/0003-python-netifaces-update-to-reflect-upstream-changes.patch deleted file mode 100644 index 50fad2e..0000000 --- a/0003-python-netifaces-update-to-reflect-upstream-changes.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 56d04b3dccc967630d869006dfbd0003fcfedabe Mon Sep 17 00:00:00 2001 -From: Martin Basti -Date: Fri, 16 Jun 2017 13:42:53 +0200 -Subject: [PATCH] python-netifaces: update to reflect upstream changes - -python-netifaces now provides IPv6 netmask in format mask/prefix. It -breaks freeipa as it is unexpected format for python-netaddr. We must -split netmask and provide only prefix for netaddr. - -https://pagure.io/freeipa/issue/7021 - -Reviewed-By: Martin Babinsky -Reviewed-By: Petr Vobornik ---- - ipapython/ipautil.py | 17 ++++++++++++++--- - 1 file changed, 14 insertions(+), 3 deletions(-) - -diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py -index 5a6bf5a..1bb48d4 100644 ---- a/ipapython/ipautil.py -+++ b/ipapython/ipautil.py -@@ -197,6 +197,7 @@ class CheckedIPAddress(UnsafeIPAddress): - :return: InterfaceDetails named tuple or None if no interface has - this address - """ -+ root_logger.debug("Searching for an interface of IP address: %s", self) - if self.version == 4: - family = netifaces.AF_INET - elif self.version == 6: -@@ -213,10 +214,20 @@ class CheckedIPAddress(UnsafeIPAddress): - # errors in IPNetwork - ifaddr = ifdata['addr'].split(u'%', 1)[0] - -- ifnet = netaddr.IPNetwork('{addr}/{netmask}'.format( -+ # newer versions of netifaces provide IPv6 netmask in format -+ # 'ffff:ffff:ffff:ffff::/64'. We have to split and use prefix -+ # or the netmask with older versions -+ ifmask = ifdata['netmask'].split(u'/')[-1] -+ -+ ifaddrmask = '{addr}/{netmask}'.format( - addr=ifaddr, -- netmask=ifdata['netmask'] -- )) -+ netmask=ifmask -+ ) -+ root_logger.debug( -+ "Testing local IP address: %s (interface: %s)", -+ ifaddrmask, interface) -+ -+ ifnet = netaddr.IPNetwork(ifaddrmask) - - if ifnet.ip == self: - return InterfaceDetails(interface, ifnet) --- -2.9.4 - diff --git a/0004-ipa-sam-use-own-private-structure-not-ldapsam_privat.patch b/0004-ipa-sam-use-own-private-structure-not-ldapsam_privat.patch deleted file mode 100644 index ff65f04..0000000 --- a/0004-ipa-sam-use-own-private-structure-not-ldapsam_privat.patch +++ /dev/null @@ -1,2721 +0,0 @@ -From 922ef94bb01aca1242d149e693f6161ba3ccf486 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 19 Apr 2017 15:16:15 +0300 -Subject: [PATCH 6/7] ipa-sam: use own private structure, not ldapsam_privates - -With Samba 4.7 access to ldapsam internal structures will not be -available for external applications. FreeIPA's ipasam module was using -those for own needs. Now it needs to migrate to proper own private -structure. - -Given that we anyway need to implement many missing functions like -pdb_update_sam_account() callback with FreeIPA-specific logic, -piggybacking on ldapsam structures is not needed anymore. - -Fixes https://pagure.io/freeipa/issue/6877 ---- - daemons/ipa-sam/ipa_sam.c | 902 ++++++++++++++++++++++++---------------------- - server.m4 | 4 + - 2 files changed, 474 insertions(+), 432 deletions(-) - -diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c -index 59d92f37c..fe9913d61 100644 ---- a/daemons/ipa-sam/ipa_sam.c -+++ b/daemons/ipa-sam/ipa_sam.c -@@ -190,7 +190,19 @@ bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth- - const struct dom_sid global_sid_Builtin = { 1, 1, {0,0,0,0,0,5}, - {32,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; - --struct ipasam_privates { -+/* With Samba 4.7 ldapsam_privates structure is not public anymore. -+ * FreeIPA needs to use own structure */ -+ -+struct ipasam_private { -+ struct smbldap_state *ldap_state; -+ /* Former statics */ -+ LDAPMessage *result; -+ LDAPMessage *entry; -+ -+ const char *domain_name; -+ struct dom_sid domain_sid; -+ -+ char *domain_dn; - char *realm; - char *base_dn; - char *trust_dn; -@@ -204,7 +216,7 @@ struct ipasam_privates { - }; - - --static NTSTATUS ipasam_get_domain_name(struct ldapsam_privates *ldap_state, -+static NTSTATUS ipasam_get_domain_name(struct ipasam_private *ipasam_state, - TALLOC_CTX *mem_ctx, - char **domain_name); - -@@ -332,9 +344,35 @@ static bool strnequal(const char *s1, const char *s2, size_t n) { - return false; - } - --static LDAP *priv2ld(struct ldapsam_privates *priv) -+static LDAP *_smbldap_get_ldap(struct smbldap_state *state) { -+#ifdef HAVE_SMBLDAP_GET_LDAP -+ return smbldap_get_ldap(state); -+#else -+ return state->ldap_struct; -+#endif -+ -+} -+ -+static bool _smbldap_get_paged_results(struct smbldap_state *state) { -+#ifdef HAVE_SMBLDAP_GET_LDAP -+ return smbldap_get_paged_results(state); -+#else -+ return state->paged_results; -+#endif -+} -+ -+static void _smbldap_set_paged_results(struct smbldap_state *state, -+ bool paged_results) { -+#ifdef HAVE_SMBLDAP_GET_LDAP -+ smbldap_set_paged_results(state, paged_results); -+#else -+ state->paged_results = paged_results; -+#endif -+} -+ -+static LDAP *priv2ld(struct ipasam_private *priv) - { -- return priv->smbldap_state->ldap_struct; -+ return _smbldap_get_ldap(priv->ldap_state); - } - - /* -@@ -508,8 +546,8 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods, - const char **names, - enum lsa_SidType *attrs) - { -- struct ldapsam_privates *ldap_state = -- (struct ldapsam_privates *)methods->private_data; -+ struct ipasam_private *ipasam_state = -+ talloc_get_type_abort(methods->private_data, struct ipasam_private); - LDAPMessage *msg = NULL; - LDAPMessage *entry; - char *allsids = NULL; -@@ -526,7 +564,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods, - } - - if (!sid_check_is_builtin(domain_sid) && -- dom_sid_compare_domain(&ldap_state->domain_sid, domain_sid) != 0) { -+ dom_sid_compare_domain(&ipasam_state->domain_sid, domain_sid) != 0) { - result = NT_STATUS_INVALID_PARAMETER; - goto done; - } -@@ -570,8 +608,8 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods, - goto done; - } - -- rc = smbldap_search(ldap_state->smbldap_state, -- ldap_state->ipasam_privates->base_dn, -+ rc = smbldap_search(ipasam_state->ldap_state, -+ ipasam_state->base_dn, - LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0, - &msg); - smbldap_talloc_autofree_ldapmsg(mem_ctx, msg); -@@ -580,7 +618,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods, - if (rc != LDAP_SUCCESS) - goto done; - -- ld = ldap_state->smbldap_state->ldap_struct; -+ ld = priv2ld(ipasam_state); - num_mapped = 0; - - for (entry = ldap_first_entry(ld, msg); -@@ -591,7 +629,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods, - const char *name; - - if (!ldapsam_extract_rid_from_entry(ld, entry, -- ldap_state->ipasam_privates->idmap_ctx, -+ ipasam_state->idmap_ctx, - domain_sid, - &rid)) { - DEBUG(2, ("Could not find sid from ldap entry\n")); -@@ -640,8 +678,8 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods, - goto done; - } - -- rc = smbldap_search(ldap_state->smbldap_state, -- ldap_state->ipasam_privates->base_dn, -+ rc = smbldap_search(ipasam_state->ldap_state, -+ ipasam_state->base_dn, - LDAP_SCOPE_SUBTREE, filter, ldap_attrs, 0, - &msg); - smbldap_talloc_autofree_ldapmsg(mem_ctx, msg); -@@ -652,7 +690,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods, - - /* ldap_struct might have changed due to a reconnect */ - -- ld = ldap_state->smbldap_state->ldap_struct; -+ ld = priv2ld(ipasam_state); - - /* For consistency checks, we already checked we're only domain or builtin */ - -@@ -678,7 +716,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods, - } - - if (!ldapsam_extract_rid_from_entry(ld, entry, -- ldap_state->ipasam_privates->idmap_ctx, -+ ipasam_state->idmap_ctx, - domain_sid, &rid)) { - DEBUG(2, ("Could not find sid from ldap entry %s\n", dn)); - continue; -@@ -727,8 +765,8 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods, - const struct dom_sid *sid, - struct unixid *id) - { -- struct ldapsam_privates *priv = -- (struct ldapsam_privates *)methods->private_data; -+ struct ipasam_private *priv = -+ talloc_get_type_abort(methods->private_data, struct ipasam_private); - char *filter; - const char *attrs[] = { "objectClass", "gidNumber", "uidNumber", - NULL }; -@@ -758,7 +796,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods, - goto done; - } - -- rc = smbldap_search_suffix(priv->smbldap_state, filter, -+ rc = smbldap_search_suffix(priv->ldap_state, filter, - attrs, &result); - if (rc != LDAP_SUCCESS) { - goto done; -@@ -827,11 +865,11 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods, - return ret; - } - --static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid, -+static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid, - struct dom_sid *sid) - { -- struct ldapsam_privates *priv = -- (struct ldapsam_privates *)methods->private_data; -+ struct ipasam_private *priv = -+ talloc_get_type_abort(methods->private_data, struct ipasam_private); - char *filter; - const char *attrs[] = { LDAP_ATTRIBUTE_SID, NULL }; - LDAPMessage *result = NULL; -@@ -867,7 +905,7 @@ static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid, - goto done; - } - -- rc = smbldap_search_suffix(priv->smbldap_state, filter, attrs, &result); -+ rc = smbldap_search_suffix(priv->ldap_state, filter, attrs, &result); - if (rc != LDAP_SUCCESS) { - goto done; - } -@@ -890,7 +928,7 @@ static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid, - goto done; - } - -- err = sss_idmap_sid_to_smb_sid(priv->ipasam_privates->idmap_ctx, -+ err = sss_idmap_sid_to_smb_sid(priv->idmap_ctx, - user_sid_string, &user_sid); - if (err != IDMAP_SUCCESS) { - DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n", -@@ -912,11 +950,11 @@ done: - return ret; - } - --static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid, -+static bool ipasam_gid_to_sid(struct pdb_methods *methods, gid_t gid, - struct dom_sid *sid) - { -- struct ldapsam_privates *priv = -- (struct ldapsam_privates *)methods->private_data; -+ struct ipasam_private *priv = -+ talloc_get_type_abort(methods->private_data, struct ipasam_private); - char *filter; - const char *attrs[] = { LDAP_ATTRIBUTE_SID, LDAP_ATTRIBUTE_OBJECTCLASS, NULL }; - LDAPMessage *result = NULL; -@@ -947,7 +985,7 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid, - goto done; - } - -- rc = smbldap_search_suffix(priv->smbldap_state, filter, attrs, &result); -+ rc = smbldap_search_suffix(priv->ldap_state, filter, attrs, &result); - if (rc != LDAP_SUCCESS) { - goto done; - } -@@ -988,7 +1026,7 @@ found: - "returning fallback group.\n", (unsigned int)gid)); - - sid_copy(sid, -- &priv->ipasam_privates->fallback_primary_group); -+ &priv->fallback_primary_group); - ret = true; - goto done; - -@@ -1002,8 +1040,8 @@ found: - goto done; - } - -- err = sss_idmap_sid_to_smb_sid(priv->ipasam_privates->idmap_ctx, -- group_sid_string, &group_sid); -+ err = sss_idmap_sid_to_smb_sid(priv->idmap_ctx, -+ group_sid_string, &group_sid); - if (err != IDMAP_SUCCESS) { - DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n", - group_sid_string)); -@@ -1031,10 +1069,10 @@ static bool ipasam_id_to_sid(struct pdb_methods *methods, struct unixid *id, str - bool result = false; - - if (id->type != ID_TYPE_GID) { -- result = ldapsam_uid_to_sid(methods, id->id, sid); -+ result = ipasam_uid_to_sid(methods, id->id, sid); - } - if (!result && id->type != ID_TYPE_UID) { -- result = ldapsam_gid_to_sid(methods, id->id, sid); -+ result = ipasam_gid_to_sid(methods, id->id, sid); - } - - return result; -@@ -1112,16 +1150,16 @@ struct ldap_search_state { - struct samr_displayentry *result); - }; - --static bool ldapsam_search_firstpage(struct pdb_search *search) -+static bool ipasam_search_firstpage(struct pdb_search *search) - { - struct ldap_search_state *state = -- (struct ldap_search_state *)search->private_data; -+ talloc_get_type_abort(search->private_data, struct ldap_search_state); - LDAP *ld; - int rc = LDAP_OPERATIONS_ERROR; - - state->entries = NULL; - -- if (state->connection->paged_results) { -+ if (_smbldap_get_paged_results(state->connection)) { - rc = smbldap_search_paged(state->connection, state->base, - state->scope, state->filter, - state->attrs, state->attrsonly, -@@ -1146,10 +1184,10 @@ static bool ldapsam_search_firstpage(struct pdb_search *search) - - /* Ok, the server was lying. It told us it could do paged - * searches when it could not. */ -- state->connection->paged_results = false; -+ _smbldap_set_paged_results(state->connection, false); - } - -- ld = state->connection->ldap_struct; -+ ld = _smbldap_get_ldap(state->connection); - if ( ld == NULL) { - DEBUG(5, ("Don't have an LDAP connection right after a " - "search\n")); -@@ -1160,13 +1198,14 @@ static bool ldapsam_search_firstpage(struct pdb_search *search) - return true; - } - --static bool ldapsam_search_nextpage(struct pdb_search *search) -+static bool ipasam_search_nextpage(struct pdb_search *search) - { - struct ldap_search_state *state = -- (struct ldap_search_state *)search->private_data; -+ talloc_get_type_abort(search->private_data, struct ldap_search_state); -+ LDAP *ld; - int rc; - -- if (!state->connection->paged_results) { -+ if (!_smbldap_get_paged_results(state->connection)) { - /* There is no next page when there are no paged results */ - return false; - } -@@ -1180,7 +1219,14 @@ static bool ldapsam_search_nextpage(struct pdb_search *search) - if ((rc != LDAP_SUCCESS) || (state->entries == NULL)) - return false; - -- state->current_entry = ldap_first_entry(state->connection->ldap_struct, state->entries); -+ ld = _smbldap_get_ldap(state->connection); -+ if ( ld == NULL) { -+ DEBUG(5, ("Don't have an LDAP connection right after a " -+ "search\n")); -+ return false; -+ } -+ state->current_entry = ldap_first_entry(ld, -+ state->entries); - - if (state->current_entry == NULL) { - ldap_msgfree(state->entries); -@@ -1191,38 +1237,44 @@ static bool ldapsam_search_nextpage(struct pdb_search *search) - return true; - } - --static bool ldapsam_search_next_entry(struct pdb_search *search, -+static bool ipasam_search_next_entry(struct pdb_search *search, - struct samr_displayentry *entry) - { - struct ldap_search_state *state = -- (struct ldap_search_state *)search->private_data; -+ talloc_get_type_abort(search->private_data, struct ldap_search_state); - bool result; -+ LDAP *ld; - - retry: - if ((state->entries == NULL) && (state->pagedresults_cookie == NULL)) - return false; - - if ((state->entries == NULL) && -- !ldapsam_search_nextpage(search)) -+ !ipasam_search_nextpage(search)) - return false; - - if (state->current_entry == NULL) { - return false; - } - -+ ld = _smbldap_get_ldap(state->connection); -+ if ( ld == NULL) { -+ DEBUG(5, ("Don't have an LDAP connection right after a " -+ "search\n")); -+ return false; -+ } - result = state->ldap2displayentry(state, search, -- state->connection->ldap_struct, -+ ld, - state->current_entry, entry); - - if (!result) { - char *dn; -- dn = ldap_get_dn(state->connection->ldap_struct, -- state->current_entry); -+ dn = ldap_get_dn(ld, state->current_entry); - DEBUG(5, ("Skipping entry %s\n", dn != NULL ? dn : "")); - if (dn != NULL) ldap_memfree(dn); - } - -- state->current_entry = ldap_next_entry(state->connection->ldap_struct, -+ state->current_entry = ldap_next_entry(ld, - state->current_entry); - - if (state->current_entry == NULL) { -@@ -1235,10 +1287,10 @@ static bool ldapsam_search_next_entry(struct pdb_search *search, - return true; - } - --static void ldapsam_search_end(struct pdb_search *search) -+static void ipasam_search_end(struct pdb_search *search) - { - struct ldap_search_state *state = -- (struct ldap_search_state *)search->private_data; -+ talloc_get_type_abort(search->private_data, struct ldap_search_state); - int rc; - - if (state->pagedresults_cookie == NULL) -@@ -1250,7 +1302,7 @@ static void ldapsam_search_end(struct pdb_search *search) - state->entries = NULL; - state->current_entry = NULL; - -- if (!state->connection->paged_results) -+ if (!_smbldap_get_paged_results(state->connection)) - return; - - /* Tell the LDAP server we're not interested in the rest anymore. */ -@@ -1263,7 +1315,6 @@ static void ldapsam_search_end(struct pdb_search *search) - if (rc != LDAP_SUCCESS) - DEBUG(5, ("Could not end search properly\n")); - -- return; - } - - static bool ldapuser2displayentry(struct ldap_search_state *state, -@@ -1355,12 +1406,12 @@ static bool ldapuser2displayentry(struct ldap_search_state *state, - return true; - } - --static bool ldapsam_search_users(struct pdb_methods *methods, -+static bool ipasam_search_users(struct pdb_methods *methods, - struct pdb_search *search, - uint32_t acct_flags) - { -- struct ldapsam_privates *ldap_state = -- (struct ldapsam_privates *)methods->private_data; -+ struct ipasam_private *ipasam_state = -+ talloc_get_type_abort(methods->private_data, struct ipasam_private); - struct ldap_search_state *state; - - state = talloc(search, struct ldap_search_state); -@@ -1369,9 +1420,9 @@ static bool ldapsam_search_users(struct pdb_methods *methods, - return false; - } - -- state->connection = ldap_state->smbldap_state; -+ state->connection = ipasam_state->ldap_state; - -- state->base = talloc_strdup(search, ldap_state->ipasam_privates->base_dn); -+ state->base = talloc_strdup(search, ipasam_state->base_dn); - - state->acct_flags = acct_flags; - state->scope = LDAP_SCOPE_SUBTREE; -@@ -1382,8 +1433,8 @@ static bool ldapsam_search_users(struct pdb_methods *methods, - state->attrsonly = 0; - state->pagedresults_cookie = NULL; - state->entries = NULL; -- state->idmap_ctx = ldap_state->ipasam_privates->idmap_ctx; -- state->dom_sid = &ldap_state->domain_sid; -+ state->idmap_ctx = ipasam_state->idmap_ctx; -+ state->dom_sid = &ipasam_state->domain_sid; - state->ldap2displayentry = ldapuser2displayentry; - - if ((state->filter == NULL) || (state->attrs == NULL)) { -@@ -1392,10 +1443,10 @@ static bool ldapsam_search_users(struct pdb_methods *methods, - } - - search->private_data = state; -- search->next_entry = ldapsam_search_next_entry; -- search->search_end = ldapsam_search_end; -+ search->next_entry = ipasam_search_next_entry; -+ search->search_end = ipasam_search_end; - -- return ldapsam_search_firstpage(search); -+ return ipasam_search_firstpage(search); - } - - static bool ldapgroup2displayentry(struct ldap_search_state *state, -@@ -1496,8 +1547,8 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state, - case SID_NAME_DOM_GRP: - case SID_NAME_ALIAS: - -- if (!sid_peek_check_rid(state->dom_sid, sid, &result->rid) -- && !sid_peek_check_rid(&global_sid_Builtin, sid, &result->rid)) -+ if (!sid_peek_check_rid(state->dom_sid, sid, &result->rid) && -+ !sid_peek_check_rid(&global_sid_Builtin, sid, &result->rid)) - { - talloc_free(sid); - DEBUG(0, ("SID is not in our domain\n")); -@@ -1517,13 +1568,13 @@ static bool ldapgroup2displayentry(struct ldap_search_state *state, - return true; - } - --static bool ldapsam_search_grouptype(struct pdb_methods *methods, -+static bool ipasam_search_grouptype(struct pdb_methods *methods, - struct pdb_search *search, - const struct dom_sid *sid, - enum lsa_SidType type) - { -- struct ldapsam_privates *ldap_state = -- (struct ldapsam_privates *)methods->private_data; -+ struct ipasam_private *ipasam_state = -+ talloc_get_type_abort(methods->private_data, struct ipasam_private); - struct ldap_search_state *state; - - state = talloc(search, struct ldap_search_state); -@@ -1532,8 +1583,8 @@ static bool ldapsam_search_grouptype(struct pdb_methods *methods, - return false; - } - -- state->base = talloc_strdup(search, ldap_state->ipasam_privates->base_dn); -- state->connection = ldap_state->smbldap_state; -+ state->base = talloc_strdup(search, ipasam_state->base_dn); -+ state->connection = ipasam_state->ldap_state; - state->scope = LDAP_SCOPE_SUBTREE; - state->filter = talloc_asprintf(search, "(&(objectclass=%s)" - "(%s=%s*))", -@@ -1547,8 +1598,8 @@ static bool ldapsam_search_grouptype(struct pdb_methods *methods, - state->pagedresults_cookie = NULL; - state->entries = NULL; - state->group_type = type; -- state->idmap_ctx = ldap_state->ipasam_privates->idmap_ctx; -- state->dom_sid = &ldap_state->domain_sid; -+ state->idmap_ctx = ipasam_state->idmap_ctx; -+ state->dom_sid = &ipasam_state->domain_sid; - state->ldap2displayentry = ldapgroup2displayentry; - - if ((state->filter == NULL) || (state->attrs == NULL)) { -@@ -1557,56 +1608,48 @@ static bool ldapsam_search_grouptype(struct pdb_methods *methods, - } - - search->private_data = state; -- search->next_entry = ldapsam_search_next_entry; -- search->search_end = ldapsam_search_end; -+ search->next_entry = ipasam_search_next_entry; -+ search->search_end = ipasam_search_end; - -- return ldapsam_search_firstpage(search); -+ return ipasam_search_firstpage(search); - } - --static bool ldapsam_search_groups(struct pdb_methods *methods, -+static bool ipasam_search_groups(struct pdb_methods *methods, - struct pdb_search *search) - { -- struct ldapsam_privates *ldap_state = -- (struct ldapsam_privates *)methods->private_data; -+ struct ipasam_private *ipasam_state = -+ talloc_get_type_abort(methods->private_data, struct ipasam_private); - -- return ldapsam_search_grouptype(methods, search, -- &ldap_state->domain_sid, -+ return ipasam_search_grouptype(methods, search, -+ &ipasam_state->domain_sid, - SID_NAME_DOM_GRP); - } - --static bool ldapsam_search_aliases(struct pdb_methods *methods, -+static bool ipasam_search_aliases(struct pdb_methods *methods, - struct pdb_search *search, - const struct dom_sid *sid) - { -- return ldapsam_search_groups(methods, search); -+ return ipasam_search_grouptype(methods, search, -+ sid, SID_NAME_ALIAS); - } - -- -- -- -- -- -- -- -- -- - static char *trusted_domain_dn(TALLOC_CTX *mem_ctx, -- struct ldapsam_privates *ldap_state, -+ struct ipasam_private *ipasam_state, - const char *domain) - { - return talloc_asprintf(mem_ctx, "%s=%s,%s", - LDAP_ATTRIBUTE_CN, domain, -- ldap_state->ipasam_privates->trust_dn); -+ ipasam_state->trust_dn); - } - --static NTSTATUS ipasam_get_objectclasses(struct ldapsam_privates *ldap_state, -+static NTSTATUS ipasam_get_objectclasses(struct ipasam_private *ipasam_state, - const char *dn, LDAPMessage *entry, - uint32_t *has_objectclass) - { - struct berval **bervals; - size_t c; - -- bervals = ldap_get_values_len(priv2ld(ldap_state), entry, -+ bervals = ldap_get_values_len(priv2ld(ipasam_state), entry, - LDAP_ATTRIBUTE_OBJECTCLASS); - if (bervals == NULL) { - DEBUG(0, ("Entry [%s] does not have any objectclasses.\n", dn)); -@@ -1643,7 +1686,7 @@ static NTSTATUS ipasam_get_objectclasses(struct ldapsam_privates *ldap_state, - return NT_STATUS_OK; - } - --static bool search_krb_princ(struct ldapsam_privates *ldap_state, -+static bool search_krb_princ(struct ipasam_private *ipasam_state, - TALLOC_CTX *mem_ctx, - const char *princ, const char *base_dn, - LDAPMessage **entry) -@@ -1659,7 +1702,7 @@ static bool search_krb_princ(struct ldapsam_privates *ldap_state, - return false; - } - -- rc = smbldap_search(ldap_state->smbldap_state, base_dn, -+ rc = smbldap_search(ipasam_state->ldap_state, base_dn, - LDAP_SCOPE_SUBTREE, filter, NULL, 0, &result); - - if (result != NULL) { -@@ -1675,7 +1718,7 @@ static bool search_krb_princ(struct ldapsam_privates *ldap_state, - return false; - } - -- num_result = ldap_count_entries(priv2ld(ldap_state), result); -+ num_result = ldap_count_entries(priv2ld(ipasam_state), result); - - if (num_result > 1) { - DEBUG(1, ("search_krb_princ: more than one object found " -@@ -1688,7 +1731,7 @@ static bool search_krb_princ(struct ldapsam_privates *ldap_state, - "with filter '%s'.\n", filter)); - *entry = NULL; - } else { -- *entry = ldap_first_entry(priv2ld(ldap_state), result); -+ *entry = ldap_first_entry(priv2ld(ipasam_state), result); - } - - return true; -@@ -1701,7 +1744,7 @@ long default_enctypes[DEF_ENCTYPE_NUM] = { - ENCTYPE_ARCFOUR_HMAC - }; - --static int set_cross_realm_pw(struct ldapsam_privates *ldap_state, -+static int set_cross_realm_pw(struct ipasam_private *ipasam_state, - const char *princ, - const char *pwd) - { -@@ -1720,7 +1763,7 @@ static int set_cross_realm_pw(struct ldapsam_privates *ldap_state, - reqdata.bv_len = buflen; - reqdata.bv_val = buffer; - -- ret = smbldap_extended_operation(ldap_state->smbldap_state, -+ ret = smbldap_extended_operation(ipasam_state->ldap_state, - KEYTAB_GET_OID, &reqdata, NULL, NULL, - &retoid, &retdata); - if (ret != LDAP_SUCCESS) { -@@ -1744,7 +1787,7 @@ done: - #define KRB_PRINC_CREATE_DISABLED 0x00000001 - #define KRB_PRINC_CREATE_AGENT_PERMISSION 0x00000002 - --static bool set_krb_princ(struct ldapsam_privates *ldap_state, -+static bool set_krb_princ(struct ipasam_private *ipasam_state, - TALLOC_CTX *mem_ctx, - const char *princ, const char *saltprinc, - const char *pwd, -@@ -1758,17 +1801,17 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state, - uint32_t has_objectclass = 0; - NTSTATUS status; - -- if (!search_krb_princ(ldap_state, mem_ctx, princ, base_dn, &entry)) { -+ if (!search_krb_princ(ipasam_state, mem_ctx, princ, base_dn, &entry)) { - return false; - } - - if (entry) { -- dn = get_dn(mem_ctx, priv2ld(ldap_state), entry); -+ dn = get_dn(mem_ctx, priv2ld(ipasam_state), entry); - if (!dn) { - return false; - } - -- status = ipasam_get_objectclasses(ldap_state, dn, entry, -+ status = ipasam_get_objectclasses(ipasam_state, dn, entry, - &has_objectclass); - if (!NT_STATUS_IS_OK(status)) { - return false; -@@ -1810,13 +1853,13 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state, - } - - if ((create_flags & KRB_PRINC_CREATE_DISABLED)) { -- smbldap_make_mod(priv2ld(ldap_state), entry, &mods, -+ smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, - LDAP_ATTRIBUTE_KRB_TICKET_FLAGS, __TALLOC_STRING_LINE2__(IPASAM_DISALLOW_ALL_TIX)); - } - - if ((create_flags & KRB_PRINC_CREATE_AGENT_PERMISSION)) { - char *agent_dn = NULL; -- agent_dn = talloc_asprintf(mem_ctx, LDAP_CN_ADTRUST_AGENTS",%s", ldap_state->ipasam_privates->base_dn); -+ agent_dn = talloc_asprintf(mem_ctx, LDAP_CN_ADTRUST_AGENTS",%s", ipasam_state->base_dn); - if (agent_dn == NULL) { - DEBUG(1, ("error configuring cross realm principal data!\n")); - return false; -@@ -1824,29 +1867,29 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state, - smbldap_set_mod(&mods, LDAP_MOD_ADD, - LDAP_ATTRIBUTE_OBJECTCLASS, - LDAP_OBJ_IPAOPALLOW); -- smbldap_make_mod(priv2ld(ldap_state), entry, &mods, -+ smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, - LDAP_ATTRIBUTE_IPAOPALLOW, agent_dn); -- agent_dn = talloc_asprintf(mem_ctx, LDAP_CN_ADTRUST_ADMINS",%s", ldap_state->ipasam_privates->base_dn); -+ agent_dn = talloc_asprintf(mem_ctx, LDAP_CN_ADTRUST_ADMINS",%s", ipasam_state->base_dn); - if (agent_dn == NULL) { - DEBUG(1, ("error configuring cross realm principal data for trust admins!\n")); - return false; - } -- smbldap_make_mod(priv2ld(ldap_state), entry, &mods, -+ smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, - LDAP_ATTRIBUTE_IPAOPALLOW, agent_dn); - } - - - if (entry == NULL) { -- ret = smbldap_add(ldap_state->smbldap_state, dn, mods); -+ ret = smbldap_add(ipasam_state->ldap_state, dn, mods); - } else { -- ret = smbldap_modify(ldap_state->smbldap_state, dn, mods); -+ ret = smbldap_modify(ipasam_state->ldap_state, dn, mods); - } - if (ret != LDAP_SUCCESS) { - DEBUG(1, ("error writing cross realm principal data!\n")); - return false; - } - -- ret = set_cross_realm_pw(ldap_state, saltprinc ? saltprinc : princ, pwd); -+ ret = set_cross_realm_pw(ipasam_state, saltprinc ? saltprinc : princ, pwd); - if (ret != 0) { - DEBUG(1, ("set_cross_realm_pw failed.\n")); - return false; -@@ -1855,7 +1898,7 @@ static bool set_krb_princ(struct ldapsam_privates *ldap_state, - return true; - } - --static bool del_krb_princ(struct ldapsam_privates *ldap_state, -+static bool del_krb_princ(struct ipasam_private *ipasam_state, - TALLOC_CTX *mem_ctx, - const char *princ, const char *base_dn) - { -@@ -1863,17 +1906,17 @@ static bool del_krb_princ(struct ldapsam_privates *ldap_state, - char *dn = NULL; - int ret; - -- if (!search_krb_princ(ldap_state, mem_ctx, princ, base_dn, &entry)) { -+ if (!search_krb_princ(ipasam_state, mem_ctx, princ, base_dn, &entry)) { - return false; - } - - if (entry) { -- dn = get_dn(mem_ctx, priv2ld(ldap_state), entry); -+ dn = get_dn(mem_ctx, priv2ld(ipasam_state), entry); - if (!dn) { - return false; - } - -- ret = smbldap_delete(ldap_state->smbldap_state, dn); -+ ret = smbldap_delete(ipasam_state->ldap_state, dn); - if (ret != LDAP_SUCCESS) { - return false; - } -@@ -1887,7 +1930,7 @@ enum princ_mod { - DEL_PRINC - }; - --static bool handle_cross_realm_princs(struct ldapsam_privates *ldap_state, -+static bool handle_cross_realm_princs(struct ipasam_private *ipasam_state, - const char *domain, const char *pwd, - uint32_t trust_direction, - enum princ_mod mod) -@@ -1912,18 +1955,18 @@ static bool handle_cross_realm_princs(struct ldapsam_privates *ldap_state, - goto done; - } - -- trusted_dn = trusted_domain_dn(tmp_ctx, ldap_state, domain); -+ trusted_dn = trusted_domain_dn(tmp_ctx, ipasam_state, domain); - - princ_l = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s", remote_realm, -- ldap_state->ipasam_privates->realm); -+ ipasam_state->realm); - princ_r = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s", -- ldap_state->ipasam_privates->realm, remote_realm); -+ ipasam_state->realm, remote_realm); - - princ_tdo = talloc_asprintf(tmp_ctx, "%s$@%s", -- ldap_state->ipasam_privates->flat_name, remote_realm); -+ ipasam_state->flat_name, remote_realm); - - saltprinc_tdo = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s", -- ldap_state->ipasam_privates->flat_name, remote_realm); -+ ipasam_state->flat_name, remote_realm); - - if (trusted_dn == NULL || princ_l == NULL || - princ_r == NULL || princ_tdo == NULL || saltprinc_tdo == NULL) { -@@ -1934,23 +1977,23 @@ static bool handle_cross_realm_princs(struct ldapsam_privates *ldap_state, - switch (mod) { - case SET_PRINC: - /* Create Kerberos principal for inbound trust, enabled by default */ -- ok = set_krb_princ(ldap_state, tmp_ctx, princ_r, NULL, pwd, trusted_dn, KRB_PRINC_CREATE_DEFAULT); -+ ok = set_krb_princ(ipasam_state, tmp_ctx, princ_r, NULL, pwd, trusted_dn, KRB_PRINC_CREATE_DEFAULT); - /* Create Kerberos principal corresponding to TDO in AD for SSSD usage, disabled by default */ -- ok |= set_krb_princ(ldap_state, tmp_ctx, princ_tdo, saltprinc_tdo, pwd, trusted_dn, -+ ok |= set_krb_princ(ipasam_state, tmp_ctx, princ_tdo, saltprinc_tdo, pwd, trusted_dn, - KRB_PRINC_CREATE_DISABLED | KRB_PRINC_CREATE_AGENT_PERMISSION); - if ((trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) != 0) { - /* Create Kerberos principal for outbound trust, enabled by default */ -- ok |= set_krb_princ(ldap_state, tmp_ctx, princ_l, NULL, pwd, trusted_dn, KRB_PRINC_CREATE_DEFAULT); -+ ok |= set_krb_princ(ipasam_state, tmp_ctx, princ_l, NULL, pwd, trusted_dn, KRB_PRINC_CREATE_DEFAULT); - } - if (!ok) { - goto done; - } - break; - case DEL_PRINC: -- ok = del_krb_princ(ldap_state, tmp_ctx, princ_r, trusted_dn); -- ok |= del_krb_princ(ldap_state, tmp_ctx, princ_tdo, trusted_dn); -+ ok = del_krb_princ(ipasam_state, tmp_ctx, princ_r, trusted_dn); -+ ok |= del_krb_princ(ipasam_state, tmp_ctx, princ_tdo, trusted_dn); - if ((trust_direction & LSA_TRUST_DIRECTION_OUTBOUND) != 0) { -- ok |= del_krb_princ(ldap_state, tmp_ctx, princ_l, trusted_dn); -+ ok |= del_krb_princ(ipasam_state, tmp_ctx, princ_l, trusted_dn); - } - if (!ok) { - goto done; -@@ -1968,20 +2011,20 @@ done: - return ok; - } - --static bool set_cross_realm_princs(struct ldapsam_privates *ldap_state, -+static bool set_cross_realm_princs(struct ipasam_private *ipasam_state, - const char *domain, const char *pwd, uint32_t trust_direction) - { -- return handle_cross_realm_princs(ldap_state, domain, pwd, trust_direction, SET_PRINC); -+ return handle_cross_realm_princs(ipasam_state, domain, pwd, trust_direction, SET_PRINC); - } - --static bool del_cross_realm_princs(struct ldapsam_privates *ldap_state, -+static bool del_cross_realm_princs(struct ipasam_private *ipasam_state, - const char *domain) - { - uint32_t trust_direction = LSA_TRUST_DIRECTION_INBOUND | LSA_TRUST_DIRECTION_OUTBOUND; -- return handle_cross_realm_princs(ldap_state, domain, NULL, trust_direction, DEL_PRINC); -+ return handle_cross_realm_princs(ipasam_state, domain, NULL, trust_direction, DEL_PRINC); - } - --static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state, -+static bool get_trusted_domain_int(struct ipasam_private *ipasam_state, - TALLOC_CTX *mem_ctx, - const char *filter, LDAPMessage **entry) - { -@@ -1989,8 +2032,8 @@ static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state, - LDAPMessage *result = NULL; - uint32_t num_result; - -- rc = smbldap_search(ldap_state->smbldap_state, -- ldap_state->ipasam_privates->trust_dn, -+ rc = smbldap_search(ipasam_state->ldap_state, -+ ipasam_state->trust_dn, - LDAP_SCOPE_SUBTREE, filter, NULL, 0, &result); - - if (result != NULL) { -@@ -2006,7 +2049,7 @@ static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state, - return false; - } - -- num_result = ldap_count_entries(priv2ld(ldap_state), result); -+ num_result = ldap_count_entries(priv2ld(ipasam_state), result); - - if (num_result > 1) { - DEBUG(1, ("get_trusted_domain_int: more than one " -@@ -2021,13 +2064,13 @@ static bool get_trusted_domain_int(struct ldapsam_privates *ldap_state, - LDAP_OBJ_TRUSTED_DOMAIN, filter)); - *entry = NULL; - } else { -- *entry = ldap_first_entry(priv2ld(ldap_state), result); -+ *entry = ldap_first_entry(priv2ld(ipasam_state), result); - } - - return true; - } - --static bool get_trusted_domain_by_name_int(struct ldapsam_privates *ldap_state, -+static bool get_trusted_domain_by_name_int(struct ipasam_private *ipasam_state, - TALLOC_CTX *mem_ctx, - const char *domain, - LDAPMessage **entry) -@@ -2044,13 +2087,13 @@ static bool get_trusted_domain_by_name_int(struct ldapsam_privates *ldap_state, - return false; - } - -- ok = get_trusted_domain_int(ldap_state, mem_ctx, filter, entry); -+ ok = get_trusted_domain_int(ipasam_state, mem_ctx, filter, entry); - talloc_free(filter); - - return ok; - } - --static bool get_trusted_domain_by_sid_int(struct ldapsam_privates *ldap_state, -+static bool get_trusted_domain_by_sid_int(struct ipasam_private *ipasam_state, - TALLOC_CTX *mem_ctx, - const char *sid, LDAPMessage **entry) - { -@@ -2064,13 +2107,13 @@ static bool get_trusted_domain_by_sid_int(struct ldapsam_privates *ldap_state, - return false; - } - -- ok = get_trusted_domain_int(ldap_state, mem_ctx, filter, entry); -+ ok = get_trusted_domain_int(ipasam_state, mem_ctx, filter, entry); - talloc_free(filter); - - return ok; - } - --static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates *ldap_state, -+static bool get_uint32_t_from_ldap_msg(struct ipasam_private *ipasam_state, - LDAPMessage *entry, - const char *attr, - uint32_t *val) -@@ -2079,7 +2122,7 @@ static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates *ldap_state, - long int l; - char *endptr; - -- dummy = get_single_attribute(NULL, priv2ld(ldap_state), entry, attr); -+ dummy = get_single_attribute(NULL, priv2ld(ipasam_state), entry, attr); - if (dummy == NULL) { - DEBUG(9, ("Attribute %s not present.\n", attr)); - *val = 0; -@@ -2100,7 +2143,7 @@ static bool get_uint32_t_from_ldap_msg(struct ldapsam_privates *ldap_state, - } - - static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx, -- struct ldapsam_privates *ldap_state, -+ struct ipasam_private *ipasam_state, - LDAPMessage *entry, - struct pdb_trusted_domain **_td) - { -@@ -2121,14 +2164,14 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx, - - /* All attributes are MAY */ - -- dummy = get_single_attribute(NULL, priv2ld(ldap_state), entry, -+ dummy = get_single_attribute(NULL, priv2ld(ipasam_state), entry, - LDAP_ATTRIBUTE_TRUST_SID); - if (dummy == NULL) { - DEBUG(9, ("Attribute %s not present.\n", - LDAP_ATTRIBUTE_TRUST_SID)); - ZERO_STRUCT(td->security_identifier); - } else { -- err = sss_idmap_sid_to_smb_sid(ldap_state->ipasam_privates->idmap_ctx, -+ err = sss_idmap_sid_to_smb_sid(ipasam_state->idmap_ctx, - dummy, &sid); - TALLOC_FREE(dummy); - if (err != IDMAP_SUCCESS) { -@@ -2138,34 +2181,34 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx, - talloc_free(sid); - } - -- if (!smbldap_talloc_single_blob(td, priv2ld(ldap_state), entry, -+ if (!smbldap_talloc_single_blob(td, priv2ld(ipasam_state), entry, - LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING, - &td->trust_auth_incoming)) { - DEBUG(9, ("Failed to set incoming auth info.\n")); - } - - -- if (!smbldap_talloc_single_blob(td, priv2ld(ldap_state), entry, -+ if (!smbldap_talloc_single_blob(td, priv2ld(ipasam_state), entry, - LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING, - &td->trust_auth_outgoing)) { - DEBUG(9, ("Failed to set outgoing auth info.\n")); - } - -- td->netbios_name = get_single_attribute(td, priv2ld(ldap_state), entry, -+ td->netbios_name = get_single_attribute(td, priv2ld(ipasam_state), entry, - LDAP_ATTRIBUTE_FLAT_NAME); - if (td->netbios_name == NULL) { - DEBUG(9, ("Attribute %s not present.\n", - LDAP_ATTRIBUTE_FLAT_NAME)); - } - -- td->domain_name = get_single_attribute(td, priv2ld(ldap_state), entry, -+ td->domain_name = get_single_attribute(td, priv2ld(ipasam_state), entry, - LDAP_ATTRIBUTE_TRUST_PARTNER); - if (td->domain_name == NULL) { - DEBUG(9, ("Attribute %s not present.\n", - LDAP_ATTRIBUTE_TRUST_PARTNER)); - } - -- res = get_uint32_t_from_ldap_msg(ldap_state, entry, -+ res = get_uint32_t_from_ldap_msg(ipasam_state, entry, - LDAP_ATTRIBUTE_TRUST_DIRECTION, - &td->trust_direction); - if (!res) { -@@ -2176,7 +2219,7 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx, - td->trust_direction = LSA_TRUST_DIRECTION_INBOUND | LSA_TRUST_DIRECTION_OUTBOUND; - } - -- res = get_uint32_t_from_ldap_msg(ldap_state, entry, -+ res = get_uint32_t_from_ldap_msg(ipasam_state, entry, - LDAP_ATTRIBUTE_TRUST_ATTRIBUTES, - &td->trust_attributes); - if (!res) { -@@ -2187,7 +2230,7 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx, - td->trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE; - } - -- res = get_uint32_t_from_ldap_msg(ldap_state, entry, -+ res = get_uint32_t_from_ldap_msg(ipasam_state, entry, - LDAP_ATTRIBUTE_TRUST_TYPE, - &td->trust_type); - if (!res) { -@@ -2202,7 +2245,7 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx, - if (td->trust_posix_offset == NULL) { - return false; - } -- res = get_uint32_t_from_ldap_msg(ldap_state, entry, -+ res = get_uint32_t_from_ldap_msg(ipasam_state, entry, - LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET, - td->trust_posix_offset); - if (!res) { -@@ -2213,17 +2256,17 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx, - if (td->supported_enc_type == NULL) { - return false; - } -- res = get_uint32_t_from_ldap_msg(ldap_state, entry, -+ res = get_uint32_t_from_ldap_msg(ipasam_state, entry, - LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE, - td->supported_enc_type); - if (!res) { - return false; - } - if (*td->supported_enc_type == 0) { -- *td->supported_enc_type = ldap_state->ipasam_privates->supported_enctypes; -+ *td->supported_enc_type = ipasam_state->supported_enctypes; - } - -- if (!smbldap_talloc_single_blob(td, priv2ld(ldap_state), entry, -+ if (!smbldap_talloc_single_blob(td, priv2ld(ipasam_state), entry, - LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO, - &td->trust_forest_trust_info)) { - DEBUG(9, ("Failed to set forest trust info.\n")); -@@ -2239,13 +2282,13 @@ static NTSTATUS ipasam_get_trusted_domain(struct pdb_methods *methods, - const char *domain, - struct pdb_trusted_domain **td) - { -- struct ldapsam_privates *ldap_state = -- (struct ldapsam_privates *)methods->private_data; -+ struct ipasam_private *ipasam_state = -+ talloc_get_type_abort(methods->private_data, struct ipasam_private); - LDAPMessage *entry = NULL; - - DEBUG(10, ("ipasam_get_trusted_domain called for domain %s\n", domain)); - -- if (!get_trusted_domain_by_name_int(ldap_state, mem_ctx, domain, -+ if (!get_trusted_domain_by_name_int(ipasam_state, mem_ctx, domain, - &entry)) { - return NT_STATUS_UNSUCCESSFUL; - } -@@ -2255,7 +2298,7 @@ static NTSTATUS ipasam_get_trusted_domain(struct pdb_methods *methods, - return NT_STATUS_NO_SUCH_DOMAIN; - } - -- if (!fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td)) { -+ if (!fill_pdb_trusted_domain(mem_ctx, ipasam_state, entry, td)) { - return NT_STATUS_UNSUCCESSFUL; - } - -@@ -2267,8 +2310,8 @@ static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods, - struct dom_sid *sid, - struct pdb_trusted_domain **td) - { -- struct ldapsam_privates *ldap_state = -- (struct ldapsam_privates *)methods->private_data; -+ struct ipasam_private *ipasam_state = -+ talloc_get_type_abort(methods->private_data, struct ipasam_private); - LDAPMessage *entry = NULL; - char *sid_str; - bool ok; -@@ -2281,7 +2324,7 @@ static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods, - DEBUG(10, ("ipasam_get_trusted_domain_by_sid called for sid %s\n", - sid_str)); - -- ok = get_trusted_domain_by_sid_int(ldap_state, mem_ctx, sid_str, -+ ok = get_trusted_domain_by_sid_int(ipasam_state, mem_ctx, sid_str, - &entry); - talloc_free(sid_str); - if (!ok) { -@@ -2293,7 +2336,7 @@ static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods, - return NT_STATUS_NO_SUCH_DOMAIN; - } - -- ok = fill_pdb_trusted_domain(mem_ctx, ldap_state, entry, td); -+ ok = fill_pdb_trusted_domain(mem_ctx, ipasam_state, entry, td); - if (!ok) { - return NT_STATUS_UNSUCCESSFUL; - } -@@ -2377,8 +2420,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, - const char* domain, - const struct pdb_trusted_domain *td) - { -- struct ldapsam_privates *ldap_state = -- (struct ldapsam_privates *)methods->private_data; -+ struct ipasam_private *ipasam_state = -+ talloc_get_type_abort(methods->private_data, struct ipasam_private); - LDAPMessage *entry = NULL; - LDAPMod **mods; - bool res; -@@ -2399,7 +2442,7 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, - return NT_STATUS_NO_MEMORY; - } - -- res = get_trusted_domain_by_name_int(ldap_state, tmp_ctx, domain, -+ res = get_trusted_domain_by_name_int(ipasam_state, tmp_ctx, domain, - &entry); - if (!res) { - status = NT_STATUS_UNSUCCESSFUL; -@@ -2408,44 +2451,44 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, - - mods = NULL; - if (entry == NULL) { -- smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass", -+ smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, "objectClass", - LDAP_OBJ_TRUSTED_DOMAIN); -- smbldap_make_mod(priv2ld(ldap_state), entry, &mods, "objectClass", -+ smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, "objectClass", - LDAP_OBJ_ID_OBJECT); - } - - if (entry != NULL) { -- sid = get_single_attribute(tmp_ctx, priv2ld(ldap_state), entry, -+ sid = get_single_attribute(tmp_ctx, priv2ld(ipasam_state), entry, - LDAP_ATTRIBUTE_SID); - } - if (entry == NULL || sid == NULL) { -- smbldap_make_mod(priv2ld(ldap_state), entry, &mods, -+ smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, - LDAP_ATTRIBUTE_UIDNUMBER, IPA_MAGIC_ID_STR); -- smbldap_make_mod(priv2ld(ldap_state), entry, &mods, -+ smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, - LDAP_ATTRIBUTE_GIDNUMBER, -- ldap_state->ipasam_privates->fallback_primary_group_gid_str); -+ ipasam_state->fallback_primary_group_gid_str); - } - - if (td->netbios_name != NULL) { -- smbldap_make_mod(priv2ld(ldap_state), entry, &mods, -+ smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, - LDAP_ATTRIBUTE_FLAT_NAME, - td->netbios_name); - } - - if (td->domain_name != NULL) { -- smbldap_make_mod(priv2ld(ldap_state), entry, &mods, -+ smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, - LDAP_ATTRIBUTE_TRUST_PARTNER, - td->domain_name); - } - - if (!is_null_sid(&td->security_identifier)) { -- smbldap_make_mod(priv2ld(ldap_state), entry, &mods, -+ smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, - LDAP_ATTRIBUTE_TRUST_SID, - sid_string_talloc(tmp_ctx, &td->security_identifier)); - } - - if (td->trust_type != 0) { -- res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry, -+ res = smbldap_make_mod_uint32_t(priv2ld(ipasam_state), entry, - &mods, LDAP_ATTRIBUTE_TRUST_TYPE, - td->trust_type); - if (!res) { -@@ -2455,7 +2498,7 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, - } - - if (td->trust_attributes != 0) { -- res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry, -+ res = smbldap_make_mod_uint32_t(priv2ld(ipasam_state), entry, - &mods, - LDAP_ATTRIBUTE_TRUST_ATTRIBUTES, - td->trust_attributes); -@@ -2466,7 +2509,7 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, - } - - if (td->trust_direction != 0) { -- res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry, -+ res = smbldap_make_mod_uint32_t(priv2ld(ipasam_state), entry, - &mods, - LDAP_ATTRIBUTE_TRUST_DIRECTION, - td->trust_direction); -@@ -2481,7 +2524,7 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, - trust_offset = *td->trust_posix_offset; - } - -- res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry, -+ res = smbldap_make_mod_uint32_t(priv2ld(ipasam_state), entry, - &mods, - LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET, - trust_offset); -@@ -2490,12 +2533,12 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, - goto done; - } - -- enctypes = ldap_state->ipasam_privates->supported_enctypes; -+ enctypes = ipasam_state->supported_enctypes; - if (td->supported_enc_type != NULL) { - enctypes = *td->supported_enc_type; - } - -- res = smbldap_make_mod_uint32_t(priv2ld(ldap_state), entry, -+ res = smbldap_make_mod_uint32_t(priv2ld(ipasam_state), entry, - &mods, - LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE, - enctypes); -@@ -2505,38 +2548,38 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, - } - - if (td->trust_auth_outgoing.data != NULL) { -- smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods, -+ smbldap_make_mod_blob(priv2ld(ipasam_state), entry, &mods, - LDAP_ATTRIBUTE_TRUST_AUTH_OUTGOING, - &td->trust_auth_outgoing); - } - - if (td->trust_auth_incoming.data != NULL) { -- smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods, -+ smbldap_make_mod_blob(priv2ld(ipasam_state), entry, &mods, - LDAP_ATTRIBUTE_TRUST_AUTH_INCOMING, - &td->trust_auth_incoming); - } - - if (td->trust_forest_trust_info.data != NULL) { -- smbldap_make_mod_blob(priv2ld(ldap_state), entry, &mods, -+ smbldap_make_mod_blob(priv2ld(ipasam_state), entry, &mods, - LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO, - &td->trust_forest_trust_info); - } - - - /* Only add default blacklists for incoming and outgoing SIDs but don't modify existing ones */ -- in_blacklist = get_attribute_values(tmp_ctx, ldap_state->smbldap_state->ldap_struct, entry, -+ in_blacklist = get_attribute_values(tmp_ctx, priv2ld(ipasam_state), entry, - LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING, &count); -- out_blacklist = get_attribute_values(tmp_ctx, ldap_state->smbldap_state->ldap_struct, entry, -+ out_blacklist = get_attribute_values(tmp_ctx, priv2ld(ipasam_state), entry, - LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING, &count); - - for (i = 0; ipa_mspac_well_known_sids[i]; i++) { - if (in_blacklist == NULL) { -- smbldap_make_mod(priv2ld(ldap_state), entry, &mods, -+ smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, - LDAP_ATTRIBUTE_SID_BLACKLIST_INCOMING, - ipa_mspac_well_known_sids[i]); - } - if (out_blacklist == NULL) { -- smbldap_make_mod(priv2ld(ldap_state), entry, &mods, -+ smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, - LDAP_ATTRIBUTE_SID_BLACKLIST_OUTGOING, - ipa_mspac_well_known_sids[i]); - } -@@ -2545,16 +2588,16 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, - smbldap_talloc_autofree_ldapmod(tmp_ctx, mods); - - if (mods != NULL) { -- trusted_dn = trusted_domain_dn(tmp_ctx, ldap_state, domain); -+ trusted_dn = trusted_domain_dn(tmp_ctx, ipasam_state, domain); - if (trusted_dn == NULL) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - if (entry == NULL) { -- ret = smbldap_add(ldap_state->smbldap_state, trusted_dn, mods); -+ ret = smbldap_add(ipasam_state->ldap_state, trusted_dn, mods); - } else { -- ret = smbldap_modify(ldap_state->smbldap_state, trusted_dn, mods); -+ ret = smbldap_modify(ipasam_state->ldap_state, trusted_dn, mods); - } - if (ret != LDAP_SUCCESS) { - DEBUG(1, ("error writing trusted domain data!\n")); -@@ -2569,7 +2612,7 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, - if (!NT_STATUS_IS_OK(status)) { - goto done; - } -- res = set_cross_realm_princs(ldap_state, td->domain_name, -+ res = set_cross_realm_princs(ipasam_state, td->domain_name, - trustpw, td->trust_direction); - memset(trustpw, 0, strlen(trustpw)); - if (!res) { -@@ -2585,9 +2628,9 @@ done: - return status; - } - --static int delete_subtree(struct ldapsam_privates *ldap_state, char* dn) -+static int delete_subtree(struct ipasam_private *ipasam_state, char* dn) - { -- LDAP *state = priv2ld(ldap_state); -+ LDAP *state = priv2ld(ipasam_state); - int rc; - char *filter = NULL; - int scope = LDAP_SCOPE_SUBTREE; -@@ -2601,7 +2644,7 @@ static int delete_subtree(struct ldapsam_privates *ldap_state, char* dn) - return LDAP_NO_MEMORY; - } - -- rc = smbldap_search(ldap_state->smbldap_state, dn, scope, filter, NULL, 0, &result); -+ rc = smbldap_search(ipasam_state->ldap_state, dn, scope, filter, NULL, 0, &result); - TALLOC_FREE(filter); - - if (rc != LDAP_SUCCESS) { -@@ -2620,13 +2663,13 @@ static int delete_subtree(struct ldapsam_privates *ldap_state, char* dn) - entry_dn = get_dn(dn, state, entry); - /* remove child entries */ - if ((entry_dn != NULL) && (strcmp(entry_dn, dn) != 0)) { -- rc = smbldap_delete(ldap_state->smbldap_state, entry_dn); -+ rc = smbldap_delete(ipasam_state->ldap_state, entry_dn); - if (rc != LDAP_SUCCESS) { - return rc; - } - } - } -- rc = smbldap_delete(ldap_state->smbldap_state, dn); -+ rc = smbldap_delete(ipasam_state->ldap_state, dn); - - /* caller will destroy dn */ - return rc; -@@ -2636,8 +2679,8 @@ static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods, - const char *domain) - { - int ret; -- struct ldapsam_privates *ldap_state = -- (struct ldapsam_privates *)methods->private_data; -+ struct ipasam_private *ipasam_state = -+ talloc_get_type_abort(methods->private_data, struct ipasam_private); - LDAPMessage *entry = NULL; - char *dn; - const char *domain_name; -@@ -2649,7 +2692,7 @@ static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods, - return NT_STATUS_NO_MEMORY; - } - -- if (!get_trusted_domain_by_name_int(ldap_state, tmp_ctx, domain, -+ if (!get_trusted_domain_by_name_int(ipasam_state, tmp_ctx, domain, - &entry)) { - status = NT_STATUS_UNSUCCESSFUL; - goto done; -@@ -2662,14 +2705,14 @@ static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods, - goto done; - } - -- dn = get_dn(tmp_ctx, priv2ld(ldap_state), entry); -+ dn = get_dn(tmp_ctx, priv2ld(ipasam_state), entry); - if (dn == NULL) { - DEBUG(0,("ipasam_del_trusted_domain: Out of memory!\n")); - status = NT_STATUS_NO_MEMORY; - goto done; - } - -- domain_name = get_single_attribute(tmp_ctx, priv2ld(ldap_state), entry, -+ domain_name = get_single_attribute(tmp_ctx, priv2ld(ipasam_state), entry, - LDAP_ATTRIBUTE_TRUST_PARTNER); - if (domain_name == NULL) { - DEBUG(1, ("Attribute %s not present.\n", -@@ -2678,16 +2721,16 @@ static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods, - goto done; - } - -- if (!del_cross_realm_princs(ldap_state, domain_name)) { -+ if (!del_cross_realm_princs(ipasam_state, domain_name)) { - DEBUG(1, ("error deleting cross realm principals!\n")); - status = NT_STATUS_UNSUCCESSFUL; - goto done; - } - -- ret = smbldap_delete(ldap_state->smbldap_state, dn); -+ ret = smbldap_delete(ipasam_state->ldap_state, dn); - if (ret == LDAP_NOT_ALLOWED_ON_NONLEAF) { - /* delete_subtree will use 'dn' as temporary context too */ -- ret = delete_subtree(ldap_state, dn); -+ ret = delete_subtree(ipasam_state, dn); - } - - if (ret != LDAP_SUCCESS) { -@@ -2707,8 +2750,8 @@ static NTSTATUS ipasam_enum_trusted_domains(struct pdb_methods *methods, - struct pdb_trusted_domain ***domains) - { - int rc; -- struct ldapsam_privates *ldap_state = -- (struct ldapsam_privates *)methods->private_data; -+ struct ipasam_private *ipasam_state = -+ talloc_get_type_abort(methods->private_data, struct ipasam_private); - char *filter = NULL; - int scope = LDAP_SCOPE_SUBTREE; - LDAPMessage *result = NULL; -@@ -2721,8 +2764,8 @@ static NTSTATUS ipasam_enum_trusted_domains(struct pdb_methods *methods, - return NT_STATUS_NO_MEMORY; - } - -- rc = smbldap_search(ldap_state->smbldap_state, -- ldap_state->ipasam_privates->trust_dn, -+ rc = smbldap_search(ipasam_state->ldap_state, -+ ipasam_state->trust_dn, - scope, filter, NULL, 0, &result); - TALLOC_FREE(filter); - -@@ -2746,13 +2789,13 @@ static NTSTATUS ipasam_enum_trusted_domains(struct pdb_methods *methods, - return NT_STATUS_NO_MEMORY; - } - -- for (entry = ldap_first_entry(priv2ld(ldap_state), result); -+ for (entry = ldap_first_entry(priv2ld(ipasam_state), result); - entry != NULL; -- entry = ldap_next_entry(priv2ld(ldap_state), entry)) -+ entry = ldap_next_entry(priv2ld(ipasam_state), entry)) - { - struct pdb_trusted_domain *dom_info; - -- if (!fill_pdb_trusted_domain(*domains, ldap_state, entry, -+ if (!fill_pdb_trusted_domain(*domains, ipasam_state, entry, - &dom_info)) { - talloc_free(*domains); - return NT_STATUS_UNSUCCESSFUL; -@@ -2830,7 +2873,7 @@ static uint32_t pdb_ipasam_capabilities(struct pdb_methods *methods) - - static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, - LDAPMessage *entry, -- struct ldapsam_privates *ldap_state) -+ struct ipasam_private *ipasam_state) - { - NTSTATUS status; - struct dom_sid *u_sid; -@@ -2847,7 +2890,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, - return false; - } - -- if (!pdb_set_domain(user, ldap_state->domain_name, PDB_DEFAULT)) { -+ if (!pdb_set_domain(user, ipasam_state->domain_name, PDB_DEFAULT)) { - return false; - } - -@@ -2864,14 +2907,14 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, - return false; - } - -- sid_str = get_single_attribute(user, priv2ld(ldap_state), entry, -+ sid_str = get_single_attribute(user, priv2ld(ipasam_state), entry, - LDAP_ATTRIBUTE_SID); - if (sid_str == NULL) { - DEBUG(5, ("Missing SID for trusted domain object.\n")); - return false; - } - -- err = sss_idmap_sid_to_smb_sid(ldap_state->ipasam_privates->idmap_ctx, -+ err = sss_idmap_sid_to_smb_sid(ipasam_state->idmap_ctx, - sid_str, &u_sid); - if (err != IDMAP_SUCCESS) { - DEBUG(10, ("Could not convert string %s to sid.\n", sid_str)); -@@ -2886,7 +2929,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td, - } - talloc_free(u_sid); - -- g_sid = &ldap_state->ipasam_privates->fallback_primary_group; -+ g_sid = &ipasam_state->fallback_primary_group; - if (!pdb_set_group_sid(user, g_sid, PDB_SET)) { - return false; - } -@@ -2916,7 +2959,7 @@ done: - return res; - } - --static bool ipasam_nthash_retrieve(struct ldapsam_privates *ldap_state, -+static bool ipasam_nthash_retrieve(struct ipasam_private *ipasam_state, - TALLOC_CTX *mem_ctx, - char *entry_dn, - DATA_BLOB *nthash) -@@ -2926,13 +2969,13 @@ static bool ipasam_nthash_retrieve(struct ldapsam_privates *ldap_state, - LDAPMessage *result; - LDAPMessage *entry = NULL; - int count; -- struct smbldap_state *smbldap_state = ldap_state->smbldap_state; -+ struct smbldap_state *ldap_state = ipasam_state->ldap_state; - const char *attr_list[] = { - LDAP_ATTRIBUTE_NTHASH, - NULL - }; - -- ret = smbldap_search(smbldap_state, entry_dn, -+ ret = smbldap_search(ldap_state, entry_dn, - LDAP_SCOPE_BASE, "(objectclass=*)", attr_list, 0, - &result); - if (ret != LDAP_SUCCESS) { -@@ -2941,7 +2984,7 @@ static bool ipasam_nthash_retrieve(struct ldapsam_privates *ldap_state, - return false; - } - -- count = ldap_count_entries(smbldap_state->ldap_struct, result); -+ count = ldap_count_entries(priv2ld(ipasam_state), result); - - if (count != 1) { - DEBUG(1, ("Unexpected number of results [%d] for NT hash " -@@ -2950,7 +2993,7 @@ static bool ipasam_nthash_retrieve(struct ldapsam_privates *ldap_state, - return false; - } - -- entry = ldap_first_entry(smbldap_state->ldap_struct, result); -+ entry = ldap_first_entry(priv2ld(ipasam_state), result); - if (entry == NULL) { - DEBUG(0, ("Could not get entry\n")); - ldap_msgfree(result); -@@ -2958,14 +3001,14 @@ static bool ipasam_nthash_retrieve(struct ldapsam_privates *ldap_state, - } - - retval = smbldap_talloc_single_blob(mem_ctx, -- smbldap_state->ldap_struct, -+ priv2ld(ipasam_state), - entry, LDAP_ATTRIBUTE_NTHASH, - nthash); - ldap_msgfree(result); - return retval; - } - --static bool ipasam_nthash_regen(struct ldapsam_privates *ldap_state, -+static bool ipasam_nthash_regen(struct ipasam_private *ipasam_state, - TALLOC_CTX *mem_ctx, - char * entry_dn) - { -@@ -2975,14 +3018,14 @@ static bool ipasam_nthash_regen(struct ldapsam_privates *ldap_state, - smbldap_set_mod(&mods, LDAP_MOD_ADD, LDAP_ATTRIBUTE_NTHASH, "MagicRegen"); - smbldap_talloc_autofree_ldapmod(mem_ctx, mods); - -- ret = smbldap_modify(ldap_state->smbldap_state, entry_dn, mods); -+ ret = smbldap_modify(ipasam_state->ldap_state, entry_dn, mods); - if (ret != LDAP_SUCCESS) { - DEBUG(5, ("ipasam: attempt to regen ipaNTHash failed\n")); - } - return (ret == LDAP_SUCCESS); - } - --static int ipasam_get_sid_by_gid(struct ldapsam_privates *ldap_state, -+static int ipasam_get_sid_by_gid(struct ipasam_private *ipasam_state, - uint32_t gid, - struct dom_sid *_sid) - { -@@ -3014,8 +3057,8 @@ static int ipasam_get_sid_by_gid(struct ldapsam_privates *ldap_state, - goto done; - } - -- ret = smbldap_search(ldap_state->smbldap_state, -- ldap_state->ipasam_privates->base_dn, -+ ret = smbldap_search(ipasam_state->ldap_state, -+ ipasam_state->base_dn, - LDAP_SCOPE_SUBTREE,filter, NULL, 0, - &result); - if (ret != LDAP_SUCCESS) { -@@ -3023,28 +3066,27 @@ static int ipasam_get_sid_by_gid(struct ldapsam_privates *ldap_state, - goto done; - } - -- count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, -- result); -+ count = ldap_count_entries(priv2ld(ipasam_state), result); - if (count != 1) { - ret = ENOENT; - goto done; - } - -- entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result); -+ entry = ldap_first_entry(priv2ld(ipasam_state), result); - if (entry == NULL) { - ret = ENOENT; - goto done; - } - - sid_str = get_single_attribute(tmp_ctx, -- ldap_state->smbldap_state->ldap_struct, -+ priv2ld(ipasam_state), - entry, LDAP_ATTRIBUTE_SID); - if (sid_str == NULL) { - ret = ENOENT; - goto done; - } - -- err = sss_idmap_sid_to_smb_sid(ldap_state->ipasam_privates->idmap_ctx, -+ err = sss_idmap_sid_to_smb_sid(ipasam_state->idmap_ctx, - sid_str, &sid); - if (err != IDMAP_SUCCESS) { - ret = EFAULT; -@@ -3067,7 +3109,7 @@ done: - } - - static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx, -- struct ldapsam_privates *ldap_state, -+ struct ipasam_private *ipasam_state, - LDAPMessage *entry, - struct dom_sid **_group_sid) - { -@@ -3082,14 +3124,14 @@ static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx, - return ENOMEM; - } - -- if (!get_uint32_t_from_ldap_msg(ldap_state, entry, -+ if (!get_uint32_t_from_ldap_msg(ipasam_state, entry, - LDAP_ATTRIBUTE_UIDNUMBER, &uid)) { - ret = ENOENT; - DEBUG(1, ("No uidnumber attribute found for this user!\n")); - goto done; - } - -- if (!get_uint32_t_from_ldap_msg(ldap_state, entry, -+ if (!get_uint32_t_from_ldap_msg(ipasam_state, entry, - LDAP_ATTRIBUTE_GIDNUMBER, &gid)) { - ret = ENOENT; - DEBUG(1, ("No gidnumber attribute found for this user!\n")); -@@ -3104,11 +3146,11 @@ static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx, - - if (uid == gid) { /* User private group, use default fallback group */ - sid_copy(group_sid, -- &ldap_state->ipasam_privates->fallback_primary_group); -+ &ipasam_state->fallback_primary_group); - ret = 0; - goto done; - } else { -- ret = ipasam_get_sid_by_gid(ldap_state, gid, group_sid); -+ ret = ipasam_get_sid_by_gid(ipasam_state, gid, group_sid); - if (ret != 0) { - goto done; - } -@@ -3130,7 +3172,7 @@ done: - return ret; - } - --static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state, -+static bool init_sam_from_ldap(struct ipasam_private *ipasam_state, - struct samu * sampass, - LDAPMessage * entry) - { -@@ -3153,18 +3195,18 @@ static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state, - if (!tmp_ctx) { - return false; - } -- if (sampass == NULL || ldap_state == NULL || entry == NULL) { -+ if (sampass == NULL || ipasam_state == NULL || entry == NULL) { - DEBUG(0, ("init_sam_from_ldap: NULL parameters found!\n")); - goto fn_exit; - } - -- if (priv2ld(ldap_state) == NULL) { -- DEBUG(0, ("init_sam_from_ldap: ldap_state->smbldap_state->" -+ if (priv2ld(ipasam_state) == NULL) { -+ DEBUG(0, ("init_sam_from_ldap: ipasam_state->ldap_state->" - "ldap_struct is NULL!\n")); - goto fn_exit; - } - -- if (!(username = smbldap_talloc_first_attribute(priv2ld(ldap_state), -+ if (!(username = smbldap_talloc_first_attribute(priv2ld(ipasam_state), - entry, LDAP_ATTRIBUTE_UID, tmp_ctx))) { - DEBUG(1, ("init_sam_from_ldap: No uid attribute found for " - "this user!\n")); -@@ -3178,7 +3220,7 @@ static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state, - goto fn_exit; - } - -- domain = talloc_strdup(tmp_ctx, ldap_state->domain_name); -+ domain = talloc_strdup(tmp_ctx, ipasam_state->domain_name); - if (!domain) { - goto fn_exit; - } -@@ -3189,12 +3231,12 @@ static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state, - pdb_set_nt_username(sampass, nt_username, PDB_SET); - - if ((temp = smbldap_talloc_single_attribute( -- ldap_state->smbldap_state->ldap_struct, -+ priv2ld(ipasam_state), - entry, LDAP_ATTRIBUTE_SECURITY_IDENTIFIER, - tmp_ctx)) != NULL) { - pdb_set_user_sid_from_string(sampass, temp, PDB_SET); - -- status = ipasam_get_primary_group_sid(tmp_ctx, ldap_state, -+ status = ipasam_get_primary_group_sid(tmp_ctx, ipasam_state, - entry, &group_sid); - if (status != 0) { - goto fn_exit; -@@ -3204,7 +3246,7 @@ static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state, - } - - fullname = smbldap_talloc_single_attribute( -- ldap_state->smbldap_state->ldap_struct, -+ priv2ld(ipasam_state), - entry, - LDAP_ATTRIBUTE_CN, - tmp_ctx); -@@ -3213,28 +3255,28 @@ static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state, - } - - dir_drive = smbldap_talloc_single_attribute( -- ldap_state->smbldap_state->ldap_struct, -+ priv2ld(ipasam_state), - entry, LDAP_ATTRIBUTE_HOME_DRIVE, tmp_ctx); - if (dir_drive) { - pdb_set_dir_drive(sampass, dir_drive, PDB_SET); - } - - homedir = smbldap_talloc_single_attribute( -- ldap_state->smbldap_state->ldap_struct, -+ priv2ld(ipasam_state), - entry, LDAP_ATTRIBUTE_HOME_PATH, tmp_ctx); - if (homedir) { - pdb_set_homedir(sampass, homedir, PDB_SET); - } - - logon_script = smbldap_talloc_single_attribute( -- ldap_state->smbldap_state->ldap_struct, -+ priv2ld(ipasam_state), - entry, LDAP_ATTRIBUTE_LOGON_SCRIPT, tmp_ctx); - if (logon_script) { - pdb_set_logon_script(sampass, logon_script, PDB_SET); - } - - profile_path = smbldap_talloc_single_attribute( -- ldap_state->smbldap_state->ldap_struct, -+ priv2ld(ipasam_state), - entry, LDAP_ATTRIBUTE_PROFILE_PATH, tmp_ctx); - if (profile_path) { - pdb_set_profile_path(sampass, profile_path, PDB_SET); -@@ -3244,7 +3286,7 @@ static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state, - pdb_set_acct_ctrl(sampass, ACB_NORMAL, PDB_SET); - - retval = smbldap_talloc_single_blob(tmp_ctx, -- ldap_state->smbldap_state->ldap_struct, -+ priv2ld(ipasam_state), - entry, LDAP_ATTRIBUTE_NTHASH, - &nthash); - if (!retval) { -@@ -3253,12 +3295,12 @@ static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state, - * IPA 389-ds plugin allows to ask for it by setting - * ipaNTHash to MagicRegen value. - * */ -- temp = smbldap_talloc_dn(tmp_ctx, ldap_state->smbldap_state->ldap_struct, entry); -+ temp = smbldap_talloc_dn(tmp_ctx, priv2ld(ipasam_state), entry); - if (temp) { -- retval = ipasam_nthash_regen(ldap_state, -+ retval = ipasam_nthash_regen(ipasam_state, - tmp_ctx, temp); - if (retval) { -- retval = ipasam_nthash_retrieve(ldap_state, -+ retval = ipasam_nthash_retrieve(ipasam_state, - tmp_ctx, temp, &nthash); - } - } -@@ -3293,8 +3335,8 @@ static NTSTATUS getsam_interdom_trust_account(struct pdb_methods *methods, - const char *sname, int lastidx) - { - char *dom_name; -- struct ldapsam_privates *ldap_state = -- (struct ldapsam_privates *) methods->private_data; -+ struct ipasam_private *ipasam_state = -+ talloc_get_type_abort(methods->private_data, struct ipasam_private); - TALLOC_CTX *tmp_ctx; - struct pdb_trusted_domain *td; - NTSTATUS status; -@@ -3316,7 +3358,7 @@ static NTSTATUS getsam_interdom_trust_account(struct pdb_methods *methods, - } - dom_name[lastidx] = '\0'; - -- if (!get_trusted_domain_by_name_int(ldap_state, tmp_ctx, dom_name, -+ if (!get_trusted_domain_by_name_int(ipasam_state, tmp_ctx, dom_name, - &entry)) { - status = NT_STATUS_UNSUCCESSFUL; - goto done; -@@ -3328,12 +3370,12 @@ static NTSTATUS getsam_interdom_trust_account(struct pdb_methods *methods, - goto done; - } - -- if (!fill_pdb_trusted_domain(tmp_ctx, ldap_state, entry, &td)) { -+ if (!fill_pdb_trusted_domain(tmp_ctx, ipasam_state, entry, &td)) { - status = NT_STATUS_UNSUCCESSFUL; - goto done; - } - -- if (!init_sam_from_td(user, td, entry, ldap_state)) { -+ if (!init_sam_from_td(user, td, entry, ipasam_state)) { - DEBUG(5, ("init_sam_from_td failed.\n")); - status = NT_STATUS_NO_SUCH_USER; - goto done; -@@ -3346,12 +3388,12 @@ done: - return status; - } - --static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *methods, -+static NTSTATUS ipasam_getsampwnam(struct pdb_methods *methods, - struct samu *user, - const char *sname) - { -- struct ldapsam_privates *ldap_state = -- (struct ldapsam_privates *) methods->private_data; -+ struct ipasam_private *ipasam_state = -+ talloc_get_type_abort(methods->private_data, struct ipasam_private); - int lastidx; - TALLOC_CTX *tmp_ctx; - NTSTATUS status; -@@ -3398,8 +3440,8 @@ static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *methods, - goto done; - } - -- ret = smbldap_search(ldap_state->smbldap_state, -- ldap_state->ipasam_privates->base_dn, -+ ret = smbldap_search(ipasam_state->ldap_state, -+ ipasam_state->base_dn, - LDAP_SCOPE_SUBTREE,filter, NULL, 0, - &result); - if (ret != LDAP_SUCCESS) { -@@ -3407,20 +3449,19 @@ static NTSTATUS ldapsam_getsampwnam(struct pdb_methods *methods, - goto done; - } - -- count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, -- result); -+ count = ldap_count_entries(priv2ld(ipasam_state), result); - if (count != 1) { - status = NT_STATUS_NO_SUCH_USER; - goto done; - } - -- entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, result); -+ entry = ldap_first_entry(priv2ld(ipasam_state), result); - if (entry == NULL) { - status = NT_STATUS_NO_SUCH_USER; - goto done; - } - -- if (!init_sam_from_ldap(ldap_state, user, entry)) { -+ if (!init_sam_from_ldap(ipasam_state, user, entry)) { - status = NT_STATUS_NO_SUCH_USER; - goto done; - } -@@ -3507,8 +3548,8 @@ static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pd - TALLOC_CTX *mem_ctx) - { - struct pdb_domain_info *info; -- struct ldapsam_privates *ldap_state = -- (struct ldapsam_privates *)pdb_methods->private_data; -+ struct ipasam_private *ipasam_state = -+ talloc_get_type_abort(pdb_methods->private_data, struct ipasam_private); - char sid_buf[24]; - DATA_BLOB sid_blob; - NTSTATUS status; -@@ -3519,24 +3560,24 @@ static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pd - return NULL; - } - -- info->name = talloc_strdup(info, ldap_state->ipasam_privates->flat_name); -+ info->name = talloc_strdup(info, ipasam_state->flat_name); - if (info->name == NULL) { - DEBUG(1, ("talloc_strdup domain_name failed\n")); - goto fail; - } - -- status = ipasam_get_domain_name(ldap_state, info, &info->dns_domain); -+ status = ipasam_get_domain_name(ipasam_state, info, &info->dns_domain); - if (!NT_STATUS_IS_OK(status) || (info->dns_domain == NULL)) { - goto fail; - } - info->dns_forest = talloc_strdup(info, info->dns_domain); - - /* we expect a domain SID to have 4 sub IDs */ -- if (ldap_state->domain_sid.num_auths != 4) { -+ if (ipasam_state->domain_sid.num_auths != 4) { - goto fail; - } - -- sid_copy(&info->sid, &ldap_state->domain_sid); -+ sid_copy(&info->sid, &ipasam_state->domain_sid); - - if (!sid_linearize(sid_buf, sizeof(sid_buf), &info->sid)) { - goto fail; -@@ -3561,19 +3602,19 @@ fail: - - static void ipasam_free_private_data(void **vp) - { -- struct ldapsam_privates **ldap_state = (struct ldapsam_privates **)vp; -+ struct ipasam_private **ipasam_state = (struct ipasam_private **)vp; - -- smbldap_free_struct(&(*ldap_state)->smbldap_state); -+ smbldap_free_struct(&(*ipasam_state)->ldap_state); - -- if ((*ldap_state)->result != NULL) { -- ldap_msgfree((*ldap_state)->result); -- (*ldap_state)->result = NULL; -+ if ((*ipasam_state)->result != NULL) { -+ ldap_msgfree((*ipasam_state)->result); -+ (*ipasam_state)->result = NULL; - } -- if ((*ldap_state)->domain_dn != NULL) { -- SAFE_FREE((*ldap_state)->domain_dn); -+ if ((*ipasam_state)->domain_dn != NULL) { -+ SAFE_FREE((*ipasam_state)->domain_dn); - } - -- *ldap_state = NULL; -+ *ipasam_state = NULL; - - /* No need to free any further, as it is talloc()ed */ - } -@@ -3595,10 +3636,12 @@ static struct dom_sid *get_fallback_group_sid(TALLOC_CTX *mem_ctx, - NULL}; - LDAPMessage *result; - LDAPMessage *entry; -+ LDAP *ld = NULL; - enum idmap_error_code err; - struct dom_sid *fallback_group_sid; - -- dn = get_single_attribute(mem_ctx, ldap_state->ldap_struct, -+ ld = _smbldap_get_ldap(ldap_state); -+ dn = get_single_attribute(mem_ctx, ld, - dom_entry, - LDAP_ATTRIBUTE_FALLBACK_PRIMARY_GROUP); - if (dn == NULL) { -@@ -3615,14 +3658,15 @@ static struct dom_sid *get_fallback_group_sid(TALLOC_CTX *mem_ctx, - return NULL; - } - -- entry = ldap_first_entry(ldap_state->ldap_struct, result); -+ ld = _smbldap_get_ldap(ldap_state); -+ entry = ldap_first_entry(ld, result); - if (entry == NULL) { - DEBUG(0, ("Could not get fallback group entry\n")); - ldap_msgfree(result); - return NULL; - } - -- sid = get_single_attribute(mem_ctx, ldap_state->ldap_struct, -+ sid = get_single_attribute(mem_ctx, ld, - entry, LDAP_ATTRIBUTE_SID); - if (sid == NULL) { - DEBUG(0, ("Missing mandatory attribute %s.\n", -@@ -3640,7 +3684,7 @@ static struct dom_sid *get_fallback_group_sid(TALLOC_CTX *mem_ctx, - } - talloc_free(sid); - -- gidnumber = get_single_attribute(mem_ctx, ldap_state->ldap_struct, -+ gidnumber = get_single_attribute(mem_ctx, ld, - entry, LDAP_ATTRIBUTE_GIDNUMBER); - if (gidnumber == NULL) { - DEBUG(0, ("Missing mandatory attribute %s.\n", -@@ -3679,7 +3723,7 @@ static NTSTATUS ipasam_search_domain_info(struct smbldap_state *ldap_state, - return NT_STATUS_UNSUCCESSFUL; - } - -- count = ldap_count_entries(ldap_state->ldap_struct, *result); -+ count = ldap_count_entries(_smbldap_get_ldap(ldap_state), *result); - - if (count == 1) { - return NT_STATUS_OK; -@@ -3691,12 +3735,13 @@ static NTSTATUS ipasam_search_domain_info(struct smbldap_state *ldap_state, - return NT_STATUS_UNSUCCESSFUL; - } - --static NTSTATUS ipasam_get_base_dn(struct smbldap_state *smbldap_state, -+static NTSTATUS ipasam_get_base_dn(struct smbldap_state *ldap_state, - TALLOC_CTX *mem_ctx, char **base_dn) - { - int ret; - LDAPMessage *result; - LDAPMessage *entry = NULL; -+ LDAP *ld = NULL; - int count; - char *nc; - const char *attr_list[] = { -@@ -3705,7 +3750,7 @@ static NTSTATUS ipasam_get_base_dn(struct smbldap_state *smbldap_state, - NULL - }; - -- ret = smbldap_search(smbldap_state, "", LDAP_SCOPE_BASE, -+ ret = smbldap_search(ldap_state, "", LDAP_SCOPE_BASE, - "(objectclass=*)", attr_list, 0, &result); - if (ret != LDAP_SUCCESS) { - DEBUG(1, ("Failed to get base DN from RootDSE: %s\n", -@@ -3713,7 +3758,8 @@ static NTSTATUS ipasam_get_base_dn(struct smbldap_state *smbldap_state, - return NT_STATUS_UNSUCCESSFUL; - } - -- count = ldap_count_entries(smbldap_state->ldap_struct, result); -+ ld = _smbldap_get_ldap(ldap_state); -+ count = ldap_count_entries(ld, result); - - if (count != 1) { - DEBUG(1, ("Unexpected number of results [%d] for base DN " -@@ -3722,15 +3768,14 @@ static NTSTATUS ipasam_get_base_dn(struct smbldap_state *smbldap_state, - return NT_STATUS_OK; - } - -- entry = ldap_first_entry(smbldap_state->ldap_struct, -- result); -+ entry = ldap_first_entry(ld, result); - if (entry == NULL) { - DEBUG(0, ("Could not get RootDSE entry\n")); - ldap_msgfree(result); - return NT_STATUS_UNSUCCESSFUL; - } - -- nc = get_single_attribute(mem_ctx, smbldap_state->ldap_struct, entry, -+ nc = get_single_attribute(mem_ctx, ld, entry, - "defaultNamingContext"); - if (nc != NULL) { - *base_dn = nc; -@@ -3738,7 +3783,7 @@ static NTSTATUS ipasam_get_base_dn(struct smbldap_state *smbldap_state, - return NT_STATUS_OK; - } - -- nc = get_single_attribute(mem_ctx, smbldap_state->ldap_struct, entry, -+ nc = get_single_attribute(mem_ctx, ld, entry, - "namingContexts"); - if (nc != NULL) { - *base_dn = nc; -@@ -3750,23 +3795,24 @@ static NTSTATUS ipasam_get_base_dn(struct smbldap_state *smbldap_state, - return NT_STATUS_UNSUCCESSFUL; - } - --static NTSTATUS ipasam_get_domain_name(struct ldapsam_privates *ldap_state, -+static NTSTATUS ipasam_get_domain_name(struct ipasam_private *ipasam_state, - TALLOC_CTX *mem_ctx, - char **domain_name) - { - int ret; - LDAPMessage *result; - LDAPMessage *entry = NULL; -+ LDAP *ld = NULL; - int count; - char *cn; -- struct smbldap_state *smbldap_state = ldap_state->smbldap_state; -+ struct smbldap_state *ldap_state = ipasam_state->ldap_state; - const char *attr_list[] = { - LDAP_ATTRIBUTE_ASSOCIATED_DOMAIN, - NULL - }; - -- ret = smbldap_search(smbldap_state, -- ldap_state->ipasam_privates->base_dn, -+ ret = smbldap_search(ldap_state, -+ ipasam_state->base_dn, - LDAP_SCOPE_BASE, - "objectclass=" LDAP_OBJ_DOMAINRELATED, attr_list, 0, - &result); -@@ -3776,7 +3822,8 @@ static NTSTATUS ipasam_get_domain_name(struct ldapsam_privates *ldap_state, - return NT_STATUS_UNSUCCESSFUL; - } - -- count = ldap_count_entries(smbldap_state->ldap_struct, result); -+ ld = _smbldap_get_ldap(ldap_state); -+ count = ldap_count_entries(ld, result); - - if (count != 1) { - DEBUG(1, ("Unexpected number of results [%d] for domain name " -@@ -3785,14 +3832,14 @@ static NTSTATUS ipasam_get_domain_name(struct ldapsam_privates *ldap_state, - return NT_STATUS_UNSUCCESSFUL; - } - -- entry = ldap_first_entry(smbldap_state->ldap_struct, result); -+ entry = ldap_first_entry(ld, result); - if (entry == NULL) { - DEBUG(0, ("Could not get domainRelatedObject entry\n")); - ldap_msgfree(result); - return NT_STATUS_UNSUCCESSFUL; - } - -- cn = get_single_attribute(mem_ctx, smbldap_state->ldap_struct, entry, -+ cn = get_single_attribute(mem_ctx, ld, entry, - LDAP_ATTRIBUTE_ASSOCIATED_DOMAIN); - if (cn == NULL) { - ldap_msgfree(result); -@@ -3804,33 +3851,33 @@ static NTSTATUS ipasam_get_domain_name(struct ldapsam_privates *ldap_state, - return NT_STATUS_OK; - } - --static NTSTATUS ipasam_get_enctypes(struct ldapsam_privates *ldap_state, -- TALLOC_CTX *mem_ctx, -+static NTSTATUS ipasam_get_enctypes(struct ipasam_private *ipasam_state, - uint32_t *enctypes) - { - int ret; - LDAPMessage *result; - LDAPMessage *entry = NULL; -+ LDAP *ld = NULL; - int count, i; - char **enctype_list, *dn; - krb5_enctype enctype; - krb5_error_code err; -- struct smbldap_state *smbldap_state = ldap_state->smbldap_state; -+ struct smbldap_state *ldap_state = ipasam_state->ldap_state; - const char *attr_list[] = { - "krbDefaultEncSaltTypes", - NULL - }; - -- dn = talloc_asprintf(mem_ctx, "cn=%s,cn=kerberos,%s", -- ldap_state->ipasam_privates->realm, -- ldap_state->ipasam_privates->base_dn); -+ dn = talloc_asprintf(ipasam_state, "cn=%s,cn=kerberos,%s", -+ ipasam_state->realm, -+ ipasam_state->base_dn); - - if (dn == NULL) { - DEBUG(1, ("Failed to construct DN to the realm's kerberos container\n")); - return NT_STATUS_UNSUCCESSFUL; - } - -- ret = smbldap_search(smbldap_state, dn, LDAP_SCOPE_BASE, -+ ret = smbldap_search(ldap_state, dn, LDAP_SCOPE_BASE, - "objectclass=krbrealmcontainer", attr_list, 0, - &result); - if (ret != LDAP_SUCCESS) { -@@ -3840,7 +3887,8 @@ static NTSTATUS ipasam_get_enctypes(struct ldapsam_privates *ldap_state, - return NT_STATUS_UNSUCCESSFUL; - } - -- count = ldap_count_entries(smbldap_state->ldap_struct, result); -+ ld = _smbldap_get_ldap(ldap_state); -+ count = ldap_count_entries(ld, result); - - if (count != 1) { - DEBUG(1, ("Unexpected number of results [%d] for realm " -@@ -3850,7 +3898,7 @@ static NTSTATUS ipasam_get_enctypes(struct ldapsam_privates *ldap_state, - return NT_STATUS_UNSUCCESSFUL; - } - -- entry = ldap_first_entry(smbldap_state->ldap_struct, result); -+ entry = ldap_first_entry(ld, result); - if (entry == NULL) { - DEBUG(0, ("Could not get krbrealmcontainer entry\n")); - ldap_msgfree(result); -@@ -3858,7 +3906,7 @@ static NTSTATUS ipasam_get_enctypes(struct ldapsam_privates *ldap_state, - return NT_STATUS_UNSUCCESSFUL; - } - -- enctype_list = get_attribute_values(dn, smbldap_state->ldap_struct, entry, -+ enctype_list = get_attribute_values(dn, ld, entry, - "krbDefaultEncSaltTypes", &count); - ldap_msgfree(result); - if (enctype_list == NULL) { -@@ -3904,23 +3952,23 @@ static NTSTATUS ipasam_get_enctypes(struct ldapsam_privates *ldap_state, - return NT_STATUS_OK; - } - --static NTSTATUS ipasam_get_realm(struct ldapsam_privates *ldap_state, -- TALLOC_CTX *mem_ctx, -+static NTSTATUS ipasam_get_realm(struct ipasam_private *ipasam_state, - char **realm) - { - int ret; - LDAPMessage *result; - LDAPMessage *entry = NULL; -+ LDAP *ld = NULL; - int count; - char *cn; -- struct smbldap_state *smbldap_state = ldap_state->smbldap_state; -+ struct smbldap_state *ldap_state = ipasam_state->ldap_state; - const char *attr_list[] = { - "cn", - NULL - }; - -- ret = smbldap_search(smbldap_state, -- ldap_state->ipasam_privates->base_dn, -+ ret = smbldap_search(ldap_state, -+ ipasam_state->base_dn, - LDAP_SCOPE_SUBTREE, - "objectclass=krbrealmcontainer", attr_list, 0, - &result); -@@ -3930,7 +3978,8 @@ static NTSTATUS ipasam_get_realm(struct ldapsam_privates *ldap_state, - return NT_STATUS_UNSUCCESSFUL; - } - -- count = ldap_count_entries(smbldap_state->ldap_struct, result); -+ ld = _smbldap_get_ldap(ldap_state); -+ count = ldap_count_entries(ld, result); - - if (count != 1) { - DEBUG(1, ("Unexpected number of results [%d] for realm " -@@ -3939,15 +3988,15 @@ static NTSTATUS ipasam_get_realm(struct ldapsam_privates *ldap_state, - return NT_STATUS_OK; - } - -- entry = ldap_first_entry(smbldap_state->ldap_struct, -- result); -+ entry = ldap_first_entry(ld, result); - if (entry == NULL) { - DEBUG(0, ("Could not get krbrealmcontainer entry\n")); - ldap_msgfree(result); - return NT_STATUS_UNSUCCESSFUL; - } - -- cn = get_single_attribute(mem_ctx, smbldap_state->ldap_struct, entry, -+ cn = get_single_attribute(ipasam_state, ld, -+ entry, - "cn"); - if (cn == NULL) { - ldap_msgfree(result); -@@ -3968,11 +4017,12 @@ static NTSTATUS ipasam_enum_upn_suffixes(struct pdb_methods *pdb_methods, - int ret; - LDAPMessage *result; - LDAPMessage *entry = NULL; -+ LDAP *ld = NULL; - int count, i; - char *realmdomains_dn = NULL; - char **domains = NULL; -- struct ldapsam_privates *ldap_state; -- struct smbldap_state *smbldap_state; -+ struct ipasam_private *ipasam_state; -+ struct smbldap_state *ldap_state; - const char *attr_list[] = { - LDAP_ATTRIBUTE_ASSOCIATED_DOMAIN, - NULL -@@ -3982,16 +4032,16 @@ static NTSTATUS ipasam_enum_upn_suffixes(struct pdb_methods *pdb_methods, - return NT_STATUS_UNSUCCESSFUL; - } - -- ldap_state = (struct ldapsam_privates *)pdb_methods->private_data; -- smbldap_state = ldap_state->smbldap_state; -+ ipasam_state = talloc_get_type_abort(pdb_methods->private_data, struct ipasam_private); -+ ldap_state = ipasam_state->ldap_state; - - realmdomains_dn = talloc_asprintf(mem_ctx, "%s,%s", LDAP_CN_REALM_DOMAINS, -- ldap_state->ipasam_privates->base_dn); -+ ipasam_state->base_dn); - if (realmdomains_dn == NULL) { - return NT_STATUS_NO_MEMORY; - } - -- ret = smbldap_search(smbldap_state, -+ ret = smbldap_search(ldap_state, - realmdomains_dn, - LDAP_SCOPE_BASE, - "objectclass=" LDAP_OBJ_DOMAINRELATED, attr_list, 0, -@@ -4002,7 +4052,8 @@ static NTSTATUS ipasam_enum_upn_suffixes(struct pdb_methods *pdb_methods, - return NT_STATUS_UNSUCCESSFUL; - } - -- count = ldap_count_entries(smbldap_state->ldap_struct, result); -+ ld = _smbldap_get_ldap(ldap_state); -+ count = ldap_count_entries(ld, result); - if (count != 1) { - DEBUG(1, ("Unexpected number of results [%d] for realm domains " - "search.\n", count)); -@@ -4010,14 +4061,14 @@ static NTSTATUS ipasam_enum_upn_suffixes(struct pdb_methods *pdb_methods, - return NT_STATUS_UNSUCCESSFUL; - } - -- entry = ldap_first_entry(smbldap_state->ldap_struct, result); -+ entry = ldap_first_entry(ld, result); - if (entry == NULL) { - DEBUG(0, ("Could not get domainRelatedObject entry\n")); - ldap_msgfree(result); - return NT_STATUS_UNSUCCESSFUL; - } - -- domains = get_attribute_values(mem_ctx, smbldap_state->ldap_struct, entry, -+ domains = get_attribute_values(mem_ctx, ld, entry, - LDAP_ATTRIBUTE_ASSOCIATED_DOMAIN, &count); - if (domains == NULL) { - ldap_msgfree(result); -@@ -4027,7 +4078,7 @@ static NTSTATUS ipasam_enum_upn_suffixes(struct pdb_methods *pdb_methods, - /* Since associatedDomain has attributeType MUST, there must be at least one domain */ - for (i = 0; i < count ; i++) { - /* TODO: use comparison function friendly to IDN */ -- if (strcasecmp(ldap_state->domain_name, domains[i]) == 0) { -+ if (strcasecmp(ipasam_state->domain_name, domains[i]) == 0) { - break; - } - } -@@ -4078,7 +4129,7 @@ static char *sec_key(TALLOC_CTX *mem_ctx, const char *d) - return res; - } - --static NTSTATUS save_sid_to_secret(struct ldapsam_privates *ldap_state) -+static NTSTATUS save_sid_to_secret(struct ipasam_private *ipasam_state) - { - char hostname[255]; - int ret; -@@ -4091,16 +4142,16 @@ static NTSTATUS save_sid_to_secret(struct ldapsam_privates *ldap_state) - return NT_STATUS_NO_MEMORY; - } - -- if (!secrets_store(sec_key(tmp_ctx, ldap_state->domain_name), -- &ldap_state->domain_sid, sizeof(struct dom_sid))) { -+ if (!secrets_store(sec_key(tmp_ctx, ipasam_state->domain_name), -+ &ipasam_state->domain_sid, sizeof(struct dom_sid))) { - DEBUG(1, ("Failed to store domain SID")); - status = NT_STATUS_UNSUCCESSFUL; - goto done; - } - - if (!secrets_store(sec_key(tmp_ctx, -- ldap_state->ipasam_privates->flat_name), -- &ldap_state->domain_sid, sizeof(struct dom_sid))) { -+ ipasam_state->flat_name), -+ &ipasam_state->domain_sid, sizeof(struct dom_sid))) { - DEBUG(1, ("Failed to store domain SID")); - status = NT_STATUS_UNSUCCESSFUL; - goto done; -@@ -4119,7 +4170,7 @@ static NTSTATUS save_sid_to_secret(struct ldapsam_privates *ldap_state) - } - - if (!secrets_store(sec_key(tmp_ctx, hostname), -- &ldap_state->domain_sid, sizeof(struct dom_sid))) { -+ &ipasam_state->domain_sid, sizeof(struct dom_sid))) { - DEBUG(1, ("Failed to store domain SID")); - status = NT_STATUS_UNSUCCESSFUL; - goto done; -@@ -4241,20 +4292,21 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo - krb5_creds in_creds; - - struct ipasam_sasl_interact_priv data; -- struct ipasam_privates *ipasam_private = NULL; -+ struct ipasam_private *ipasam_state = NULL; - int ret; - - memset(&data, 0, sizeof(struct ipasam_sasl_interact_priv)); - memset(&in_creds, 0, sizeof(krb5_creds)); - -- ipasam_private = (struct ipasam_privates*)ipasam_priv; -+ ipasam_state = talloc_get_type_abort(ipasam_priv, struct ipasam_private); - -- if ((ipasam_private->client_princ == NULL) || (ipasam_private->server_princ == NULL)) { -+ if ((ipasam_state->client_princ == NULL) || -+ (ipasam_state->server_princ == NULL)) { - DEBUG(0, ("bind_callback: ipasam service principals are not set, cannot use GSSAPI bind\n")); - return LDAP_LOCAL_ERROR; - } - -- data.name = ipasam_private->client_princ; -+ data.name = ipasam_state->client_princ; - data.name_len = strlen(data.name); - - rc = krb5_init_context(&data.context); -@@ -4281,14 +4333,14 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo - return LDAP_LOCAL_ERROR; - } - -- rc = krb5_parse_name(data.context, ipasam_private->client_princ, &in_creds.client); -+ rc = krb5_parse_name(data.context, ipasam_state->client_princ, &in_creds.client); - if (rc) { - krb5_free_principal(data.context, data.creds.client); - bind_callback_cleanup(&data, rc); - return LDAP_LOCAL_ERROR; - } - -- rc = krb5_parse_name(data.context, ipasam_private->server_princ, &in_creds.server); -+ rc = krb5_parse_name(data.context, ipasam_state->server_princ, &in_creds.server); - if (rc) { - krb5_free_principal(data.context, in_creds.server); - bind_callback_cleanup(&data, rc); -@@ -4357,7 +4409,7 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo - return ret; - } - --static NTSTATUS ipasam_generate_principals(struct ipasam_privates *privates) { -+static NTSTATUS ipasam_generate_principals(struct ipasam_private *ipasam_state) { - - krb5_error_code rc; - int ret; -@@ -4366,7 +4418,7 @@ static NTSTATUS ipasam_generate_principals(struct ipasam_privates *privates) { - char hostname[255]; - char *default_realm = NULL; - -- if (!privates) { -+ if (!ipasam_state) { - return status; - } - -@@ -4387,33 +4439,33 @@ static NTSTATUS ipasam_generate_principals(struct ipasam_privates *privates) { - goto done; - }; - -- if (privates->client_princ) { -- talloc_free(privates->client_princ); -- privates->client_princ = NULL; -+ if (ipasam_state->client_princ) { -+ talloc_free(ipasam_state->client_princ); -+ ipasam_state->client_princ = NULL; - } - -- privates->client_princ = talloc_asprintf(privates, -- "cifs/%s@%s", -- hostname, -- default_realm); -+ ipasam_state->client_princ = talloc_asprintf(ipasam_state, -+ "cifs/%s@%s", -+ hostname, -+ default_realm); - -- if (privates->client_princ == NULL) { -+ if (ipasam_state->client_princ == NULL) { - DEBUG(0, ("Failed to create ipasam client principal.\n")); - status = NT_STATUS_NO_MEMORY; - goto done; - } - -- if (privates->server_princ) { -- talloc_free(privates->server_princ); -- privates->server_princ = NULL; -+ if (ipasam_state->server_princ) { -+ talloc_free(ipasam_state->server_princ); -+ ipasam_state->server_princ = NULL; - } - -- privates->server_princ = talloc_asprintf(privates, -- "ldap/%s@%s", -- hostname, -- default_realm); -+ ipasam_state->server_princ = talloc_asprintf(ipasam_state, -+ "ldap/%s@%s", -+ hostname, -+ default_realm); - -- if (privates->server_princ == NULL) { -+ if (ipasam_state->server_princ == NULL) { - DEBUG(0, ("Failed to create ipasam server principal.\n")); - status = NT_STATUS_NO_MEMORY; - goto done; -@@ -4436,7 +4488,7 @@ done: - static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, - const char *location) - { -- struct ldapsam_privates *ldap_state; -+ struct ipasam_private *ipasam_state; - - char *uri; - NTSTATUS status; -@@ -4458,25 +4510,18 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, - - (*pdb_method)->name = "ipasam"; - -- if ( !(ldap_state = talloc_zero(*pdb_method, struct ldapsam_privates)) ) { -- DEBUG(0, ("pdb_init_ipasam: talloc() failed for ldapsam private_data!\n")); -- return NT_STATUS_NO_MEMORY; -- } -- -- ldap_state->ipasam_privates = talloc_zero(ldap_state, -- struct ipasam_privates); -- if (ldap_state->ipasam_privates == NULL) { -+ if ( !(ipasam_state = talloc_zero(*pdb_method, struct ipasam_private)) ) { -+ DEBUG(0, ("pdb_init_ipasam: talloc() failed for ipasam private_data!\n")); - return NT_STATUS_NO_MEMORY; - } -- ldap_state->is_ipa_ldap = true; - -- uri = talloc_strdup( NULL, location ); -+ uri = talloc_strdup(ipasam_state, location ); - if (uri == NULL) { - return NT_STATUS_NO_MEMORY; - } - trim_string( uri, "\"", "\"" ); - -- status = ipasam_generate_principals(ldap_state->ipasam_privates); -+ status = ipasam_generate_principals(ipasam_state); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Failed to generate kerberos principal for LDAP authentication.\n")); -@@ -4484,11 +4529,11 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, - } else { - /* We authenticate via GSSAPI and thus will use kerberos principal to bind our access */ - status = smbldap_init(*pdb_method, pdb_get_tevent_context(), -- uri, false, NULL, NULL, -- &ldap_state->smbldap_state); -+ uri, false, NULL, NULL, -+ &ipasam_state->ldap_state); - if (NT_STATUS_IS_OK(status)) { -- ldap_state->smbldap_state->bind_callback = bind_callback; -- ldap_state->smbldap_state->bind_callback_data = ldap_state->ipasam_privates; -+ ipasam_state->ldap_state->bind_callback = bind_callback; -+ ipasam_state->ldap_state->bind_callback_data = ipasam_state; - } - } - -@@ -4497,47 +4542,46 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, - return status; - } - -- (*pdb_method)->private_data = ldap_state; -+ (*pdb_method)->private_data = ipasam_state; - (*pdb_method)->free_private_data = ipasam_free_private_data; - -- status = ipasam_get_base_dn(ldap_state->smbldap_state, -- ldap_state->ipasam_privates, -- &ldap_state->ipasam_privates->base_dn); -+ status = ipasam_get_base_dn(ipasam_state->ldap_state, -+ ipasam_state, -+ &ipasam_state->base_dn); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Failed to get base DN.\n")); - return status; - } - -- if (!(smbldap_has_extension(priv2ld(ldap_state), IPA_KEYTAB_SET_OID) || -- smbldap_has_extension(priv2ld(ldap_state), IPA_KEYTAB_SET_OID_OLD))) { -+ if (!(smbldap_has_extension(priv2ld(ipasam_state), IPA_KEYTAB_SET_OID) || -+ smbldap_has_extension(priv2ld(ipasam_state), IPA_KEYTAB_SET_OID_OLD))) { - DEBUG(0, ("Server is not an IPA server.\n")); - return NT_STATUS_INVALID_PARAMETER; - } - -- ldap_state->ipasam_privates->trust_dn = talloc_asprintf( -- ldap_state->ipasam_privates, -- "cn=ad,cn=trusts,%s", -- ldap_state->ipasam_privates->base_dn); -- if (ldap_state->ipasam_privates->trust_dn == NULL) { -+ ipasam_state->trust_dn = talloc_asprintf(ipasam_state, -+ "cn=ad,cn=trusts,%s", -+ ipasam_state->base_dn); -+ if (ipasam_state->trust_dn == NULL) { - DEBUG(0, ("Failed to create trsut DN.\n")); - return NT_STATUS_NO_MEMORY; - } - -- status = ipasam_get_domain_name(ldap_state, ldap_state, -- (char**) &ldap_state->domain_name); -+ status = ipasam_get_domain_name(ipasam_state, ipasam_state, -+ (char**) &ipasam_state->domain_name); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Failed to get domain name.\n")); - return status; - } - -- status = ipasam_get_realm(ldap_state, ldap_state->ipasam_privates, -- &ldap_state->ipasam_privates->realm); -+ status = ipasam_get_realm(ipasam_state, -+ &ipasam_state->realm); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Failed to get realm.\n")); - return status; - } - -- status = ipasam_search_domain_info(ldap_state->smbldap_state, &result); -+ status = ipasam_search_domain_info(ipasam_state->ldap_state, &result); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("pdb_init_ldapsam: WARNING: Could not get domain " -@@ -4546,8 +4590,7 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; - } - -- entry = ldap_first_entry(ldap_state->smbldap_state->ldap_struct, -- result); -+ entry = ldap_first_entry(priv2ld(ipasam_state), result); - if (entry == NULL) { - DEBUG(0, ("pdb_init_ipasam: Could not get domain info " - "entry\n")); -@@ -4555,39 +4598,38 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, - return NT_STATUS_UNSUCCESSFUL; - } - -- dn = get_dn(ldap_state, ldap_state->smbldap_state->ldap_struct, entry); -+ dn = get_dn(ipasam_state, priv2ld(ipasam_state), entry); - if (dn == NULL) { - ldap_msgfree(result); - return NT_STATUS_UNSUCCESSFUL; - } - -- ldap_state->domain_dn = smb_xstrdup(dn); -+ ipasam_state->domain_dn = smb_xstrdup(dn); - talloc_free(dn); - -- ldap_state->ipasam_privates->flat_name = get_single_attribute( -- ldap_state, -- ldap_state->smbldap_state->ldap_struct, -- entry, -- LDAP_ATTRIBUTE_FLAT_NAME); -- if (ldap_state->ipasam_privates->flat_name == NULL) { -+ ipasam_state->flat_name = get_single_attribute(ipasam_state, -+ priv2ld(ipasam_state), -+ entry, -+ LDAP_ATTRIBUTE_FLAT_NAME); -+ if (ipasam_state->flat_name == NULL) { - DEBUG(0, ("Missing mandatory attribute %s.\n", - LDAP_ATTRIBUTE_FLAT_NAME)); - ldap_msgfree(result); - return NT_STATUS_INVALID_PARAMETER; - } - -- err = sss_idmap_init(idmap_talloc, ldap_state->ipasam_privates, -+ err = sss_idmap_init(idmap_talloc, ipasam_state, - idmap_talloc_free, -- &ldap_state->ipasam_privates->idmap_ctx); -+ &ipasam_state->idmap_ctx); - if (err != IDMAP_SUCCESS) { - DEBUG(1, ("Failed to setup idmap context.\n")); - ldap_msgfree(result); - return NT_STATUS_UNSUCCESSFUL; - } - -- fallback_group_sid = get_fallback_group_sid(ldap_state, -- ldap_state->smbldap_state, -- ldap_state->ipasam_privates->idmap_ctx, -+ fallback_group_sid = get_fallback_group_sid(ipasam_state, -+ ipasam_state->ldap_state, -+ ipasam_state->idmap_ctx, - result, - &fallback_group_gid_str); - if (fallback_group_sid == NULL) { -@@ -4595,8 +4637,7 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, - ldap_msgfree(result); - return NT_STATUS_INVALID_PARAMETER; - } -- sid_copy(&ldap_state->ipasam_privates->fallback_primary_group, -- fallback_group_sid); -+ sid_copy(&ipasam_state->fallback_primary_group, fallback_group_sid); - talloc_free(fallback_group_sid); - - if (fallback_group_gid_str == NULL) { -@@ -4604,17 +4645,15 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, - ldap_msgfree(result); - return NT_STATUS_INVALID_PARAMETER; - } -- ldap_state->ipasam_privates->fallback_primary_group_gid_str = -- fallback_group_gid_str; -+ ipasam_state->fallback_primary_group_gid_str = fallback_group_gid_str; - -- domain_sid_string = get_single_attribute( -- ldap_state, -- ldap_state->smbldap_state->ldap_struct, -- entry, -- LDAP_ATTRIBUTE_SID); -+ domain_sid_string = get_single_attribute(ipasam_state, -+ priv2ld(ipasam_state), -+ entry, -+ LDAP_ATTRIBUTE_SID); - - if (domain_sid_string) { -- err = sss_idmap_sid_to_smb_sid(ldap_state->ipasam_privates->idmap_ctx, -+ err = sss_idmap_sid_to_smb_sid(ipasam_state->idmap_ctx, - domain_sid_string, - &ldap_domain_sid); - if (err != IDMAP_SUCCESS) { -@@ -4624,11 +4663,11 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, - TALLOC_FREE(domain_sid_string); - return NT_STATUS_INVALID_PARAMETER; - } -- sid_copy(&ldap_state->domain_sid, ldap_domain_sid); -+ sid_copy(&ipasam_state->domain_sid, ldap_domain_sid); - talloc_free(ldap_domain_sid); - talloc_free(domain_sid_string); - -- status = save_sid_to_secret(ldap_state); -+ status = save_sid_to_secret(ipasam_state); - if (!NT_STATUS_IS_OK(status)) { - ldap_msgfree(result); - return status; -@@ -4637,8 +4676,7 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, - - ldap_msgfree(result); - -- status = ipasam_get_enctypes(ldap_state, -- ldap_state->ipasam_privates, -+ status = ipasam_get_enctypes(ipasam_state, - &enctypes); - - if (!NT_STATUS_IS_OK(status)) { -@@ -4647,20 +4685,20 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, - KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96; - } - -- ldap_state->ipasam_privates->supported_enctypes = enctypes; -+ ipasam_state->supported_enctypes = enctypes; - -- (*pdb_method)->getsampwnam = ldapsam_getsampwnam; -- (*pdb_method)->search_users = ldapsam_search_users; -- (*pdb_method)->search_groups = ldapsam_search_groups; -- (*pdb_method)->search_aliases = ldapsam_search_aliases; -+ (*pdb_method)->getsampwnam = ipasam_getsampwnam; -+ (*pdb_method)->search_users = ipasam_search_users; -+ (*pdb_method)->search_groups = ipasam_search_groups; -+ (*pdb_method)->search_aliases = ipasam_search_aliases; - (*pdb_method)->lookup_rids = ldapsam_lookup_rids; - (*pdb_method)->sid_to_id = ldapsam_sid_to_id; - #if PASSDB_INTERFACE_VERSION >= 24 - /* Since version 24, uid_to_sid() and gid_to_sid() were removed in favor of id_to_sid() */ - (*pdb_method)->id_to_sid = ipasam_id_to_sid; - #else -- (*pdb_method)->uid_to_sid = ldapsam_uid_to_sid; -- (*pdb_method)->gid_to_sid = ldapsam_gid_to_sid; -+ (*pdb_method)->uid_to_sid = ipasam_uid_to_sid; -+ (*pdb_method)->gid_to_sid = ipasam_gid_to_sid; - #endif - - (*pdb_method)->capabilities = pdb_ipasam_capabilities; -@@ -4679,7 +4717,7 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, - #ifdef HAVE_PDB_ENUM_UPN_SUFFIXES - (*pdb_method)->enum_upn_suffixes = ipasam_enum_upn_suffixes; - DEBUG(1, ("pdb_init_ipasam: support for pdb_enum_upn_suffixes " -- "enabled for domain %s\n", ldap_state->domain_name)); -+ "enabled for domain %s\n", ipasam_state->domain_name)); - #endif - - return NT_STATUS_OK; -diff --git a/server.m4 b/server.m4 -index aa784e096..365abb60e 100644 ---- a/server.m4 -+++ b/server.m4 -@@ -106,6 +106,10 @@ AC_CHECK_LIB([$LIBPDB_NAME],[pdb_enum_upn_suffixes], - [AC_MSG_WARN([libpdb does not have pdb_enum_upn_suffixes, no support for realm domains in ipasam])], - [$SAMBA40EXTRA_LIBPATH]) - -+AC_CHECK_LIB([smbldap],[smbldap_get_ldap], -+ [AC_DEFINE([HAVE_SMBLDAP_GET_LDAP], [1], [struct smbldap_state is opaque])], -+ [AC_MSG_WARN([libsmbldap is not opaque, not using smbldap_get_ldap])], -+ [$SAMBA40EXTRA_LIBPATH]) - - dnl --------------------------------------------------------------------------- - dnl Check for libunistring --- -2.13.0 - diff --git a/0005-ipa-sam-use-smbldap_set_bind_callback-for-Samba-4.7-.patch b/0005-ipa-sam-use-smbldap_set_bind_callback-for-Samba-4.7-.patch deleted file mode 100644 index 12c7dd4..0000000 --- a/0005-ipa-sam-use-smbldap_set_bind_callback-for-Samba-4.7-.patch +++ /dev/null @@ -1,54 +0,0 @@ -From dc7dac0196d684b05cef047670ce95278036c5fb Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Mon, 3 Jul 2017 14:38:05 +0300 -Subject: [PATCH 7/7] ipa-sam: use smbldap_set_bind_callback for Samba 4.7 or - later - -Samba 4.7 tightens up smbldap API by making 'struct smbldap_state' an -opaque. This means ipa-sam module cannot anymore directly set its -LDAP bind callback. - -Use new smbldap API to set the LDAP bind callback. - -Fixes https://pagure.io/freeipa/issue/6877 ---- - daemons/ipa-sam/ipa_sam.c | 4 ++++ - server.m4 | 5 +++++ - 2 files changed, 9 insertions(+) - -diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c -index fe9913d61..0cd48d845 100644 ---- a/daemons/ipa-sam/ipa_sam.c -+++ b/daemons/ipa-sam/ipa_sam.c -@@ -4532,8 +4532,12 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method, - uri, false, NULL, NULL, - &ipasam_state->ldap_state); - if (NT_STATUS_IS_OK(status)) { -+#ifdef HAVE_SMBLDAP_SET_BIND_CALLBACK -+ smbldap_set_bind_callback(ipasam_state->ldap_state, bind_callback, ipasam_state); -+#else - ipasam_state->ldap_state->bind_callback = bind_callback; - ipasam_state->ldap_state->bind_callback_data = ipasam_state; -+#endif - } - } - -diff --git a/server.m4 b/server.m4 -index 365abb60e..a9670c873 100644 ---- a/server.m4 -+++ b/server.m4 -@@ -111,6 +111,11 @@ AC_CHECK_LIB([smbldap],[smbldap_get_ldap], - [AC_MSG_WARN([libsmbldap is not opaque, not using smbldap_get_ldap])], - [$SAMBA40EXTRA_LIBPATH]) - -+AC_CHECK_LIB([smbldap],[smbldap_set_bind_callback], -+ [AC_DEFINE([HAVE_SMBLDAP_SET_BIND_CALLBACK], [1], [struct smbldap_state is opaque])], -+ [AC_MSG_WARN([libsmbldap is not opaque, not using smbldap_set_bind_callback])], -+ [$SAMBA40EXTRA_LIBPATH]) -+ - dnl --------------------------------------------------------------------------- - dnl Check for libunistring - dnl --------------------------------------------------------------------------- --- -2.13.0 - diff --git a/0006-replica-install-drop-in-ipa-specific-config.patch b/0006-replica-install-drop-in-ipa-specific-config.patch deleted file mode 100644 index af8af7e..0000000 --- a/0006-replica-install-drop-in-ipa-specific-config.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 76cc115c53c3a9c5f594083ff4c4452479070021 Mon Sep 17 00:00:00 2001 -From: Martin Babinsky -Date: Tue, 11 Jul 2017 12:41:38 +0200 -Subject: [PATCH] replica install: drop-in IPA specific config to tmpfiles.d - -While server installation and upgrade code configures the IPA specific -tmpfiles location and creates relevant directories, the replica -installer code path is covered incompletely and one step is missing. - -https://pagure.io/freeipa/issue/7053 - -Reviewed-By: Alexander Bokovoy -Reviewed-By: Stanislav Laznicka ---- - ipaserver/install/server/replicainstall.py | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 4f28de25b..814925de1 100644 ---- a/ipaserver/install/server/replicainstall.py -+++ b/ipaserver/install/server/replicainstall.py -@@ -1515,6 +1515,9 @@ def install(installer): - # remove the extracted replica file - remove_replica_info_dir(installer) - -+ # Make sure the files we crated in /var/run are recreated at startup -+ tasks.configure_tmpfiles() -+ - # Everything installed properly, activate ipa service. - services.knownservices.ipa.enable() - --- -2.13.0 - diff --git a/freeipa.spec b/freeipa.spec index fa89715..ac69977 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -63,13 +63,13 @@ %global etc_systemd_dir %{_sysconfdir}/systemd/system %global gettext_domain ipa -%global VERSION 4.5.2 +%global VERSION 4.5.3 %define _hardened_build 1 Name: freeipa Version: %{VERSION} -Release: 4%{?dist} +Release: 1%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -80,12 +80,6 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.as BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch -# remove Patch000[2-3] in 4.5.3 -Patch0002: 0002-Fix-IP-Address-Checks.patch -Patch0003: 0003-python-netifaces-update-to-reflect-upstream-changes.patch -Patch0004: 0004-ipa-sam-use-own-private-structure-not-ldapsam_privat.patch -Patch0005: 0005-ipa-sam-use-smbldap_set_bind_callback-for-Samba-4.7-.patch -Patch0006: 0006-replica-install-drop-in-ipa-specific-config.patch BuildRequires: openldap-devel # For KDB DAL version, make explicit dependency so that increase of version @@ -296,8 +290,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= %{slapi_nis_version} -Requires: pki-ca >= 10.3.5-11 -Requires: pki-kra >= 10.3.5-11 +Requires: pki-ca >= 10.4.0-1 +Requires: pki-kra >= 10.4.0-1 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: policycoreutils >= 2.1.12-5 @@ -1042,6 +1036,10 @@ fi python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 if [ $? -eq 0 ]; then + # This is necessary for Fedora system upgrades which by default + # work with the network being offline + /bin/systemctl start network-online.target + # This must be run in posttrans so that updates from previous # execution that may no longer be shipped are not applied. /usr/sbin/ipa-server-upgrade --quiet >/dev/null || : @@ -1616,6 +1614,9 @@ fi %endif # with_ipatests %changelog +* Fri Jul 21 2017 Tomas Krizek - 4.5.3-1 +- Update to upstream 4.5.3 - see https://www.freeipa.org/page/Releases/4.5.3 + * Thu Jul 13 2017 Alexander Bokovoy - 4.5.2-4 - Make sure tmpfiles.d snippet for replica is in place after install diff --git a/sources b/sources index 3320079..e52e18e 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (freeipa-4.5.2.tar.gz) = 0525f3b614f3837dd4fc2c459115d4765254caed88345c8f2e6014942ff9ccfe0f865d14bb7444260fca2c8db306fcc9df5ccf87cf0e3565fb0b304a5e5b379d -SHA512 (freeipa-4.5.2.tar.gz.asc) = 38a760516817dded90f46fc9cb4e0a9c548591a544f4b8e6d6ba9c1f7b7abed196d08c66221b0ae8c4b1d72a1ed6ee891ad96f3b5c0ec3bb536f92930d7738d0 +SHA512 (freeipa-4.5.3.tar.gz) = 649b42a721b1bde6e8ebd5387bff171e9ea700005e3b2670129a25a6a5d1d81f6c6005375fb136d973706c0337f048c10fdd9913967035fa7f6ba766828dae42 +SHA512 (freeipa-4.5.3.tar.gz.asc) = 8eef3c911cc04c2d9fd15c840b71391a556ac6cd32d092af3424db303e2b933fc74db4600a4d491a14f636cd180975fd9157ece0e46f1502f0cdf81d097ef7e2