|
 |
daca1ae |
From 68b14b6f94cf23fe2f66ee592e2e1fa5abfe3b9c Mon Sep 17 00:00:00 2001
|
|
|
daca1ae |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
daca1ae |
Date: Fri, 23 Mar 2018 13:40:34 +0100
|
|
|
daca1ae |
Subject: [PATCH] SYSDB: When marking an entry as expired, also set the
|
|
|
daca1ae |
originalModifyTimestamp to 1
|
|
|
daca1ae |
MIME-Version: 1.0
|
|
|
daca1ae |
Content-Type: text/plain; charset=UTF-8
|
|
|
daca1ae |
Content-Transfer-Encoding: 8bit
|
|
|
daca1ae |
|
|
|
daca1ae |
Resolves:
|
|
|
daca1ae |
https://pagure.io/SSSD/sssd/issue/3684
|
|
|
daca1ae |
|
|
|
daca1ae |
If the cleanup task removes a user who was a fully resolved member (not a
|
|
|
daca1ae |
ghost), but then the group the user was a member of is requested, unless
|
|
|
daca1ae |
the group had changed, the user doesn't appear as a member of the group
|
|
|
daca1ae |
again. This is because the modify timestamp would prevent the group from
|
|
|
daca1ae |
updating and therefore the ghost attribute is not readded.
|
|
|
daca1ae |
|
|
|
daca1ae |
To mitigate this, let's also set the originalModifyTimestamp attribute
|
|
|
daca1ae |
to 1, so that we never take the optimized path while updating the group.
|
|
|
daca1ae |
|
|
|
daca1ae |
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
|
|
|
daca1ae |
(cherry picked from commit 250751bf8b0532d6175e762b7f2f008cc1c39a78)
|
|
|
daca1ae |
---
|
|
|
daca1ae |
src/db/sysdb_ops.c | 13 +++++++++++
|
|
|
daca1ae |
src/tests/intg/test_ldap.py | 54 +++++++++++++++++++++++++++++++++++++++++++++
|
|
|
daca1ae |
2 files changed, 67 insertions(+)
|
|
|
daca1ae |
|
|
|
daca1ae |
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
|
|
daca1ae |
index cc86a114e..09aa04a29 100644
|
|
|
daca1ae |
--- a/src/db/sysdb_ops.c
|
|
|
daca1ae |
+++ b/src/db/sysdb_ops.c
|
|
|
daca1ae |
@@ -5410,6 +5410,19 @@ errno_t sysdb_mark_entry_as_expired_ldb_dn(struct sss_domain_info *dom,
|
|
|
daca1ae |
goto done;
|
|
|
daca1ae |
}
|
|
|
daca1ae |
|
|
|
daca1ae |
+ ret = ldb_msg_add_empty(msg, SYSDB_ORIG_MODSTAMP,
|
|
|
daca1ae |
+ LDB_FLAG_MOD_REPLACE, NULL);
|
|
|
daca1ae |
+ if (ret != LDB_SUCCESS) {
|
|
|
daca1ae |
+ ret = sysdb_error_to_errno(ret);
|
|
|
daca1ae |
+ goto done;
|
|
|
daca1ae |
+ }
|
|
|
daca1ae |
+
|
|
|
daca1ae |
+ ret = ldb_msg_add_string(msg, SYSDB_ORIG_MODSTAMP, "1");
|
|
|
daca1ae |
+ if (ret != LDB_SUCCESS) {
|
|
|
daca1ae |
+ ret = sysdb_error_to_errno(ret);
|
|
|
daca1ae |
+ goto done;
|
|
|
daca1ae |
+ }
|
|
|
daca1ae |
+
|
|
|
daca1ae |
ret = ldb_modify(dom->sysdb->ldb, msg);
|
|
|
daca1ae |
if (ret != LDB_SUCCESS) {
|
|
|
daca1ae |
ret = sysdb_error_to_errno(ret);
|
|
|
daca1ae |
diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
|
|
|
daca1ae |
index a6659b1b7..db3253858 100644
|
|
|
daca1ae |
--- a/src/tests/intg/test_ldap.py
|
|
|
daca1ae |
+++ b/src/tests/intg/test_ldap.py
|
|
|
daca1ae |
@@ -434,6 +434,60 @@ def test_refresh_after_cleanup_task(ldap_conn, refresh_after_cleanup_task):
|
|
|
daca1ae |
dict(mem=ent.contains_only("user1")))
|
|
|
daca1ae |
|
|
|
daca1ae |
|
|
|
daca1ae |
+@pytest.fixture
|
|
|
daca1ae |
+def update_ts_after_cleanup_task(request, ldap_conn):
|
|
|
daca1ae |
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
|
|
|
daca1ae |
+ ent_list.add_user("user1", 1001, 2001)
|
|
|
daca1ae |
+ ent_list.add_user("user2", 1002, 2001)
|
|
|
daca1ae |
+
|
|
|
daca1ae |
+ ent_list.add_group_bis("group1", 2001, ["user1", "user2"])
|
|
|
daca1ae |
+
|
|
|
daca1ae |
+ create_ldap_fixture(request, ldap_conn, ent_list)
|
|
|
daca1ae |
+
|
|
|
daca1ae |
+ conf = \
|
|
|
daca1ae |
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
|
|
|
daca1ae |
+ unindent("""
|
|
|
daca1ae |
+ [domain/LDAP]
|
|
|
daca1ae |
+ ldap_purge_cache_timeout = 3
|
|
|
daca1ae |
+ """).format(**locals())
|
|
|
daca1ae |
+ create_conf_fixture(request, conf)
|
|
|
daca1ae |
+ create_sssd_fixture(request)
|
|
|
daca1ae |
+ return None
|
|
|
daca1ae |
+
|
|
|
daca1ae |
+
|
|
|
daca1ae |
+def test_update_ts_cache_after_cleanup_task(ldap_conn,
|
|
|
daca1ae |
+ update_ts_after_cleanup_task):
|
|
|
daca1ae |
+ """
|
|
|
daca1ae |
+ Regression test for ticket:
|
|
|
daca1ae |
+ https://fedorahosted.org/sssd/ticket/2676
|
|
|
daca1ae |
+ """
|
|
|
daca1ae |
+ ent.assert_group_by_name(
|
|
|
daca1ae |
+ "group1",
|
|
|
daca1ae |
+ dict(mem=ent.contains_only("user1", "user2")))
|
|
|
daca1ae |
+
|
|
|
daca1ae |
+ ent.assert_passwd_by_name(
|
|
|
daca1ae |
+ 'user1',
|
|
|
daca1ae |
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
|
|
|
daca1ae |
+ gecos='1001', shell='/bin/bash'))
|
|
|
daca1ae |
+
|
|
|
daca1ae |
+ ent.assert_passwd_by_name(
|
|
|
daca1ae |
+ 'user2',
|
|
|
daca1ae |
+ dict(name='user2', passwd='*', uid=1002, gid=2001,
|
|
|
daca1ae |
+ gecos='1002', shell='/bin/bash'))
|
|
|
daca1ae |
+
|
|
|
daca1ae |
+ if subprocess.call(["sss_cache", "-u", "user1"]) != 0:
|
|
|
daca1ae |
+ raise Exception("sssd_cache failed")
|
|
|
daca1ae |
+
|
|
|
daca1ae |
+ # The cleanup task runs every 3 seconds, so sleep for 6
|
|
|
daca1ae |
+ # so that we know the cleanup task ran at least once
|
|
|
daca1ae |
+ # even if we start sleeping during the first one
|
|
|
daca1ae |
+ time.sleep(6)
|
|
|
daca1ae |
+
|
|
|
daca1ae |
+ ent.assert_group_by_name(
|
|
|
daca1ae |
+ "group1",
|
|
|
daca1ae |
+ dict(mem=ent.contains_only("user1", "user2")))
|
|
|
daca1ae |
+
|
|
|
daca1ae |
+
|
|
|
daca1ae |
@pytest.fixture
|
|
|
daca1ae |
def blank_rfc2307(request, ldap_conn):
|
|
|
daca1ae |
"""Create blank RFC2307 directory fixture with interactive SSSD conf"""
|
|
|
daca1ae |
--
|
|
|
daca1ae |
2.14.3
|
|
|
daca1ae |
|