File 0014-Only-update-attributes-given-on-the-comman... of Package adcli

Overview Repositories Revisions Requests Users Attributes Meta

File 0014-Only-update-attributes-given-on-the-command-line.patch of Package adcli

From 4bffff31b08347dccf13cdf43776ac7d36e58d1f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 1 Jun 2018 21:26:47 +0200
Subject: [PATCH 14/25] Only update attributes given on the command line

When updating attributes of the LDAP computer object we only want to
update attributes which are related to options given on the command
line. Otherwise a simple call of 'adcli update' to check if the machine
account password needs an update might unexpectedly reset other
attributes as well.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1547013
           https://bugzilla.redhat.com/show_bug.cgi?id=1545568
           https://bugzilla.redhat.com/show_bug.cgi?id=1538730
---
 library/adenroll.c | 35 ++++++++++++++++++++++++++++++-----
 1 file changed, 30 insertions(+), 5 deletions(-)

diff --git a/library/adenroll.c b/library/adenroll.c
index 691d993..1cc8ffc 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -95,8 +95,11 @@ struct _adcli_enroll {
 	int user_princpal_generate;
 
 	char *os_name;
+	int os_name_explicit;
 	char *os_version;
+	int os_version_explicit;
 	char *os_service_pack;
+	int os_service_pack_explicit;
 
 	krb5_kvno kvno;
 	char *keytab_name;
@@ -108,6 +111,7 @@ struct _adcli_enroll {
 	unsigned int computer_password_lifetime;
 	int computer_password_lifetime_explicit;
 	bool trusted_for_delegation;
+	int trusted_for_delegation_explicit;
 };
 
 static adcli_result
@@ -1207,7 +1211,11 @@ update_computer_account (adcli_enroll *enroll)
 	ldap = adcli_conn_get_ldap_connection (enroll->conn);
 	return_if_fail (ldap != NULL);
 
-	{
+	/* Only update attributes which are explicitly given on the command
+	 * line. Otherwise 'adcli update' must be always called with the same
+	 * set of options to make sure existing attributes are not deleted or
+	 * overwritten with different values. */
+	if (enroll->host_fqdn_explicit) {
 		char *vals_dNSHostName[] = { enroll->host_fqdn, NULL };
 		LDAPMod dNSHostName = { LDAP_MOD_REPLACE, "dNSHostName", { vals_dNSHostName, } };
 		LDAPMod *mods[] = { &dNSHostName, NULL };
@@ -1215,7 +1223,7 @@ update_computer_account (adcli_enroll *enroll)
 		res |= update_computer_attribute (enroll, ldap, mods);
 	}
 
-	if (res == ADCLI_SUCCESS) {
+	if (res == ADCLI_SUCCESS && enroll->trusted_for_delegation_explicit) {
 		char *vals_userAccountControl[] = { NULL , NULL };
 		LDAPMod userAccountControl = { LDAP_MOD_REPLACE, "userAccountControl", { vals_userAccountControl, } };
 		LDAPMod *mods[] = { &userAccountControl, NULL };
@@ -1235,12 +1243,25 @@ update_computer_account (adcli_enroll *enroll)
 		LDAPMod operatingSystemVersion = { LDAP_MOD_REPLACE, "operatingSystemVersion", { vals_operatingSystemVersion, } };
 		char *vals_operatingSystemServicePack[] = { enroll->os_service_pack, NULL };
 		LDAPMod operatingSystemServicePack = { LDAP_MOD_REPLACE, "operatingSystemServicePack", { vals_operatingSystemServicePack, } };
-		LDAPMod *mods[] = { &operatingSystem, &operatingSystemVersion, &operatingSystemServicePack, NULL };
+		LDAPMod *mods[] = { NULL, NULL, NULL, NULL };
+		size_t c = 0;
 
-		res |= update_computer_attribute (enroll, ldap, mods);
+		if (enroll->os_name_explicit) {
+			mods[c++] = &operatingSystem;
+		}
+		if (enroll->os_version_explicit) {
+			mods[c++] = &operatingSystemVersion;
+		}
+		if (enroll->os_service_pack_explicit) {
+			mods[c++] = &operatingSystemServicePack;
+		}
+
+		if (c != 0) {
+			res |= update_computer_attribute (enroll, ldap, mods);
+		}
 	}
 
-	if (res == ADCLI_SUCCESS) {
+	if (res == ADCLI_SUCCESS && !enroll->user_princpal_generate) {
 		char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
 		LDAPMod userPrincipalName = { LDAP_MOD_REPLACE, "userPrincipalName", { vals_userPrincipalName, }, };
 		LDAPMod *mods[] = { &userPrincipalName, NULL, };
@@ -2282,6 +2303,7 @@ adcli_enroll_set_os_name (adcli_enroll *enroll,
 	if (value && value[0] == '\0')
 		value = NULL;
 	_adcli_str_set (&enroll->os_name, value);
+	enroll->os_name_explicit = 1;
 }
 
 const char *
@@ -2299,6 +2321,7 @@ adcli_enroll_set_os_version (adcli_enroll *enroll,
 	if (value && value[0] == '\0')
 		value = NULL;
 	_adcli_str_set (&enroll->os_version, value);
+	enroll->os_version_explicit = 1;
 }
 
 const char *
@@ -2316,6 +2339,7 @@ adcli_enroll_set_os_service_pack (adcli_enroll *enroll,
 	if (value && value[0] == '\0')
 		value = NULL;
 	_adcli_str_set (&enroll->os_service_pack, value);
+	enroll->os_service_pack_explicit = 1;
 }
 
 const char *
@@ -2379,4 +2403,5 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
 	return_if_fail (enroll != NULL);
 
 	enroll->trusted_for_delegation = value;
+	enroll->trusted_for_delegation_explicit = 1;
 }
-- 
2.16.4

 
From 4bffff31b08347dccf13cdf43776ac7d36e58d1f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 1 Jun 2018 21:26:47 +0200
Subject: [PATCH 14/25] Only update attributes given on the command line
​
When updating attributes of the LDAP computer object we only want to
update attributes which are related to options given on the command
line. Otherwise a simple call of 'adcli update' to check if the machine
account password needs an update might unexpectedly reset other
attributes as well.
​
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1547013
           https://bugzilla.redhat.com/show_bug.cgi?id=1545568
           https://bugzilla.redhat.com/show_bug.cgi?id=1538730
---
 library/adenroll.c | 35 ++++++++++++++++++++++++++++++-----
 1 file changed, 30 insertions(+), 5 deletions(-)
​
diff --git a/library/adenroll.c b/library/adenroll.c
index 691d993..1cc8ffc 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -95,8 +95,11 @@ struct _adcli_enroll {
    int user_princpal_generate;
 
    char *os_name;
+   int os_name_explicit;
    char *os_version;
+   int os_version_explicit;
    char *os_service_pack;
+   int os_service_pack_explicit;
 
    krb5_kvno kvno;
    char *keytab_name;
@@ -108,6 +111,7 @@ struct _adcli_enroll {
    unsigned int computer_password_lifetime;
    int computer_password_lifetime_explicit;
    bool trusted_for_delegation;
+   int trusted_for_delegation_explicit;
 };
 
 static adcli_result
@@ -1207,7 +1211,11 @@ update_computer_account (adcli_enroll *enroll)
    ldap = adcli_conn_get_ldap_connection (enroll->conn);
    return_if_fail (ldap != NULL);
 
-   {
+   /* Only update attributes which are explicitly given on the command
+    * line. Otherwise 'adcli update' must be always called with the same
+    * set of options to make sure existing attributes are not deleted or
+    * overwritten with different values. */
+   if (enroll->host_fqdn_explicit) {
        char *vals_dNSHostName[] = { enroll->host_fqdn, NULL };
        LDAPMod dNSHostName = { LDAP_MOD_REPLACE, "dNSHostName", { vals_dNSHostName, } };
        LDAPMod *mods[] = { &dNSHostName, NULL };
@@ -1215,7 +1223,7 @@ update_computer_account (adcli_enroll *enroll)
        res |= update_computer_attribute (enroll, ldap, mods);
    }
 
-   if (res == ADCLI_SUCCESS) {
+   if (res == ADCLI_SUCCESS && enroll->trusted_for_delegation_explicit) {
        char *vals_userAccountControl[] = { NULL , NULL };
        LDAPMod userAccountControl = { LDAP_MOD_REPLACE, "userAccountControl", { vals_userAccountControl, } };
        LDAPMod *mods[] = { &userAccountControl, NULL };
@@ -1235,12 +1243,25 @@ update_computer_account (adcli_enroll *enroll)
        LDAPMod operatingSystemVersion = { LDAP_MOD_REPLACE, "operatingSystemVersion", { vals_operatingSystemVersion, } };
        char *vals_operatingSystemServicePack[] = { enroll->os_service_pack, NULL };
        LDAPMod operatingSystemServicePack = { LDAP_MOD_REPLACE, "operatingSystemServicePack", { vals_operatingSystemServicePack, } };
-       LDAPMod *mods[] = { &operatingSystem, &operatingSystemVersion, &operatingSystemServicePack, NULL };
+       LDAPMod *mods[] = { NULL, NULL, NULL, NULL };
+       size_t c = 0;
 
-       res |= update_computer_attribute (enroll, ldap, mods);
+       if (enroll->os_name_explicit) {
+           mods[c++] = &operatingSystem;
+       }
+       if (enroll->os_version_explicit) {
+           mods[c++] = &operatingSystemVersion;
+       }
+       if (enroll->os_service_pack_explicit) {
+           mods[c++] = &operatingSystemServicePack;
+       }
+
+       if (c != 0) {
+           res |= update_computer_attribute (enroll, ldap, mods);
+       }
    }
 
-   if (res == ADCLI_SUCCESS) {
+   if (res == ADCLI_SUCCESS && !enroll->user_princpal_generate) {
        char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
        LDAPMod userPrincipalName = { LDAP_MOD_REPLACE, "userPrincipalName", { vals_userPrincipalName, }, };
        LDAPMod *mods[] = { &userPrincipalName, NULL, };
@@ -2282,6 +2303,7 @@ adcli_enroll_set_os_name (adcli_enroll *enroll,
    if (value && value[0] == '\0')
        value = NULL;
    _adcli_str_set (&enroll->os_name, value);
+   enroll->os_name_explicit = 1;
 }
 
 const char *
@@ -2299,6 +2321,7 @@ adcli_enroll_set_os_version (adcli_enroll *enroll,
    if (value && value[0] == '\0')
        value = NULL;
    _adcli_str_set (&enroll->os_version, value);
+   enroll->os_version_explicit = 1;
 }
 
 const char *
@@ -2316,6 +2339,7 @@ adcli_enroll_set_os_service_pack (adcli_enroll *enroll,
    if (value && value[0] == '\0')
        value = NULL;
    _adcli_str_set (&enroll->os_service_pack, value);
+   enroll->os_service_pack_explicit = 1;
 }
 
 const char *
@@ -2379,4 +2403,5 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
    return_if_fail (enroll != NULL);
 
    enroll->trusted_for_delegation = value;
+   enroll->trusted_for_delegation_explicit = 1;
 }
-- 
2.16.4
​
​

Places

File 0014-Only-update-attributes-given-on-the-command-line.patch of Package adcli

Places