Blob Blame History Raw
From 5eca1f995ced1ce4ddead4471ac7ac9037bedb73 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 1 Jun 2018 21:26:47 +0200
Subject: [PATCH 2/7] Only update attributes given on the command line

When updating attributes of the LDAP computer object we only want to
update attributes which are related to options given on the command
line. Otherwise a simple call of 'adcli update' to check if the machine
account password needs an update might unexpectedly reset other
attributes as well.

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1547013
           https://bugzilla.redhat.com/show_bug.cgi?id=1545568
           https://bugzilla.redhat.com/show_bug.cgi?id=1538730
---
 library/adenroll.c | 35 ++++++++++++++++++++++++++++++-----
 1 file changed, 30 insertions(+), 5 deletions(-)

diff --git a/library/adenroll.c b/library/adenroll.c
index 7c59078..2be6796 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -99,8 +99,11 @@ struct _adcli_enroll {
 	int user_princpal_generate;
 
 	char *os_name;
+	int os_name_explicit;
 	char *os_version;
+	int os_version_explicit;
 	char *os_service_pack;
+	int os_service_pack_explicit;
 
 	krb5_kvno kvno;
 	char *keytab_name;
@@ -113,6 +116,7 @@ struct _adcli_enroll {
 	int computer_password_lifetime_explicit;
 	char *samba_data_tool;
 	bool trusted_for_delegation;
+	int trusted_for_delegation_explicit;
 };
 
 static adcli_result
@@ -1212,7 +1216,11 @@ update_computer_account (adcli_enroll *enroll)
 	ldap = adcli_conn_get_ldap_connection (enroll->conn);
 	return_if_fail (ldap != NULL);
 
-	{
+	/* Only update attributes which are explicitly given on the command
+	 * line. Otherwise 'adcli update' must be always called with the same
+	 * set of options to make sure existing attributes are not deleted or
+	 * overwritten with different values. */
+	if (enroll->host_fqdn_explicit) {
 		char *vals_dNSHostName[] = { enroll->host_fqdn, NULL };
 		LDAPMod dNSHostName = { LDAP_MOD_REPLACE, "dNSHostName", { vals_dNSHostName, } };
 		LDAPMod *mods[] = { &dNSHostName, NULL };
@@ -1220,7 +1228,7 @@ update_computer_account (adcli_enroll *enroll)
 		res |= update_computer_attribute (enroll, ldap, mods);
 	}
 
-	if (res == ADCLI_SUCCESS) {
+	if (res == ADCLI_SUCCESS && enroll->trusted_for_delegation_explicit) {
 		char *vals_userAccountControl[] = { NULL , NULL };
 		LDAPMod userAccountControl = { LDAP_MOD_REPLACE, "userAccountControl", { vals_userAccountControl, } };
 		LDAPMod *mods[] = { &userAccountControl, NULL };
@@ -1240,12 +1248,25 @@ update_computer_account (adcli_enroll *enroll)
 		LDAPMod operatingSystemVersion = { LDAP_MOD_REPLACE, "operatingSystemVersion", { vals_operatingSystemVersion, } };
 		char *vals_operatingSystemServicePack[] = { enroll->os_service_pack, NULL };
 		LDAPMod operatingSystemServicePack = { LDAP_MOD_REPLACE, "operatingSystemServicePack", { vals_operatingSystemServicePack, } };
-		LDAPMod *mods[] = { &operatingSystem, &operatingSystemVersion, &operatingSystemServicePack, NULL };
+		LDAPMod *mods[] = { NULL, NULL, NULL, NULL };
+		size_t c = 0;
 
-		res |= update_computer_attribute (enroll, ldap, mods);
+		if (enroll->os_name_explicit) {
+			mods[c++] = &operatingSystem;
+		}
+		if (enroll->os_version_explicit) {
+			mods[c++] = &operatingSystemVersion;
+		}
+		if (enroll->os_service_pack_explicit) {
+			mods[c++] = &operatingSystemServicePack;
+		}
+
+		if (c != 0) {
+			res |= update_computer_attribute (enroll, ldap, mods);
+		}
 	}
 
-	if (res == ADCLI_SUCCESS) {
+	if (res == ADCLI_SUCCESS && !enroll->user_princpal_generate) {
 		char *vals_userPrincipalName[] = { enroll->user_principal, NULL };
 		LDAPMod userPrincipalName = { LDAP_MOD_REPLACE, "userPrincipalName", { vals_userPrincipalName, }, };
 		LDAPMod *mods[] = { &userPrincipalName, NULL, };
@@ -2337,6 +2358,7 @@ adcli_enroll_set_os_name (adcli_enroll *enroll,
 	if (value && value[0] == '\0')
 		value = NULL;
 	_adcli_str_set (&enroll->os_name, value);
+	enroll->os_name_explicit = 1;
 }
 
 const char *
@@ -2354,6 +2376,7 @@ adcli_enroll_set_os_version (adcli_enroll *enroll,
 	if (value && value[0] == '\0')
 		value = NULL;
 	_adcli_str_set (&enroll->os_version, value);
+	enroll->os_version_explicit = 1;
 }
 
 const char *
@@ -2371,6 +2394,7 @@ adcli_enroll_set_os_service_pack (adcli_enroll *enroll,
 	if (value && value[0] == '\0')
 		value = NULL;
 	_adcli_str_set (&enroll->os_service_pack, value);
+	enroll->os_service_pack_explicit = 1;
 }
 
 const char *
@@ -2450,4 +2474,5 @@ adcli_enroll_set_trusted_for_delegation (adcli_enroll *enroll,
 	return_if_fail (enroll != NULL);
 
 	enroll->trusted_for_delegation = value;
+	enroll->trusted_for_delegation_explicit = 1;
 }
-- 
2.14.4