authorAlexander Bokovoy <abokovoy@redhat.com>2013-07-09 10:26:22 +0300
committerAlexander Bokovoy <abokovoy@redhat.com>2013-07-11 12:39:28 +0300
commitad575f067c49fdc511e9139668529d46b2f5f8bf (patch)
tree748bb1394987ce1b7745f816ee8de38be409b4ee
parentfb62414e813bbc8bd287413ed2506c0fe7f9c589 (diff)
Fix extdom plugin to provide unqualified name in response as sssd expects
The extdom plugin handles the extended operation through which SSSD asks the IPA server about trusted-domain users that were not found through the normal paths but were detected to belong to the trusted domains associated with the IPA realm. SSSD expects the user or group name in the response to be unqualified, because the domain name for the user or group is also included in the response. Strip the domain name from the name if the getgrnam_r/getpwnam_r calls returned a fully qualified name which includes the domain name we were asked to handle. The code already expects fully-qualified names to follow the user@domain convention, so we simply check whether the '@' symbol is present and is followed by the domain name.
-rw-r--r--daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c33
1 files changed, 30 insertions, 3 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 823745e..26262e4 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -48,6 +48,7 @@
#include "util.h"
#define MAX(a,b) (((a)>(b))?(a):(b))
+#define SSSD_DOMAIN_SEPARATOR '@'
int parse_request_data(struct berval *req_val, struct extdom_req **_req)
{
@@ -242,7 +243,7 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
goto done;
}
- sep = strrchr(fq_name, '@');
+ sep = strrchr(fq_name, SSSD_DOMAIN_SEPARATOR);
if (sep == NULL) {
ret = LDAP_OPERATIONS_ERROR;
goto done;
@@ -274,8 +275,9 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
domain_name = strdup(req->data.name.domain_name);
break;
case INP_NAME:
- ret = asprintf(&fq_name, "%s@%s", req->data.name.object_name,
- req->data.name.domain_name);
+ ret = asprintf(&fq_name, "%s%c%s", req->data.name.object_name,
+ SSSD_DOMAIN_SEPARATOR,
+ req->data.name.domain_name);
if (ret == -1) {
ret = LDAP_OPERATIONS_ERROR;
fq_name = NULL; /* content is undefined according to
@@ -339,6 +341,7 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
const char *domain_name, struct extdom_res **_res)
{
int ret = EFAULT;
+ char *locat = NULL;
struct extdom_res *res;
res = calloc(1, sizeof(struct extdom_res));
@@ -355,10 +358,20 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
switch(id_type) {
case SSS_ID_TYPE_UID:
case SSS_ID_TYPE_BOTH:
+ if ((locat = strchr(pg_data->data.pwd.pw_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+ if (strcasecmp(locat+1, domain_name) == 0 ) {
+ locat[0] = 0;
+ }
+ }
res->data.name.object_name =
strdup(pg_data->data.pwd.pw_name);
break;
case SSS_ID_TYPE_GID:
+ if ((locat = strchr(pg_data->data.grp.gr_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+ if (strcasecmp(locat+1, domain_name) == 0) {
+ locat[0] = 0;
+ }
+ }
res->data.name.object_name =
strdup(pg_data->data.grp.gr_name);
break;
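Review bot: The strip-and-compare snippet is pasted four times (the SSS_ID_TYPE_UID/BOTH and SSS_ID_TYPE_GID cases here, and again in the two later hunks of create_response), each one truncating the name buffer owned by pg_data in place and relying on the `done:` block to write the separator back; a small static helper would keep the in-place truncation, the case-insensitive domain check and the value the restore depends on in one place. These sites also disagree with handle_request, which locates the separator with `strrchr` while they use `strchr`, so a name containing more than one '@' would be split at different positions by the two functions — if such names can reach this code, the two should agree. The enclosing switch and create_response itself start and end outside the hunk. Minor: `== 0 )` on the first comparison has a stray space.

```c
/* Cut the "@domain" suffix off name in place when domain matches domain_name
 * case-insensitively. Returns the separator position so the caller can restore
 * it before pg_data is handed back, or NULL if the buffer was left untouched. */
static char *strip_domain_suffix(char *name, const char *domain_name)
{
    char *sep = strchr(name, SSSD_DOMAIN_SEPARATOR);

    if (sep != NULL && strcasecmp(sep + 1, domain_name) == 0) {
        sep[0] = '\0';
        return sep;
    }
    return NULL;
}

/* … unchanged: create_response up to switch(id_type) … */
    case SSS_ID_TYPE_UID:
    case SSS_ID_TYPE_BOTH:
        locat = strip_domain_suffix(pg_data->data.pwd.pw_name, domain_name);
        res->data.name.object_name =
            strdup(pg_data->data.pwd.pw_name);
        break;
    case SSS_ID_TYPE_GID:
        locat = strip_domain_suffix(pg_data->data.grp.gr_name, domain_name);
        res->data.name.object_name =
            strdup(pg_data->data.grp.gr_name);
        break;
/* … unchanged: remaining cases; the two later switch blocks use the same call … */
```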
@@ -394,6 +407,11 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
case SSS_ID_TYPE_BOTH:
res->response_type = RESP_USER;
res->data.user.domain_name = strdup(domain_name);
+ if ((locat = strchr(pg_data->data.pwd.pw_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+ if (strcasecmp(locat+1, domain_name) == 0) {
+ locat[0] = 0;
+ }
+ }
res->data.user.user_name =
strdup(pg_data->data.pwd.pw_name);
@@ -409,6 +427,11 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
case SSS_ID_TYPE_GID:
res->response_type = RESP_GROUP;
res->data.group.domain_name = strdup(domain_name);
+ if ((locat = strchr(pg_data->data.grp.gr_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+ if (strcasecmp(locat+1, domain_name) == 0) {
+ locat[0] = 0;
+ }
+ }
res->data.group.group_name =
strdup(pg_data->data.grp.gr_name);
@@ -439,6 +462,10 @@ done:
free_resp_data(res);
}
+ if (locat != NULL) {
+ locat[0] = SSSD_DOMAIN_SEPARATOR;
+ }
+
return ret;
}
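Review bot: The restore in the `done:` block only runs while `locat` is non-NULL, yet every strip site reassigns `locat` from a fresh `strchr` call; if two of those sites execute on one call, the second `strchr` runs on a name whose '@' has already been replaced by NUL, returns NULL, clears `locat`, and the caller's pg_data name is left truncated. From the hunks alone I cannot tell whether the two `switch(id_type)` blocks in create_response are reachable on the same path, so this may be unreachable in practice; guarding the assignment, e.g. `if (locat == NULL && (locat = strchr(pg_data->data.pwd.pw_name, SSSD_DOMAIN_SEPARATOR)) != NULL)`, or restoring the separator right after each strdup, would make the invariant hold regardless. A comment above the restore, `/* undo the in-place truncation so the caller's pg_data buffer is returned unchanged */`, would make the ownership explicit. create_response begins outside the hunk.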