authorSimo Sorce <ssorce@redhat.com>2011-11-20 20:50:27 -0500
committerSimo Sorce <ssorce@redhat.com>2011-12-08 17:18:10 -0500
commit045c7c123eeb720173c19d5196b4fb5bb4cecbaa (patch)
tree7d6040cb63334a685d555ce23b6d3baf827b57c2 /daemons
parent7d744f82e2ae118216454214464847f4c218340c (diff)
ipa-kdb: enhance deref searches
Allow to deref more than one attribute. The attrs searched are the same for all deref attributes at this time.
Diffstat (limited to 'daemons')
-rw-r--r--daemons/ipa-kdb/ipa_kdb.h7
-rw-r--r--daemons/ipa-kdb/ipa_kdb_common.c34
-rw-r--r--daemons/ipa-kdb/ipa_kdb_mspac.c11
3 files changed, 39 insertions, 13 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 8c907c448..33b74a28a 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -123,8 +123,11 @@ krb5_error_code ipadb_simple_modify(struct ipadb_context *ipactx,
krb5_error_code ipadb_simple_delete_val(struct ipadb_context *ipactx,
char *dn, char *attr, char *value);
krb5_error_code ipadb_deref_search(struct ipadb_context *ipactx,
- char *entry_dn, char **entry_attrs,
- char *deref_attr_name, char **deref_attrs,
+ char *base_dn, int scope,
+ char *filter,
+ char **entry_attrs,
+ char **deref_attr_names,
+ char **deref_attrs,
LDAPMessage **res);
int ipadb_ldap_attr_to_int(LDAP *lcontext, LDAPMessage *le,
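Review bot: The new prototype carries no comment stating the contract the implementation relies on: deref_attr_names must be a non-NULL, NULL-terminated array, and the single deref_attrs list is requested for every name in it. Suggest adding above the declaration `/* deref_attr_names: NULL-terminated list of attributes to dereference; deref_attrs is requested for each of them. */`. The declaration is complete within this hunk.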
diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c
index d3e8e9c4c..6f5ac1d74 100644
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@@ -265,24 +265,39 @@ done:
}
krb5_error_code ipadb_deref_search(struct ipadb_context *ipactx,
- char *entry_dn, char **entry_attrs,
- char *deref_attr_name, char **deref_attrs,
+ char *base_dn, int scope,
+ char *filter,
+ char **entry_attrs,
+ char **deref_attr_names,
+ char **deref_attrs,
LDAPMessage **res)
{
struct berval derefval = { 0, NULL };
LDAPControl *ctrl[2] = { NULL, NULL };
- LDAPDerefSpec ds[2];
+ LDAPDerefSpec *ds;
krb5_error_code kerr;
int times;
int ret;
+ int c;
- ds[0].derefAttr = deref_attr_name;
- ds[0].attributes = deref_attrs;
- ds[1].derefAttr = NULL;
+ for (c = 0; deref_attr_names[c]; c++) {
+ /* count */ ;
+ }
+
+ ds = calloc(c, sizeof(LDAPDerefSpec));
+ if (!ds) {
+ return ENOMEM;
+ }
+
+ for (c = 0; deref_attr_names[c]; c++) {
+ ds[c].derefAttr = deref_attr_names[c];
+ ds[c].attributes = deref_attrs;
+ }
ret = ldap_create_deref_control_value(ipactx->lcontext, ds, &derefval);
if (ret != LDAP_SUCCESS) {
- return ENOMEM;
+ kerr = ENOMEM;
+ goto done;
}
ret = ldap_control_create(LDAP_CONTROL_X_DEREF,
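Review bot: `calloc(c, sizeof(LDAPDerefSpec))` allocates one element per name and no terminating entry, whereas the code it replaces ended the array with `ds[1].derefAttr = NULL`. If ldap_create_deref_control_value finds the end of the array by a NULL derefAttr, as the removed lines imply, it will read past the heap allocation. Allocate the sentinel too, `ds = calloc(c + 1, sizeof(LDAPDerefSpec));`, so that calloc's zero fill supplies the terminator. That also avoids `calloc(0, …)` for an empty list, which may return NULL and be misreported as ENOMEM. The counting loop dereferences deref_attr_names without a NULL check, and the function body continues outside this hunk.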
@@ -297,8 +312,8 @@ krb5_error_code ipadb_deref_search(struct ipadb_context *ipactx,
ret = LDAP_SUCCESS;
while (!ipadb_need_retry(ipactx, ret) && times > 0) {
times--;
- ret = ldap_search_ext_s(ipactx->lcontext, entry_dn,
- LDAP_SCOPE_BASE, "(objectclass=*)",
+ ret = ldap_search_ext_s(ipactx->lcontext, base_dn,
+ scope, filter,
entry_attrs, 0,
ctrl, NULL,
&std_timeout, LDAP_NO_LIMIT,
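Review bot: With base_dn, scope and filter now supplied by the caller, this search is no longer confined to one entry, yet the size limit stays at LDAP_NO_LIMIT and the filter is passed verbatim. The only caller visible in this commit uses LDAP_SCOPE_BASE and a constant filter, so nothing is wrong today. A later caller that builds the filter from request data would have to escape it per RFC 4515 first, and a wider scope would be bounded only by server-side limits. A comment above the call such as `/* filter must already be escaped by the caller; result size is bounded only by the server */` would record that. The loop sits inside ipadb_deref_search, whose body starts and ends outside this hunk.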
@@ -309,6 +324,7 @@ krb5_error_code ipadb_deref_search(struct ipadb_context *ipactx,
done:
ldap_memfree(derefval.bv_val);
+ free(ds);
return kerr;
}
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 7b19611b3..8f4affa40 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -84,6 +84,11 @@ static char *user_pac_attrs[] = {
NULL
};
+char *deref_search_attrs[] = {
+ "memberOf",
+ NULL
+};
+
static char *memberof_pac_attrs[] = {
"gidNumber",
"ipaNTSecurityIdentifier",
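Review bot: `deref_search_attrs` is declared without `static`, unlike `user_pac_attrs` and `memberof_pac_attrs` on either side of it, so it becomes a writable global symbol exported from this object file. Nothing visible in the commit uses it outside ipa_kdb_mspac.c. Declare it `static char *deref_search_attrs[] = {` to match its neighbours and keep it out of the plugin's symbol table.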
@@ -502,8 +507,10 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
/* == Search PAC info == */
- kerr = ipadb_deref_search(ipactx, ied->entry_dn, user_pac_attrs,
- "memberOf", memberof_pac_attrs, &results);
+ kerr = ipadb_deref_search(ipactx, ied->entry_dn, LDAP_SCOPE_BASE,
+ "(objectclass=*)", user_pac_attrs,
+ deref_search_attrs, memberof_pac_attrs,
+ &results);
if (kerr) {
goto done;
}