summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2010-03-25 16:21:12 +0100
committerStephen Gallagher <sgallagh@redhat.com>2010-03-25 12:14:14 -0400
commitbeaaf02fe968b216d0633c92592a1fd9daad30ec (patch)
treeb8633c3ee42f1c902f0d8bec834d08fc35111d5f
parent6bcdb688a3d1319ded1073f08e0350de9e5ba94e (diff)
downloadsssd-beaaf02fe968b216d0633c92592a1fd9daad30ec.tar.gz
sssd-beaaf02fe968b216d0633c92592a1fd9daad30ec.tar.xz
sssd-beaaf02fe968b216d0633c92592a1fd9daad30ec.zip
Fix LDAP search paths for IPA HBAC
- use domain_to_basedn() to construct LDAP search paths for IPA HBAC - move domain_to_basedn() to a separate file to simplify the build of a test
-rw-r--r--src/Makefile.am3
-rw-r--r--src/providers/ipa/ipa_access.c35
-rw-r--r--src/providers/ipa/ipa_access.h1
-rw-r--r--src/providers/ipa/ipa_common.c27
-rw-r--r--src/providers/ipa/ipa_common.h4
-rw-r--r--src/providers/ipa/ipa_utils.c57
6 files changed, 84 insertions, 43 deletions
diff --git a/src/Makefile.am b/src/Makefile.am
index 6d46cdab5..3a156cb5c 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -631,12 +631,14 @@ auth_tests_LDADD = \
libsss_test_common.la
ipa_ldap_opt_tests_SOURCES = \
+ providers/ipa/ipa_utils.c \
tests/ipa_ldap_opt-tests.c
ipa_ldap_opt_tests_CFLAGS = \
$(AM_CFLAGS) \
$(CHECK_CFLAGS)
ipa_ldap_opt_tests_LDADD = \
$(CHECK_LIBS) \
+ $(TALLOC_LIBS) \
libsss_test_common.la
simple_access_tests_SOURCES = \
@@ -769,6 +771,7 @@ libsss_ipa_la_SOURCES = \
providers/child_common.c \
providers/ipa/ipa_init.c \
providers/ipa/ipa_common.c \
+ providers/ipa/ipa_utils.c \
providers/ipa/ipa_auth.c \
providers/ipa/ipa_access.c \
providers/ipa/ipa_timerules.c \
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 7dfe1fd90..55a7133ca 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -48,8 +48,8 @@
#define IPA_HOST_CATEGORY "hostCategory"
#define IPA_CN "cn"
-#define IPA_HOST_BASE_TMPL "cn=computers,cn=accounts,dc=%s"
-#define IPA_HBAC_BASE_TMPL "cn=hbac,dc=%s"
+#define IPA_HOST_BASE_TMPL "cn=computers,cn=accounts,%s"
+#define IPA_HBAC_BASE_TMPL "cn=hbac,%s"
#define SYSDB_HBAC_BASE_TMPL "cn=hbac,"SYSDB_TMPL_CUSTOM_BASE
@@ -340,7 +340,7 @@ static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx,
bool offline,
struct sdap_id_ctx *sdap_ctx,
struct sysdb_ctx *sysdb,
- const char *ipa_domain,
+ const char *basedn,
const char **hostnames)
{
struct tevent_req *req = NULL;
@@ -349,7 +349,7 @@ static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx,
int ret;
int i;
- if (hostnames == NULL || ipa_domain == NULL) {
+ if (hostnames == NULL || basedn == NULL) {
DEBUG(1, ("Missing hostnames or domain.\n"));
return NULL;
}
@@ -394,7 +394,7 @@ static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx,
}
state->host_search_base = talloc_asprintf(state, IPA_HOST_BASE_TMPL,
- ipa_domain);
+ basedn);
if (state->host_search_base == NULL) {
DEBUG(1, ("Failed to create host search base.\n"));
ret = ENOMEM;
@@ -832,7 +832,7 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx,
bool offline,
struct sdap_id_ctx *sdap_ctx,
struct sysdb_ctx *sysdb,
- const char *ipa_domain,
+ const char *basedn,
const char *host_dn,
const char **memberof)
{
@@ -842,7 +842,7 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx,
int ret;
int i;
- if (host_dn == NULL || ipa_domain == NULL) {
+ if (host_dn == NULL || basedn == NULL) {
DEBUG(1, ("Missing host_dn or domain.\n"));
return NULL;
}
@@ -867,7 +867,7 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx,
state->current_item = 0;
state->hbac_search_base = talloc_asprintf(state, IPA_HBAC_BASE_TMPL,
- ipa_domain);
+ basedn);
if (state->hbac_search_base == NULL) {
DEBUG(1, ("Failed to create HBAC search base.\n"));
ret = ENOMEM;
@@ -1642,6 +1642,7 @@ void ipa_access_handler(struct be_req *be_req)
int pam_status = PAM_SYSTEM_ERR;
struct ipa_access_ctx *ipa_access_ctx;
const char *hostlist[3];
+ int ret;
pd = talloc_get_type(be_req->req_data, struct pam_data);
@@ -1658,6 +1659,13 @@ void ipa_access_handler(struct be_req *be_req)
hbac_ctx->sdap_ctx = ipa_access_ctx->sdap_ctx;
hbac_ctx->ipa_options = ipa_access_ctx->ipa_options;
hbac_ctx->tr_ctx = ipa_access_ctx->tr_ctx;
+ ret = domain_to_basedn(hbac_ctx,
+ dp_opt_get_string(hbac_ctx->ipa_options, IPA_DOMAIN),
+ &hbac_ctx->ldap_basedn);
+ if (ret != EOK) {
+ DEBUG(1, ("domain_to_basedn failed.\n"));
+ goto fail;
+ }
hbac_ctx->offline = be_is_offline(be_req->be_ctx);
DEBUG(9, ("Connection status is [%s].\n", hbac_ctx->offline ? "offline" :
@@ -1682,10 +1690,8 @@ void ipa_access_handler(struct be_req *be_req)
hostlist[2] = NULL;
req = hbac_get_host_info_send(hbac_ctx, be_req->be_ctx->ev,
- hbac_ctx->offline,
- hbac_ctx->sdap_ctx, be_req->be_ctx->sysdb,
- dp_opt_get_string(hbac_ctx->ipa_options,
- IPA_DOMAIN),
+ hbac_ctx->offline, hbac_ctx->sdap_ctx,
+ be_req->be_ctx->sysdb, hbac_ctx->ldap_basedn,
hostlist);
if (req == NULL) {
DEBUG(1, ("hbac_get_host_info_send failed.\n"));
@@ -1744,9 +1750,8 @@ static void hbac_get_host_info_done(struct tevent_req *req)
}
req = hbac_get_rules_send(hbac_ctx, be_req->be_ctx->ev, hbac_ctx->offline,
hbac_ctx->sdap_ctx, be_req->be_ctx->sysdb,
- dp_opt_get_string(hbac_ctx->ipa_options,
- IPA_DOMAIN),
- local_hhi->dn, local_hhi->memberof);
+ hbac_ctx->ldap_basedn, local_hhi->dn,
+ local_hhi->memberof);
if (req == NULL) {
DEBUG(1, ("hbac_get_rules_send failed.\n"));
goto fail;
diff --git a/src/providers/ipa/ipa_access.h b/src/providers/ipa/ipa_access.h
index bd221c574..e3ba5c30c 100644
--- a/src/providers/ipa/ipa_access.h
+++ b/src/providers/ipa/ipa_access.h
@@ -59,6 +59,7 @@ struct hbac_ctx {
size_t groups_count;
const char **groups;
bool offline;
+ char *ldap_basedn;
};
void ipa_access_handler(struct be_req *be_req);
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 2ad63d055..bed0666bd 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -123,33 +123,6 @@ struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING }
};
-int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn)
-{
- const char *s;
- char *dn;
- char *p;
- int l;
-
- s = domain;
- dn = talloc_strdup(memctx, "dc=");
-
- while ((p = strchr(s, '.'))) {
- l = p - s;
- dn = talloc_asprintf_append_buffer(dn, "%.*s,dc=", l, s);
- if (!dn) {
- return ENOMEM;
- }
- s = p + 1;
- }
- dn = talloc_strdup_append_buffer(dn, s);
- if (!dn) {
- return ENOMEM;
- }
-
- *basedn = dn;
- return EOK;
-}
-
int ipa_get_options(TALLOC_CTX *memctx,
struct confdb_ctx *cdb,
const char *conf_path,
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 54da6c8a3..77628189c 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -32,7 +32,7 @@ struct ipa_service {
struct krb5_service *krb5_service;
};
-/* the following define is used to keep track of the options in the ldap
+/* the following defines are used to keep track of the options in the ldap
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
#define IPA_OPTS_BASIC_TEST 32
@@ -64,6 +64,8 @@ struct ipa_options {
struct krb5_ctx *auth_ctx;
};
+int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn);
+
/* options parsers */
int ipa_get_options(TALLOC_CTX *memctx,
struct confdb_ctx *cdb,
diff --git a/src/providers/ipa/ipa_utils.c b/src/providers/ipa/ipa_utils.c
new file mode 100644
index 000000000..504a8772c
--- /dev/null
+++ b/src/providers/ipa/ipa_utils.c
@@ -0,0 +1,57 @@
+/*
+ SSSD
+
+ IPA Provider Utility Functions
+
+ Authors:
+ Simo Sorce <ssorce@redhat.com>, Sumit Bose <sbose@redhat.com>
+
+ Copyright (C) 2009-2010 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+#include "providers/ipa/ipa_common.h"
+
+int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn)
+{
+ const char *s;
+ char *dn;
+ char *p;
+ int l;
+
+ if (!domain || !basedn) {
+ return EINVAL;
+ }
+
+ s = domain;
+ dn = talloc_strdup(memctx, "dc=");
+
+ while ((p = strchr(s, '.'))) {
+ l = p - s;
+ dn = talloc_asprintf_append_buffer(dn, "%.*s,dc=", l, s);
+ if (!dn) {
+ return ENOMEM;
+ }
+ s = p + 1;
+ }
+ dn = talloc_strdup_append_buffer(dn, s);
+ if (!dn) {
+ return ENOMEM;
+ }
+
+ *basedn = dn;
+ return EOK;
+}