author | Sumit Bose <sbose@redhat.com> | 2010-03-25 16:21:12 +0100 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-03-25 12:14:14 -0400 |
commit | beaaf02fe968b216d0633c92592a1fd9daad30ec (patch) | |
tree | b8633c3ee42f1c902f0d8bec834d08fc35111d5f | |
parent | 6bcdb688a3d1319ded1073f08e0350de9e5ba94e (diff) | |
Fix LDAP search paths for IPA HBAC
- use domain_to_basedn() to construct LDAP search paths for IPA HBAC
- move domain_to_basedn() to a separate file to simplify the build of
a test
-rw-r--r-- | src/Makefile.am | 3 | ||||
-rw-r--r-- | src/providers/ipa/ipa_access.c | 35 | ||||
-rw-r--r-- | src/providers/ipa/ipa_access.h | 1 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.c | 27 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.h | 4 | ||||
-rw-r--r-- | src/providers/ipa/ipa_utils.c | 57 |
6 files changed, 84 insertions, 43 deletions
diff --git a/src/Makefile.am b/src/Makefile.am index 6d46cdab5..3a156cb5c 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -631,12 +631,14 @@ auth_tests_LDADD = \ libsss_test_common.la ipa_ldap_opt_tests_SOURCES = \ + providers/ipa/ipa_utils.c \ tests/ipa_ldap_opt-tests.c ipa_ldap_opt_tests_CFLAGS = \ $(AM_CFLAGS) \ $(CHECK_CFLAGS) ipa_ldap_opt_tests_LDADD = \ $(CHECK_LIBS) \ + $(TALLOC_LIBS) \ libsss_test_common.la simple_access_tests_SOURCES = \ @@ -769,6 +771,7 @@ libsss_ipa_la_SOURCES = \ providers/child_common.c \ providers/ipa/ipa_init.c \ providers/ipa/ipa_common.c \ + providers/ipa/ipa_utils.c \ providers/ipa/ipa_auth.c \ providers/ipa/ipa_access.c \ providers/ipa/ipa_timerules.c \ diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c index 7dfe1fd90..55a7133ca 100644 --- a/src/providers/ipa/ipa_access.c +++ b/src/providers/ipa/ipa_access.c @@ -48,8 +48,8 @@ #define IPA_HOST_CATEGORY "hostCategory" #define IPA_CN "cn" -#define IPA_HOST_BASE_TMPL "cn=computers,cn=accounts,dc=%s" -#define IPA_HBAC_BASE_TMPL "cn=hbac,dc=%s" +#define IPA_HOST_BASE_TMPL "cn=computers,cn=accounts,%s" +#define IPA_HBAC_BASE_TMPL "cn=hbac,%s" #define SYSDB_HBAC_BASE_TMPL "cn=hbac,"SYSDB_TMPL_CUSTOM_BASE @@ -340,7 +340,7 @@ static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx, bool offline, struct sdap_id_ctx *sdap_ctx, struct sysdb_ctx *sysdb, - const char *ipa_domain, + const char *basedn, const char **hostnames) { struct tevent_req *req = NULL; @@ -349,7 +349,7 @@ static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx, int ret; int i; - if (hostnames == NULL || ipa_domain == NULL) { + if (hostnames == NULL || basedn == NULL) { DEBUG(1, ("Missing hostnames or domain.\n")); return NULL; } 
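Review bot: The NULL-argument check in the -349 hunk of hbac_get_host_info_send still logs `"Missing hostnames or domain.\n"` although the parameter it tests was renamed from `ipa_domain` to `basedn`, so a failure here would point an operator at the wrong thing. Suggest `DEBUG(1, ("Missing hostnames or basedn.\n"));` to match the new parameter. hbac_get_host_info_send's body continues past this hunk. The Makefile.am changes (adding ipa_utils.c and TALLOC_LIBS to the test and library builds) look consistent with the move described in the commit message.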
@@ -394,7 +394,7 @@ static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx, } state->host_search_base = talloc_asprintf(state, IPA_HOST_BASE_TMPL, - ipa_domain); + basedn); if (state->host_search_base == NULL) { DEBUG(1, ("Failed to create host search base.\n")); ret = ENOMEM; @@ -832,7 +832,7 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx, bool offline, struct sdap_id_ctx *sdap_ctx, struct sysdb_ctx *sysdb, - const char *ipa_domain, + const char *basedn, const char *host_dn, const char **memberof) { @@ -842,7 +842,7 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx, int ret; int i; - if (host_dn == NULL || ipa_domain == NULL) { + if (host_dn == NULL || basedn == NULL) { DEBUG(1, ("Missing host_dn or domain.\n")); return NULL; } @@ -867,7 +867,7 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx, state->current_item = 0; state->hbac_search_base = talloc_asprintf(state, IPA_HBAC_BASE_TMPL, - ipa_domain); + basedn); if (state->hbac_search_base == NULL) { DEBUG(1, ("Failed to create HBAC search base.\n")); ret = ENOMEM; @@ -1642,6 +1642,7 @@ void ipa_access_handler(struct be_req *be_req) int pam_status = PAM_SYSTEM_ERR; struct ipa_access_ctx *ipa_access_ctx; const char *hostlist[3]; + int ret; pd = talloc_get_type(be_req->req_data, struct pam_data); @@ -1658,6 +1659,13 @@ void ipa_access_handler(struct be_req *be_req) hbac_ctx->sdap_ctx = ipa_access_ctx->sdap_ctx; hbac_ctx->ipa_options = ipa_access_ctx->ipa_options; hbac_ctx->tr_ctx = ipa_access_ctx->tr_ctx; + ret = domain_to_basedn(hbac_ctx, + dp_opt_get_string(hbac_ctx->ipa_options, IPA_DOMAIN), + &hbac_ctx->ldap_basedn); + if (ret != EOK) { + DEBUG(1, ("domain_to_basedn failed.\n")); + goto fail; + } hbac_ctx->offline = be_is_offline(be_req->be_ctx); DEBUG(9, ("Connection status is [%s].\n", hbac_ctx->offline ? "offline" : 
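Review bot: In the -1658 hunk of ipa_access_handler the failure branch logs only `"domain_to_basedn failed.\n"` and discards `ret`, so a missing `IPA_DOMAIN` (EINVAL, per the new helper) cannot be told apart from an allocation failure (ENOMEM) in the log; suggest `DEBUG(1, ("domain_to_basedn failed [%d][%s].\n", ret, strerror(ret)));` following the usual SSSD idiom. The base DN is also rebuilt on every access request from a configuration value that does not change at runtime, so it could be derived once when the access provider is initialised and kept in ipa_access_ctx, though that lives outside this hunk. `pam_status` is initialised to PAM_SYSTEM_ERR in the -1642 hunk, so presumably the `fail` label (not visible here) reports that as a denial rather than falling through to an allow — worth confirming, since this is an access-control path.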
@@ -1682,10 +1690,8 @@ void ipa_access_handler(struct be_req *be_req) hostlist[2] = NULL; req = hbac_get_host_info_send(hbac_ctx, be_req->be_ctx->ev, - hbac_ctx->offline, - hbac_ctx->sdap_ctx, be_req->be_ctx->sysdb, - dp_opt_get_string(hbac_ctx->ipa_options, - IPA_DOMAIN), + hbac_ctx->offline, hbac_ctx->sdap_ctx, + be_req->be_ctx->sysdb, hbac_ctx->ldap_basedn, hostlist); if (req == NULL) { DEBUG(1, ("hbac_get_host_info_send failed.\n")); @@ -1744,9 +1750,8 @@ static void hbac_get_host_info_done(struct tevent_req *req) } req = hbac_get_rules_send(hbac_ctx, be_req->be_ctx->ev, hbac_ctx->offline, hbac_ctx->sdap_ctx, be_req->be_ctx->sysdb, - dp_opt_get_string(hbac_ctx->ipa_options, - IPA_DOMAIN), - local_hhi->dn, local_hhi->memberof); + hbac_ctx->ldap_basedn, local_hhi->dn, + local_hhi->memberof); if (req == NULL) { DEBUG(1, ("hbac_get_rules_send failed.\n")); goto fail; diff --git a/src/providers/ipa/ipa_access.h b/src/providers/ipa/ipa_access.h index bd221c574..e3ba5c30c 100644 --- a/src/providers/ipa/ipa_access.h +++ b/src/providers/ipa/ipa_access.h @@ -59,6 +59,7 @@ struct hbac_ctx { size_t groups_count; const char **groups; bool offline; + char *ldap_basedn; }; void ipa_access_handler(struct be_req *be_req); diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 2ad63d055..bed0666bd 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c 
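Review bot: The `char *ldap_basedn;` member added to struct hbac_ctx in the ipa_access.h hunk has no comment, so a reader must find ipa_access_handler to learn where the value comes from and who frees it. Suggest `char *ldap_basedn; /* base DN derived from IPA_DOMAIN via domain_to_basedn(); talloc child of this hbac_ctx */`, which matches the call in ipa_access_handler that allocates it on hbac_ctx. The two ipa_access.c hunks in this section only re-thread that field into the existing send calls and need no further change.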
@@ -123,33 +123,6 @@ struct dp_option ipa_def_krb5_opts[] = { { "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING } }; -int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn) -{ - const char *s; - char *dn; - char *p; - int l; - - s = domain; - dn = talloc_strdup(memctx, "dc="); - - while ((p = strchr(s, '.'))) { - l = p - s; - dn = talloc_asprintf_append_buffer(dn, "%.*s,dc=", l, s); - if (!dn) { - return ENOMEM; - } - s = p + 1; - } - dn = talloc_strdup_append_buffer(dn, s); - if (!dn) { - return ENOMEM; - } - - *basedn = dn; - return EOK; -} - int ipa_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb, const char *conf_path, diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index 54da6c8a3..77628189c 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -32,7 +32,7 @@ struct ipa_service { struct krb5_service *krb5_service; }; -/* the following define is used to keep track of the options in the ldap +/* the following defines are used to keep track of the options in the ldap * module, so that if they change and ipa is not updated correspondingly * this will trigger a runtime abort error */ #define IPA_OPTS_BASIC_TEST 32 @@ -64,6 +64,8 @@ struct ipa_options { struct krb5_ctx *auth_ctx; }; +int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn); + /* options parsers */ int ipa_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb, diff --git a/src/providers/ipa/ipa_utils.c b/src/providers/ipa/ipa_utils.c new file mode 100644 index 000000000..504a8772c --- /dev/null +++ b/src/providers/ipa/ipa_utils.c 
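Review bot: The `domain_to_basedn` prototype added to ipa_common.h is undocumented, and now that it is a shared helper (called from ipa_access.c and compiled into ipa_ldap_opt_tests) its contract belongs at the declaration. A short comment should state that it maps a dotted DNS domain such as `example.com` to `dc=example,dc=com`, allocates the result on `memctx`, and returns EOK, EINVAL when `domain` or `basedn` is NULL, or ENOMEM; it should also warn that no LDAP DN escaping or label validation is performed, so callers must pass a plain, trusted domain name rather than anything attacker-influenced. The ipa_common.c hunk is a pure move of the old body and needs no separate review.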
@@ -0,0 +1,57 @@ +/* + SSSD + + IPA Provider Utility Functions + + Authors: + Simo Sorce <ssorce@redhat.com>, Sumit Bose <sbose@redhat.com> + + Copyright (C) 2009-2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + + +#include "providers/ipa/ipa_common.h" + +int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn) +{ + const char *s; + char *dn; + char *p; + int l; + + if (!domain || !basedn) { + return EINVAL; + } + + s = domain; + dn = talloc_strdup(memctx, "dc="); + + while ((p = strchr(s, '.'))) { + l = p - s; + dn = talloc_asprintf_append_buffer(dn, "%.*s,dc=", l, s); + if (!dn) { + return ENOMEM; + } + s = p + 1; + } + dn = talloc_strdup_append_buffer(dn, s); + if (!dn) { + return ENOMEM; + } + + *basedn = dn; + return EOK; +} |
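Review bot: `dn = talloc_strdup(memctx, "dc=");` in domain_to_basedn is never checked for NULL; as far as I recall talloc's append helpers treat a NULL string as empty and allocate on a NULL context, so on allocation failure the function would return EOK with a DN lacking its leading `dc=` and not owned by `memctx`. Add `if (dn == NULL) { return ENOMEM; }` directly after the strdup, before the loop. The new `if (!domain || !basedn)` guard is a good addition, but the function still does no validation of the domain itself: an empty string yields `dc=`, and inputs with empty labels such as `example..com` or a trailing dot yield empty `dc=` components, producing a malformed search base. That is tolerable while `domain` comes only from the `IPA_DOMAIN` configuration option, but rejecting empty labels with EINVAL would make the helper safe for the other callers this move invites.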