summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2013-10-25 14:15:02 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-10-30 22:45:26 +0100
commit55206e06bcfa0322cd817d34457e330545d6b877 (patch)
treecc6c4654cff375d79ec822d3738f46592556e7c0
parent05f6866b89f790e25510b7eeca88ded617294011 (diff)
downloadsssd-55206e06bcfa0322cd817d34457e330545d6b877.tar.gz
sssd-55206e06bcfa0322cd817d34457e330545d6b877.tar.xz
sssd-55206e06bcfa0322cd817d34457e330545d6b877.zip
LDAP: Check all search bases during nested group processing
-rw-r--r--src/providers/ldap/sdap_async_nested_groups.c55
1 files changed, 42 insertions, 13 deletions
diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
index fafbb36ba..3338d173e 100644
--- a/src/providers/ldap/sdap_async_nested_groups.c
+++ b/src/providers/ldap/sdap_async_nested_groups.c
@@ -392,6 +392,42 @@ done:
return ret;
}
+static bool
+sdap_nested_member_is_ent(struct sdap_nested_group_ctx *group_ctx,
+ const char *dn, char **filter, bool is_user)
+{
+ struct sdap_domain *sditer = NULL;
+ bool ret = false;
+ struct sdap_search_base **search_bases;
+
+ DLIST_FOR_EACH(sditer, group_ctx->opts->sdom) {
+ search_bases = is_user ? sditer->user_search_bases : \
+ sditer->group_search_bases;
+
+ ret = sss_ldap_dn_in_search_bases(group_ctx, dn, search_bases,
+ filter);
+ if (ret == true) {
+ break;
+ }
+ }
+
+ return ret;
+}
+
+static inline bool
+sdap_nested_member_is_user(struct sdap_nested_group_ctx *group_ctx,
+ const char *dn, char **filter)
+{
+ return sdap_nested_member_is_ent(group_ctx, dn, filter, true);
+}
+
+static inline bool
+sdap_nested_member_is_group(struct sdap_nested_group_ctx *group_ctx,
+ const char *dn, char **filter)
+{
+ return sdap_nested_member_is_ent(group_ctx, dn, filter, false);
+}
+
static errno_t
sdap_nested_group_split_members(TALLOC_CTX *mem_ctx,
struct sdap_nested_group_ctx *group_ctx,
@@ -475,13 +511,11 @@ sdap_nested_group_split_members(TALLOC_CTX *mem_ctx,
/* try to determine type by dn */
if (type == SDAP_NESTED_GROUP_DN_UNKNOWN) {
/* user */
- is_user = sss_ldap_dn_in_search_bases(tmp_ctx, dn,
- group_ctx->user_search_bases,
- &user_filter);
+ is_user = sdap_nested_member_is_user(group_ctx, dn,
+ &user_filter);
- is_group = sss_ldap_dn_in_search_bases(tmp_ctx, dn,
- group_ctx->group_search_bases,
- &group_filter);
+ is_group = sdap_nested_member_is_group(group_ctx, dn,
+ &group_filter);
if (is_user && is_group) {
/* search bases overlap */
@@ -2031,7 +2065,6 @@ sdap_nested_group_deref_direct_process(struct tevent_req *subreq)
size_t num_entries = 0;
size_t i, j;
bool member_found;
- bool bret;
errno_t ret;
req = tevent_req_callback_data(subreq, struct tevent_req);
@@ -2110,9 +2143,7 @@ sdap_nested_group_deref_direct_process(struct tevent_req *subreq)
/* we found a user */
/* skip the user if it is not amongst configured search bases */
- bret = sss_ldap_dn_in_search_bases(state, orig_dn,
- opts->sdom->user_search_bases, NULL);
- if (!bret) {
+ if (!sdap_nested_member_is_user(state->group_ctx, orig_dn, NULL)) {
continue;
}
@@ -2137,9 +2168,7 @@ sdap_nested_group_deref_direct_process(struct tevent_req *subreq)
}
/* skip the group if it is not amongst configured search bases */
- bret = sss_ldap_dn_in_search_bases(state, orig_dn,
- opts->sdom->group_search_bases, NULL);
- if (!bret) {
+ if (!sdap_nested_member_is_group(state->group_ctx, orig_dn, NULL)) {
continue;
}