authorJakub Hrozek <jhrozek@redhat.com>2014-01-08 17:12:17 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-01-09 12:32:03 +0100
commit91ab35daf713e146dfae53a67f6b86b424c897d5 (patch)
tree5d44255c3d6be2b6712b96a966f338b2fa938608
parent6ac0feca0cdc66fc8d8a612e25d37a49d27c0233 (diff)
LDAP: Add a new error code for malformed access control filtersssd-1.11.2-23.el7
https://fedorahosted.org/sssd/ticket/2164 The patch adds a new error code and special-cases it so that access is denied and a nicer log message is shown.
-rw-r--r--src/providers/ldap/sdap_access.c8
-rw-r--r--src/providers/ldap/sdap_async.c12
-rw-r--r--src/providers/ldap/sdap_async_groups_ad.c2
-rw-r--r--src/providers/ldap/sdap_async_initgroups_ad.c4
-rw-r--r--src/util/util_errors.c1
-rw-r--r--src/util/util_errors.h1
6 files changed, 18 insertions, 10 deletions
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index f0df24e7f..29e83eb43 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -855,9 +855,15 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
}
} else if (dp_error == DP_ERR_OFFLINE) {
ret = sdap_access_filter_decide_offline(req);
+ } else if (ret == ERR_INVALID_FILTER) {
+ sss_log(SSS_LOG_ERR,
+ "Malformed access control filter [%s]\n", state->filter);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Malformed access control filter [%s]\n", state->filter));
+ ret = ERR_ACCESS_DENIED;
} else {
DEBUG(1, ("sdap_get_generic_send() returned error [%d][%s]\n",
- ret, strerror(ret)));
+ ret, sss_strerror(ret)));
}
goto done;
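Review bot: The new `ERR_INVALID_FILTER` branch rewrites `ret` to `ERR_ACCESS_DENIED`, but nothing states that this fail-closed mapping is deliberate; a comment above the assignment such as `/* A filter the server rejects can never match: deny access rather than report a backend error */` would protect it from a later cleanup. The `sss_log()` format string ends in `\n`, while the `sss_log()` call visible in sdap_async.c ("LDAP connection error, %s") does not, so the newline should be dropped for the syslog message. `state->filter` is written to syslog verbatim; if the filter embeds the login name (not visible in this hunk), it is worth confirming that the name is sanitized before the filter is built. The touched `DEBUG(1, ...)` line could also take a named level like the `SSSDBG_CRIT_FAILURE` used just above. The function body starts and ends outside the hunk.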
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index e905d2dd6..367007bde 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -1306,9 +1306,9 @@ static errno_t sdap_get_generic_ext_step(struct tevent_req *req)
sss_log(SSS_LOG_ERR, "LDAP connection error, %s",
sss_ldap_err2string(lret));
}
- }
-
- else {
+ } else if (lret == LDAP_FILTER_ERROR) {
+ ret = ERR_INVALID_FILTER;
+ } else {
ret = EIO;
}
goto done;
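Review bot: `ERR_INVALID_FILTER` now propagates to every caller of this search step, yet only the access-filter path in sdap_access.c special-cases it; any caller outside this diff that still formats `ret` with `strerror()` would print an unknown-error string for the new code, so the remaining call sites should be checked and moved to `sss_strerror(ret)`. Nothing is logged where `lret == LDAP_FILTER_ERROR` is detected, so for callers other than the access check the cause is only visible through the generic failure message; a debug line in this branch, for example `DEBUG(SSSDBG_OP_FAILURE, ("LDAP server rejected the search filter\n"));`, would make the origin clear. The if/else chain begins outside the hunk.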
@@ -1570,7 +1570,7 @@ static void sdap_get_generic_done(struct tevent_req *subreq)
talloc_zfree(subreq);
if (ret) {
DEBUG(4, ("sdap_get_generic_ext_recv failed [%d]: %s\n",
- ret, strerror(ret)));
+ ret, sss_strerror(ret)));
tevent_req_error(req, ret);
return;
}
@@ -1790,7 +1790,7 @@ static void sdap_x_deref_search_done(struct tevent_req *subreq)
talloc_zfree(subreq);
if (ret) {
DEBUG(4, ("sdap_get_generic_ext_recv failed [%d]: %s\n",
- ret, strerror(ret)));
+ ret, sss_strerror(ret)));
tevent_req_error(req, ret);
return;
}
@@ -2049,7 +2049,7 @@ static void sdap_asq_search_done(struct tevent_req *subreq)
talloc_zfree(subreq);
if (ret) {
DEBUG(4, ("sdap_get_generic_ext_recv failed [%d]: %s\n",
- ret, strerror(ret)));
+ ret, sss_strerror(ret)));
tevent_req_error(req, ret);
return;
}
diff --git a/src/providers/ldap/sdap_async_groups_ad.c b/src/providers/ldap/sdap_async_groups_ad.c
index 9b61c697d..6a8a4fd13 100644
--- a/src/providers/ldap/sdap_async_groups_ad.c
+++ b/src/providers/ldap/sdap_async_groups_ad.c
@@ -183,7 +183,7 @@ sdap_get_ad_match_rule_members_step(struct tevent_req *subreq)
talloc_zfree(subreq);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
- ("LDAP search failed: [%s]\n", strerror(ret)));
+ ("LDAP search failed: [%s]\n", sss_strerror(ret)));
tevent_req_error(req, ret);
return;
}
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 8f8f0a4cc..724f308da 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -208,7 +208,7 @@ sdap_get_ad_match_rule_initgroups_step(struct tevent_req *subreq)
talloc_zfree(subreq);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
- ("LDAP search failed: [%s]\n", strerror(ret)));
+ ("LDAP search failed: [%s]\n", sss_strerror(ret)));
goto error;
}
@@ -383,7 +383,7 @@ static void sdap_get_ad_tokengroups_done(struct tevent_req *subreq)
talloc_zfree(subreq);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
- ("LDAP search failed: [%s]\n", strerror(ret)));
+ ("LDAP search failed: [%s]\n", sss_strerror(ret)));
goto done;
}
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 114c8b04f..633257e8d 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -51,6 +51,7 @@ struct err_string error_to_str[] = {
{ "Entry not found" }, /* ERR_NOT_FOUND */
{ "Domain not found" }, /* ERR_DOMAIN_NOT_FOUND */
{ "Missing configuration file" }, /* ERR_MISSING_CONF */
+ { "Malformed search filter" }, /* ERR_INVALID_FILTER, */
};
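Review bot: The comment on the added entry reads `/* ERR_INVALID_FILTER, */` with a stray comma inside it, unlike the neighbouring entries; it should be `/* ERR_INVALID_FILTER */`. The table is matched to `enum sssd_errors` by position only, so a string added in the wrong slot, or an enum value added without a string, would make `sss_strerror()` return the wrong text or read past the array. Whether a compile-time check on the entry count exists is not visible here; if it does not, one is worth adding next to the table.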
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index bca45f392..133208503 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -73,6 +73,7 @@ enum sssd_errors {
ERR_NOT_FOUND,
ERR_DOMAIN_NOT_FOUND,
ERR_MISSING_CONF,
+ ERR_INVALID_FILTER,
ERR_LAST /* ALWAYS LAST */
};