authorJakub Hrozek <jhrozek@redhat.com>2013-04-11 09:18:56 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-04-15 14:56:45 +0200
commit8e195a545d41647e591c1d06082133cbd25dc0a4 (patch)
tree6b04cd814d97b677db67c35f77ed1a487a7096b3
parenteeee8d4e089830d337f217ec4921421ab448a8ec (diff)
Fix simple access group control in case-insensitive domains
https://fedorahosted.org/sssd/ticket/1713 In the simple access provider, we need to canonicalize user names only when comparing them with values in the ACL, not when searching the cache. The sysdb searches might do a base search with a DN constructed from the username, which fails if the username is lower case.
-rw-r--r--src/providers/simple/simple_access_check.c25
-rw-r--r--src/tests/simple_access-tests.c4
2 files changed, 11 insertions, 18 deletions
diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c
index 6475e773e..663b7ceac 100644
--- a/src/providers/simple/simple_access_check.c
+++ b/src/providers/simple/simple_access_check.c
@@ -90,8 +90,8 @@ simple_check_users(struct simple_ctx *ctx, const char *username,
}
static errno_t
-simple_check_groups(struct simple_ctx *ctx, const char *username,
- const char **group_names, bool *access_granted)
+simple_check_groups(struct simple_ctx *ctx, const char **group_names,
+ bool *access_granted)
{
bool matched;
int i, j;
@@ -357,7 +357,6 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
struct ldb_message **groups;
int i;
gid_t gid;
- char *cname;
req = tevent_req_create(mem_ctx, &state,
struct simple_check_groups_state);
@@ -366,18 +365,12 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
state->ev = ev;
state->ctx = ctx;
- cname = sss_get_cased_name(state, username, ctx->domain->case_sensitive);
- if (!cname) {
- ret = ENOMEM;
- goto done;
- }
-
- DEBUG(SSSDBG_TRACE_LIBS, ("Looking up groups for user %s\n", cname));
+ DEBUG(SSSDBG_TRACE_LIBS, ("Looking up groups for user %s\n", username));
ret = sysdb_search_user_by_name(state, ctx->domain->sysdb, ctx->domain,
- cname, attrs, &user);
+ username, attrs, &user);
if (ret == ENOENT) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("No such user %s\n", cname));
+ DEBUG(SSSDBG_MINOR_FAILURE, ("No such user %s\n", username));
goto done;
} else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
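Review bot: The reason the raw `username` is now handed to sysdb_search_user_by_name lives only in the commit message; a comment at the call would keep a future cleanup from reintroducing sss_get_cased_name here. I would add, above the `ret = sysdb_search_user_by_name(...)` line: `/* Do not lower-case the name here: sysdb may build a base DN from it, and that DN must match the stored case. Canonicalization belongs only in the ACL comparison (simple_check_users / simple_check_groups). */`. Whether the lookup itself tolerates a request whose case differs from the stored name in a case-insensitive domain is not visible from this hunk; the test change to `u1` suggests the stored case is expected to match. simple_check_get_groups_send starts and ends outside the hunk.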
@@ -395,7 +388,7 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_TRACE_FUNC,
("User %s is a member of %d supplemental groups\n",
- cname, group_count));
+ username, group_count));
/* One extra space for terminator, one extra space for private group */
state->group_names = talloc_zero_array(state, const char *, group_count + 2);
@@ -421,7 +414,7 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
gid = ldb_msg_find_attr_as_uint64(user, SYSDB_GIDNUM, 0);
if (!gid) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("User %s has no gid?\n", cname));
+ DEBUG(SSSDBG_MINOR_FAILURE, ("User %s has no gid?\n", username));
ret = EINVAL;
goto done;
}
@@ -696,8 +689,8 @@ static void simple_access_check_done(struct tevent_req *subreq)
return;
}
- ret = simple_check_groups(state->ctx, state->username,
- state->group_names, &state->access_granted);
+ ret = simple_check_groups(state->ctx, state->group_names,
+ &state->access_granted);
if (ret != EOK) {
tevent_req_error(req, ret);
return;
diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
index 1c2d1a9ea..4c7840026 100644
--- a/src/tests/simple_access-tests.c
+++ b/src/tests/simple_access-tests.c
@@ -480,7 +480,7 @@ START_TEST(test_group_case)
test_ctx->ctx->deny_groups = NULL;
req = simple_access_check_send(test_ctx, test_ctx->ev,
- test_ctx->ctx, "U1");
+ test_ctx->ctx, "u1");
fail_unless(test_ctx != NULL, "Cannot create request\n");
tevent_req_set_callback(req, simple_access_check_done, test_ctx);
@@ -495,7 +495,7 @@ START_TEST(test_group_case)
test_ctx->ctx->domain->case_sensitive = false;
req = simple_access_check_send(test_ctx, test_ctx->ev,
- test_ctx->ctx, "U1");
+ test_ctx->ctx, "u1");
fail_unless(test_ctx != NULL, "Cannot create request\n");
tevent_req_set_callback(req, simple_access_check_done, test_ctx);
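Review bot: With both requests now sending `u1`, the branch after `case_sensitive` is set to false no longer exercises a request whose case differs from the name held in the cache or the ACL, which is the situation the ticket describes; if the fixture stores the user as `u1`, an additional request with `U1` in that branch would be the regression test for this fix, though the fixture is not visible from the hunk. Separately, in both hunks of this file the assertion `fail_unless(test_ctx != NULL, "Cannot create request\n");` checks the wrong variable and should read `fail_unless(req != NULL, "Cannot create request\n");`, since a NULL `req` otherwise reaches tevent_req_set_callback unchecked. The enclosing START_TEST(test_group_case) body starts and ends outside the hunk.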