authorJakub Hrozek <jhrozek@redhat.com>2013-10-07 18:02:04 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-10-25 22:04:11 +0200
commit9dd62f094fb4c1bfb04128de1c3ec20933603046 (patch)
treeeded847415955a60fbad0a712c896f0671c85dee /src/providers/ad/ad_init.c
parente37cbdd9be139b9949024c94ae21c12b36a6c180 (diff)
AD: Use the ad_access_filter if it's set
Related: https://fedorahosted.org/sssd/ticket/2082 Currently the AD access control only checks whether an account has expired. This patch amends the logic so that if ad_access_filter is set, it is used automatically.
Diffstat (limited to 'src/providers/ad/ad_init.c')
-rw-r--r--src/providers/ad/ad_init.c22
1 files changed, 20 insertions, 2 deletions
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index c829cc861..d744c2a05 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -366,6 +366,7 @@ sssm_ad_access_init(struct be_ctx *bectx,
errno_t ret;
struct ad_access_ctx *access_ctx;
struct ad_id_ctx *ad_id_ctx;
+ const char *filter;
access_ctx = talloc_zero(bectx, struct ad_access_ctx);
if (!access_ctx) return ENOMEM;
@@ -392,10 +393,27 @@ sssm_ad_access_init(struct be_ctx *bectx,
ret = ENOMEM;
goto fail;
}
-
access_ctx->sdap_access_ctx->id_ctx = access_ctx->sdap_ctx;
+
+ /* If ad_access_filter is set, the value of ldap_acess_order is
+ * expire, filter, otherwise only expire
+ */
access_ctx->sdap_access_ctx->access_rule[0] = LDAP_ACCESS_EXPIRE;
- access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EMPTY;
+ filter = dp_opt_get_cstring(access_ctx->ad_options, AD_ACCESS_FILTER);
+ if (filter != NULL) {
+ access_ctx->sdap_access_ctx->filter = sdap_get_access_filter(
+ access_ctx->sdap_access_ctx,
+ filter);
+ if (access_ctx->sdap_access_ctx->filter == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_FILTER;
+ access_ctx->sdap_access_ctx->access_rule[2] = LDAP_ACCESS_EMPTY;
+ } else {
+ access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EMPTY;
+ }
*ops = &ad_access_ops;
*pvt_data = access_ctx;
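Review bot: The filter branch writes `access_rule[2]` while the else branch stops at `access_rule[1]`, so the `access_rule` array in `struct sdap_access_ctx` must hold at least three entries and the consumer must stop at the first `LDAP_ACCESS_EMPTY`; that struct's declaration and its allocation are outside this hunk, so confirm the size there. The NULL result of `sdap_get_access_filter` is reported as ENOMEM, but if that helper can also return NULL for an empty or malformed `ad_access_filter` value, a misconfiguration would be logged as an allocation failure — a comment at the `goto fail` stating which failure modes the helper has, or a distinct log line, would help operators. The block comment misspells the option name: `* expire, filter, otherwise only expire` should refer to `ldap_access_order` rather than `ldap_acess_order`. sssm_ad_access_init begins and ends outside the hunk.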