author | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-07 18:02:04 +0200 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-25 21:02:43 +0200 |
commit | efe6b4a9d374339cac2528cdeb43720957c6b7c9 (patch) | |
tree | 354549682b9d2333bff82177176af077bd6b805a /src/providers/ad/ad_init.c | |
parent | 8a05fd320a44636d120a18eb7e9956c7b35b3138 (diff) | |
AD: Use the ad_access_filter if it's set
Related:
https://fedorahosted.org/sssd/ticket/2082
Currently the AD access control only checks whether an account has
expired. This patch amends the logic so that, if ad_access_filter is set,
it is used automatically.
Diffstat (limited to 'src/providers/ad/ad_init.c')
-rw-r--r-- | src/providers/ad/ad_init.c | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index c829cc861..d744c2a05 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -366,6 +366,7 @@ sssm_ad_access_init(struct be_ctx *bectx,
 errno_t ret;
 struct ad_access_ctx *access_ctx;
 struct ad_id_ctx *ad_id_ctx;
+ const char *filter;
 access_ctx = talloc_zero(bectx, struct ad_access_ctx);
 if (!access_ctx) return ENOMEM;
@@ -392,10 +393,27 @@ sssm_ad_access_init(struct be_ctx *bectx,
 ret = ENOMEM;
 goto fail;
 }
- access_ctx->sdap_access_ctx->id_ctx = access_ctx->sdap_ctx;
+
+ /* If ad_access_filter is set, the value of ldap_acess_order is
+ * expire, filter, otherwise only expire
+ */
 access_ctx->sdap_access_ctx->access_rule[0] = LDAP_ACCESS_EXPIRE;
- access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EMPTY;
+ filter = dp_opt_get_cstring(access_ctx->ad_options, AD_ACCESS_FILTER);
+ if (filter != NULL) {
+ access_ctx->sdap_access_ctx->filter = sdap_get_access_filter(
+ access_ctx->sdap_access_ctx,
+ filter);
+ if (access_ctx->sdap_access_ctx->filter == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_FILTER;
+ access_ctx->sdap_access_ctx->access_rule[2] = LDAP_ACCESS_EMPTY;
+ } else {
+ access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EMPTY;
+ }
 *ops = &ad_access_ops;
 *pvt_data = access_ctx; |
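Review bot: The second hunk deletes `access_ctx->sdap_access_ctx->id_ctx = access_ctx->sdap_ctx;` and no added line assigns `id_ctx` again, so unless it is set somewhere outside this hunk the sdap access rules will run with a NULL `id_ctx`; the diffstat's two deletions are accounted for by that line and the old `access_rule[1]`, which makes this look like an accidental drop rather than a move, and it should be restored or its replacement pointed to. The new comment misspells the option it refers to; suggest `/* If ad_access_filter is set, the value of ldap_access_order is`. Writing `access_rule[2]` presumes the array in `struct sdap_access_ctx` holds at least three entries, which is not visible here and is worth confirming once since it decides whether the `LDAP_ACCESS_EMPTY` terminator lands in bounds. sssm_ad_access_init continues past the end of the hunk, and the `fail` label that the new `goto fail` jumps to is outside it.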