author | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-06 20:23:07 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-25 22:04:11 +0200 |
commit | 0b23970978de5c1088a5dbdd6012800b4db94572 (patch) | |
tree | cd8b9ba6865318f825d3a9246773d713545ab016 /src/providers/ipa | |
parent | d32961c07381a5518a15e8e83d3475445d871410 (diff) | |
LDAP: Amend sdap_access_check to allow any connection
Related:
https://fedorahosted.org/sssd/ticket/2082
Also move the check for subdomain to the handler. I think it is the job
of the handler to decide which domain the request belongs to, not the
request itself.
Diffstat (limited to 'src/providers/ipa')
-rw-r--r-- | src/providers/ipa/ipa_access.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 58539f4c6..704419484 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -78,6 +78,7 @@ void ipa_access_handler(struct be_req *be_req)
     struct pam_data *pd;
     struct ipa_access_ctx *ipa_access_ctx;
     struct tevent_req *req;
+    struct sss_domain_info *dom;
     struct be_ctx *be_ctx = be_req_get_be_ctx(be_req);
 
     pd = talloc_get_type(be_req_get_data(be_req), struct pam_data);
@@ -85,13 +86,21 @@ void ipa_access_handler(struct be_req *be_req)
     ipa_access_ctx = talloc_get_type(be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
                                      struct ipa_access_ctx);
 
+    dom = be_ctx->domain;
+    if (strcasecmp(pd->domain, be_ctx->domain->name) != 0) {
+        /* Subdomain request, verify subdomain */
+        dom = find_subdomain_by_name(be_ctx->domain, pd->domain, true);
+    }
+
     /* First, verify that this account isn't locked.
      * We need to do this in case the auth phase was
      * skipped (such as during GSSAPI single-sign-on
      * or SSH public key exchange. */
-    req = sdap_access_send(be_req, be_ctx->ev, be_ctx, be_ctx->domain,
-                           ipa_access_ctx->sdap_access_ctx, pd);
+    req = sdap_access_send(be_req, be_ctx->ev, be_ctx, dom,
+                           ipa_access_ctx->sdap_access_ctx,
+                           ipa_access_ctx->sdap_access_ctx->id_ctx->conn,
+                           pd);
     if (!req) {
         be_req_terminate(be_req, DP_ERR_FATAL, PAM_SYSTEM_ERR, NULL);
         return;
|
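Review bot: In the second hunk, `dom` is passed straight to `sdap_access_send()` after the `find_subdomain_by_name()` lookup, but the lookup result is never checked; if `pd->domain` names a domain that is neither the parent nor a known subdomain, the lookup presumably returns NULL and the access check proceeds with a NULL domain instead of failing the request. For an access-control path the request should be failed closed before the call: `if (dom == NULL) { be_req_terminate(be_req, DP_ERR_FATAL, PAM_SYSTEM_ERR, NULL); return; }`, placed after the closing brace of the `if (strcasecmp(...))` block. It is also worth a DEBUG line naming the unmatched `pd->domain`, since a request arriving for an unknown domain is something an operator will want to see in the logs. ipa_access_handler's body continues past the end of the hunk.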