Add ldap_access_filter option

This option (applicable to access_provider=ldap) allows the admin
to set an additional LDAP search filter that must match in order
for a user to be granted access to the system.

Common examples for this would be limiting access to users by in a
particular group, for example:
ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com

1 files changed, 56 insertions, 0 deletions

diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index df2956ec6..5c6f4b790 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -25,6 +25,7 @@
 #include "providers/child_common.h"
 #include "providers/ldap/ldap_common.h"
 #include "providers/ldap/sdap_async_private.h"
+#include "providers/ldap/sdap_access.h"
 
 static void sdap_shutdown(struct be_req *req);
 
@@ -46,6 +47,12 @@ struct bet_ops sdap_chpass_ops = {
     .finalize = sdap_shutdown
 };
 
+/* Access Handler */
+struct bet_ops sdap_access_ops = {
+    .handler = sdap_pam_access_handler,
+    .finalize = sdap_shutdown
+};
+
 int sssm_ldap_id_init(struct be_ctx *bectx,
                       struct bet_ops **ops,
                       void **pvt_data)
@@ -55,6 +62,15 @@ int sssm_ldap_id_init(struct be_ctx *bectx,
     const char *dns_service_name;
     int ret;
 
+    /* If we're already set up, just return that */
+    if(bectx->bet_info[BET_ID].mod_name &&
+       strcmp("LDAP", bectx->bet_info[BET_ID].mod_name)) {
+        DEBUG(8, ("Re-using sdap_id_ctx for this provider\n"));
+        *ops = bectx->bet_info[BET_ID].bet_ops;
+        *pvt_data = bectx->bet_info[BET_ID].pvt_bet_data;
+        return EOK;
+    }
+
     ctx = talloc_zero(bectx, struct sdap_id_ctx);
     if (!ctx) return ENOMEM;
 
@@ -186,6 +202,46 @@ int sssm_ldap_chpass_init(struct be_ctx *bectx,
     return ret;
 }
 
+int sssm_ldap_access_init(struct be_ctx *bectx,
+                          struct bet_ops **ops,
+                          void **pvt_data)
+{
+    int ret;
+    struct sdap_access_ctx *access_ctx;
+
+    access_ctx = talloc_zero(bectx, struct sdap_access_ctx);
+    if(access_ctx == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ret = sssm_ldap_id_init(bectx, ops, (void **)&access_ctx->id_ctx);
+    if (ret != EOK) {
+        DEBUG(1, ("sssm_ldap_id_init failed.\n"));
+        goto done;
+    }
+
+    access_ctx->filter = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic,
+                                            SDAP_ACCESS_FILTER);
+    if (access_ctx->filter == NULL) {
+        /* It's okay if this is NULL. In that case we will simply act
+         * like the 'deny' provider.
+         */
+        DEBUG(0, ("Warning: access_provider=ldap set, "
+                  "but no ldap_access_filter configured. "
+                  "All domain users will be denied access.\n"));
+    }
+
+    *ops = &sdap_access_ops;
+    *pvt_data = access_ctx;
+
+done:
+    if (ret != EOK) {
+        talloc_free(access_ctx);
+    }
+    return ret;
+}
+
 static void sdap_shutdown(struct be_req *req)
 {
     /* TODO: Clean up any internal data */