authorNikolai Kondrashov <Nikolai.Kondrashov@redhat.com>2014-02-12 10:12:59 -0500
committerJakub Hrozek <jhrozek@redhat.com>2014-02-12 22:31:02 +0100
commit83bf46f4066e3d5e838a32357c201de9bd6ecdfd (patch)
tree65f491f7661bd533398625e015f2b5e5bff3badf /src/providers/ldap/sdap_access.c
parent45a1d9d597df977354428440aeff11c6a0a947fe (diff)
Update DEBUG* invocations to use new levels
Use a script to update DEBUG* macro invocations, which use literal numbers for levels, to use bitmask macros instead: grep -rl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e 'use strict; use File::Slurp; my @map=qw" SSSDBG_FATAL_FAILURE SSSDBG_CRIT_FAILURE SSSDBG_OP_FAILURE SSSDBG_MINOR_FAILURE SSSDBG_CONF_SETTINGS SSSDBG_FUNC_DATA SSSDBG_TRACE_FUNC SSSDBG_TRACE_LIBS SSSDBG_TRACE_INTERNAL SSSDBG_TRACE_ALL "; my $text=read_file(\*STDIN); my $repl; $text=~s/ ^ ( .* \b (DEBUG|DEBUG_PAM_DATA|DEBUG_GR_MEM) \s* \(\s* )( [0-9] )( \s*, ) ( \s* ) ( .* ) $ / $repl = $1.$map[$3].$4.$5.$6, length($repl) <= 80 ? $repl : $1.$map[$3].$4."\n".(" " x length($1)).$6 /xmge; print $text; ' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'src/providers/ldap/sdap_access.c')
-rw-r--r--src/providers/ldap/sdap_access.c172
1 files changed, 100 insertions, 72 deletions
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 8addbdd18..65876ba41 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -91,7 +91,7 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
req = tevent_req_create(mem_ctx, &state, struct sdap_access_req_ctx);
if (req == NULL) {
- DEBUG(1, "tevent_req_create failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n");
return NULL;
}
@@ -103,10 +103,12 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
state->conn = conn;
state->current_rule = 0;
- DEBUG(6, "Performing access check for user [%s]\n", pd->user);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing access check for user [%s]\n", pd->user);
if (access_ctx->access_rule[0] == LDAP_ACCESS_EMPTY) {
- DEBUG(3, "No access rules defined, access denied.\n");
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "No access rules defined, access denied.\n");
ret = ERR_ACCESS_DENIED;
goto done;
}
@@ -129,7 +131,8 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
}
if (res->count != 1) {
- DEBUG(1, "Invalid response from sysdb_get_user_attr\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Invalid response from sysdb_get_user_attr\n");
ret = EINVAL;
goto done;
}
@@ -172,7 +175,7 @@ static errno_t check_next_rule(struct sdap_access_req_ctx *state,
state->pd->user,
state->user_entry);
if (subreq == NULL) {
- DEBUG(1, "sdap_access_filter_send failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_access_filter_send failed.\n");
return ENOMEM;
}
@@ -193,7 +196,8 @@ static errno_t check_next_rule(struct sdap_access_req_ctx *state,
break;
default:
- DEBUG(1, "Unexpected access rule type. Access denied.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected access rule type. Access denied.\n");
ret = ERR_ACCESS_DENIED;
}
@@ -251,17 +255,18 @@ static errno_t sdap_account_expired_shadow(struct pam_data *pd,
long sp_expire;
long today;
- DEBUG(6, "Performing access shadow check for user [%s]\n", pd->user);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing access shadow check for user [%s]\n", pd->user);
val = ldb_msg_find_attr_as_string(user_entry, SYSDB_SHADOWPW_EXPIRE, NULL);
if (val == NULL) {
- DEBUG(3, "Shadow expire attribute not found. "
+ DEBUG(SSSDBG_MINOR_FAILURE, "Shadow expire attribute not found. "
"Access will be granted.\n");
return EOK;
}
ret = string_to_shadowpw_days(val, &sp_expire);
if (ret != EOK) {
- DEBUG(1, "Failed to retrieve shadow expire date.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to retrieve shadow expire date.\n");
return ret;
}
@@ -272,7 +277,7 @@ static errno_t sdap_account_expired_shadow(struct pam_data *pd,
sizeof(SHADOW_EXPIRE_MSG),
(const uint8_t *) SHADOW_EXPIRE_MSG);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return ERR_ACCOUNT_EXPIRED;
@@ -300,7 +305,8 @@ static bool ad_account_expired(uint64_t expiration_time)
now = time(NULL);
if (now == ((time_t) -1)) {
err = errno;
- DEBUG(1, "time failed [%d][%s].\n", err, strerror(err));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "time failed [%d][%s].\n", err, strerror(err));
return true;
}
@@ -321,11 +327,12 @@ static errno_t sdap_account_expired_ad(struct pam_data *pd,
uint64_t expiration_time;
int ret;
- DEBUG(6, "Performing AD access check for user [%s]\n", pd->user);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing AD access check for user [%s]\n", pd->user);
uac = ldb_msg_find_attr_as_uint(user_entry, SYSDB_AD_USER_ACCOUNT_CONTROL,
0);
- DEBUG(9, "User account control for user [%s] is [%X].\n",
+ DEBUG(SSSDBG_TRACE_ALL, "User account control for user [%s] is [%X].\n",
pd->user, uac);
expiration_time = ldb_msg_find_attr_as_uint64(user_entry,
@@ -340,7 +347,7 @@ static errno_t sdap_account_expired_ad(struct pam_data *pd,
sizeof(AD_DISABLE_MESSAGE),
(const uint8_t *) AD_DISABLE_MESSAGE);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return ERR_ACCESS_DENIED;
@@ -351,7 +358,7 @@ static errno_t sdap_account_expired_ad(struct pam_data *pd,
sizeof(AD_EXPIRED_MESSAGE),
(const uint8_t *) AD_EXPIRED_MESSAGE);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return ERR_ACCOUNT_EXPIRED;
@@ -368,10 +375,11 @@ static errno_t sdap_account_expired_rhds(struct pam_data *pd,
bool locked;
int ret;
- DEBUG(6, "Performing RHDS access check for user [%s]\n", pd->user);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing RHDS access check for user [%s]\n", pd->user);
locked = ldb_msg_find_attr_as_bool(user_entry, SYSDB_NS_ACCOUNT_LOCK, false);
- DEBUG(9, "Account for user [%s] is%s locked.\n", pd->user,
+ DEBUG(SSSDBG_TRACE_ALL, "Account for user [%s] is%s locked.\n", pd->user,
locked ? "" : " not" );
if (locked) {
@@ -379,7 +387,7 @@ static errno_t sdap_account_expired_rhds(struct pam_data *pd,
sizeof(RHDS_LOCK_MSG),
(const uint8_t *) RHDS_LOCK_MSG);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return ERR_ACCESS_DENIED;
@@ -400,7 +408,8 @@ static bool nds_check_expired(const char *exp_time_str)
time_t now;
if (exp_time_str == NULL) {
- DEBUG(9, "ndsLoginExpirationTime is not set, access granted.\n");
+ DEBUG(SSSDBG_TRACE_ALL,
+ "ndsLoginExpirationTime is not set, access granted.\n");
return false;
}
@@ -408,18 +417,21 @@ static bool nds_check_expired(const char *exp_time_str)
end = strptime(exp_time_str, "%Y%m%d%H%M%SZ", &tm);
if (end == NULL) {
- DEBUG(1, "NDS expire date [%s] invalid.\n", exp_time_str);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "NDS expire date [%s] invalid.\n", exp_time_str);
return true;
}
if (*end != '\0') {
- DEBUG(1, "NDS expire date [%s] contains extra characters.\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "NDS expire date [%s] contains extra characters.\n",
exp_time_str);
return true;
}
expire_time = mktime(&tm);
if (expire_time == -1) {
- DEBUG(1, "mktime failed to convert [%s].\n", exp_time_str);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "mktime failed to convert [%s].\n", exp_time_str);
return true;
}
@@ -432,7 +444,7 @@ static bool nds_check_expired(const char *exp_time_str)
tzname[1], timezone, daylight, now, expire_time);
if (difftime(now, expire_time) > 0.0) {
- DEBUG(4, "NDS account expired.\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "NDS account expired.\n");
return true;
}
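Review bot: "NDS account expired." is a runtime access outcome, yet the mechanical 4 → SSSDBG_CONF_SETTINGS mapping files it under a level whose name says configuration settings, so anyone filtering logs by level name will not look for it there. The same applies to the converted level-4 lines in the later hunks for nds_check_time_map, sdap_access_filter_get_access_done ("User [%s] was not found ..."), sdap_access_service and sdap_access_host. The other decision messages in this file ("Access granted by cached credentials", "Access denied by online lookup") use SSSDBG_TRACE_FUNC, so a follow-up could align them, e.g. `DEBUG(SSSDBG_TRACE_FUNC, "NDS account expired.\n");`, or keep the bit and add a comment saying the level is inherited from the old numeric scheme. nds_check_expired's body continues outside the hunk.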
@@ -452,7 +464,8 @@ static bool nds_check_time_map(const struct ldb_val *time_map)
uint8_t mask = 0;
if (time_map == NULL) {
- DEBUG(9, "loginAllowedTimeMap is missing, access granted.\n");
+ DEBUG(SSSDBG_TRACE_ALL,
+ "loginAllowedTimeMap is missing, access granted.\n");
return false;
}
@@ -489,7 +502,7 @@ static bool nds_check_time_map(const struct ldb_val *time_map)
}
if (time_map->data[q.quot] & mask) {
- DEBUG(4, "Access allowed by time map.\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access allowed by time map.\n");
return false;
}
@@ -504,11 +517,12 @@ static errno_t sdap_account_expired_nds(struct pam_data *pd,
const char *exp_time_str;
const struct ldb_val *time_map;
- DEBUG(6, "Performing NDS access check for user [%s]\n", pd->user);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing NDS access check for user [%s]\n", pd->user);
locked = ldb_msg_find_attr_as_bool(user_entry, SYSDB_NDS_LOGIN_DISABLED,
false);
- DEBUG(9, "Account for user [%s] is%s disabled.\n", pd->user,
+ DEBUG(SSSDBG_TRACE_ALL, "Account for user [%s] is%s disabled.\n", pd->user,
locked ? "" : " not");
if (locked) {
@@ -516,7 +530,7 @@ static errno_t sdap_account_expired_nds(struct pam_data *pd,
sizeof(NDS_DISABLE_MSG),
(const uint8_t *) NDS_DISABLE_MSG);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return ERR_ACCESS_DENIED;
@@ -527,7 +541,8 @@ static errno_t sdap_account_expired_nds(struct pam_data *pd,
NULL);
locked = nds_check_expired(exp_time_str);
- DEBUG(9, "Account for user [%s] is%s expired.\n", pd->user,
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Account for user [%s] is%s expired.\n", pd->user,
locked ? "" : " not");
if (locked) {
@@ -535,7 +550,7 @@ static errno_t sdap_account_expired_nds(struct pam_data *pd,
sizeof(NDS_EXPIRED_MSG),
(const uint8_t *) NDS_EXPIRED_MSG);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return ERR_ACCESS_DENIED;
@@ -546,7 +561,8 @@ static errno_t sdap_account_expired_nds(struct pam_data *pd,
locked = nds_check_time_map(time_map);
- DEBUG(9, "Account for user [%s] is%s locked at this time.\n",
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Account for user [%s] is%s locked at this time.\n",
pd->user, locked ? "" : " not");
if (locked) {
@@ -554,7 +570,7 @@ static errno_t sdap_account_expired_nds(struct pam_data *pd,
sizeof(NDS_TIME_MAP_MSG),
(const uint8_t *) NDS_TIME_MAP_MSG);
if (ret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return ERR_ACCESS_DENIED;
@@ -576,33 +592,38 @@ static errno_t sdap_account_expired(struct sdap_access_ctx *access_ctx,
expire = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic,
SDAP_ACCOUNT_EXPIRE_POLICY);
if (expire == NULL) {
- DEBUG(1, "Missing account expire policy. Access denied\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Missing account expire policy. Access denied\n");
return ERR_ACCESS_DENIED;
} else {
if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_SHADOW) == 0) {
ret = sdap_account_expired_shadow(pd, user_entry);
if (ret != EOK) {
- DEBUG(1, "sdap_account_expired_shadow failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_account_expired_shadow failed.\n");
}
} else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_AD) == 0) {
ret = sdap_account_expired_ad(pd, user_entry);
if (ret != EOK) {
- DEBUG(1, "sdap_account_expired_ad failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_account_expired_ad failed.\n");
}
} else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_RHDS) == 0 ||
strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_IPA) == 0 ||
strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_389DS) == 0) {
ret = sdap_account_expired_rhds(pd, user_entry);
if (ret != EOK) {
- DEBUG(1, "sdap_account_expired_rhds failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_account_expired_rhds failed.\n");
}
} else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_NDS) == 0) {
ret = sdap_account_expired_nds(pd, user_entry);
if (ret != EOK) {
- DEBUG(1, "sdap_account_expired_nds failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_account_expired_nds failed.\n");
}
} else {
- DEBUG(1, "Unsupported LDAP account expire policy [%s]. "
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unsupported LDAP account expire policy [%s]. "
"Access denied.\n", expire);
ret = ERR_ACCESS_DENIED;
}
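Review bot: Each `if (ret != EOK)` branch in sdap_account_expired logs "... failed." at SSSDBG_CRIT_FAILURE, but the helpers visibly return ERR_ACCOUNT_EXPIRED and ERR_ACCESS_DENIED for an ordinary expired or locked account, so a normal denial is reported as a critical failure. That makes real internal errors (for example the EINVAL-style return from string_to_shadowpw_days) hard to pick out of the log. A narrower guard such as `if (ret != EOK && ret != ERR_ACCOUNT_EXPIRED && ret != ERR_ACCESS_DENIED) {` in each of the four branches would keep the critical level for genuine failures. The function starts and ends outside the hunk.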
@@ -653,7 +674,7 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
if (access_ctx->filter == NULL || *access_ctx->filter == '\0') {
/* If no filter is set, default to restrictive */
- DEBUG(6, "No filter set. Access is denied.\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "No filter set. Access is denied.\n");
ret = ERR_ACCESS_DENIED;
goto done;
}
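Review bot: The default-deny on a missing or empty filter is logged only at SSSDBG_TRACE_FUNC, so unless tracing is enabled an administrator whose users are all rejected presumably gets no hint that the filter option is unset. The comparable misconfiguration denials elsewhere in this commit are louder: "No access rules defined, access denied." uses SSSDBG_MINOR_FAILURE and "Missing account expire policy. Access denied" uses SSSDBG_CRIT_FAILURE. I would raise this one to match, `DEBUG(SSSDBG_MINOR_FAILURE, "No filter set. Access is denied.\n");`. sdap_access_filter_send starts and ends outside the hunk.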
@@ -666,7 +687,8 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
state->access_ctx = access_ctx;
state->domain = domain;
- DEBUG(6, "Performing access filter check for user [%s]\n", username);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing access filter check for user [%s]\n", username);
state->cached_access = ldb_msg_find_attr_as_bool(user_entry,
SYSDB_LDAP_ACCESS_FILTER,
@@ -681,7 +703,7 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
/* Perform online operation */
basedn = ldb_msg_find_attr_as_string(user_entry, SYSDB_ORIG_DN, NULL);
if (basedn == NULL) {
- DEBUG(1,"Could not find originalDN for user [%s]\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,"Could not find originalDN for user [%s]\n",
state->username);
ret = EINVAL;
goto done;
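Review bot: The rewritten call `DEBUG(SSSDBG_CRIT_FAILURE,"Could not find originalDN ...` has no space after the first comma, unlike the other converted calls in this file; the script carried over the original `DEBUG(1,"` spacing. Suggest `DEBUG(SSSDBG_CRIT_FAILURE, "Could not find originalDN for user [%s]\n",`, re-wrapping the arguments if that pushes the line past 80 columns.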
@@ -689,7 +711,8 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
state->basedn = talloc_strdup(state, basedn);
if (state->basedn == NULL) {
- DEBUG(1, "Could not allocate memory for originalDN\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not allocate memory for originalDN\n");
ret = ENOMEM;
goto done;
}
@@ -717,18 +740,18 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
state->opts->user_map[SDAP_OC_USER].name,
state->access_ctx->filter);
if (state->filter == NULL) {
- DEBUG(0, "Could not construct access filter\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not construct access filter\n");
ret = ENOMEM;
goto done;
}
talloc_zfree(clean_username);
- DEBUG(6, "Checking filter against LDAP\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "Checking filter against LDAP\n");
state->sdap_op = sdap_id_op_create(state,
state->conn->conn_cache);
if (!state->sdap_op) {
- DEBUG(2, "sdap_id_op_create failed\n");
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
ret = ENOMEM;
goto done;
}
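Review bot: "Could not construct access filter" ends up at SSSDBG_FATAL_FAILURE only because the old literal was 0, while the code simply sets `ret = ENOMEM` and jumps to `done`, exactly like the allocation failure for originalDN in the previous hunk, which is SSSDBG_CRIT_FAILURE. Nothing visible here terminates the process, so the fatal level overstates the event. I would align the two: `DEBUG(SSSDBG_CRIT_FAILURE, "Could not construct access filter\n");`. The function continues outside the hunk.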
@@ -756,10 +779,10 @@ static errno_t sdap_access_filter_decide_offline(struct tevent_req *req)
tevent_req_data(req, struct sdap_access_filter_req_ctx);
if (state->cached_access) {
- DEBUG(6, "Access granted by cached credentials\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "Access granted by cached credentials\n");
return EOK;
} else {
- DEBUG(6, "Access denied by cached credentials\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "Access denied by cached credentials\n");
return ERR_ACCESS_DENIED;
}
}
@@ -773,7 +796,8 @@ static int sdap_access_filter_retry(struct tevent_req *req)
subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
if (!subreq) {
- DEBUG(2, "sdap_id_op_connect_send failed: %d (%s)\n", ret, strerror(ret));
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_id_op_connect_send failed: %d (%s)\n", ret, strerror(ret));
return ret;
}
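Review bot: The wrapped message still formats `ret` with `strerror(ret)`, whereas sdap_access_filter_get_access_done in this same file uses `sss_strerror(ret)`. If sdap_id_op_connect_send can hand back one of the project's own ERR_* codes (not visible from this hunk), plain strerror would print an unhelpful "Unknown error" text. Suggest `"sdap_id_op_connect_send failed: %d (%s)\n", ret, sss_strerror(ret));` for consistency.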
@@ -820,7 +844,7 @@ static void sdap_access_filter_connect_done(struct tevent_req *subreq)
SDAP_SEARCH_TIMEOUT),
false);
if (subreq == NULL) {
- DEBUG(1, "Could not start LDAP communication\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not start LDAP communication\n");
tevent_req_error(req, EIO);
return;
}
@@ -861,7 +885,8 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
"Malformed access control filter [%s]\n", state->filter);
ret = ERR_ACCESS_DENIED;
} else {
- DEBUG(1, "sdap_get_generic_send() returned error [%d][%s]\n",
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_get_generic_send() returned error [%d][%s]\n",
ret, sss_strerror(ret));
}
@@ -874,12 +899,13 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
* Anything else is an error
*/
if (num_results < 1) {
- DEBUG(4, "User [%s] was not found with the specified filter. "
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "User [%s] was not found with the specified filter. "
"Denying access.\n", state->username);
found = false;
}
else if (results == NULL) {
- DEBUG(1, "num_results > 0, but results is NULL\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "num_results > 0, but results is NULL\n");
ret = ERR_INTERNAL;
goto done;
}
@@ -887,7 +913,7 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
/* It should not be possible to get more than one reply
* here, since we're doing a base-scoped search
*/
- DEBUG(1, "Received multiple replies\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Received multiple replies\n");
ret = ERR_INTERNAL;
goto done;
}
@@ -899,21 +925,21 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
/* Save "allow" to the cache for future offline
:q* access checks.
*/
- DEBUG(6, "Access granted by online lookup\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "Access granted by online lookup\n");
ret = EOK;
}
else {
/* Save "disallow" to the cache for future offline
* access checks.
*/
- DEBUG(6, "Access denied by online lookup\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "Access denied by online lookup\n");
ret = ERR_ACCESS_DENIED;
}
attrs = sysdb_new_attrs(state);
if (attrs == NULL) {
ret = ENOMEM;
- DEBUG(1, "Could not set up attrs\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n");
goto done;
}
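Review bot: The comment above "Access granted by online lookup" contains a stray editor command: its second line reads `:q* access checks.` where the matching comment in the else branch has ` * access checks.`. Since the commit touches the line directly below, it is a good moment to fix the comment so it reads `/* Save "allow" to the cache for future offline` / ` * access checks.` / ` */`. The enclosing function starts and ends outside the hunk.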
@@ -923,7 +949,7 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
/* Failing to save to the cache is non-fatal.
* Just return the result.
*/
- DEBUG(1, "Could not set up attrs\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n");
goto done;
}
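Review bot: The message at this non-fatal cache-save failure is the same "Could not set up attrs" string the previous hunk prints when sysdb_new_attrs returns NULL, so a log reader cannot tell the two failures apart, and it is raised at SSSDBG_CRIT_FAILURE although the comment directly above calls it non-fatal. The failing call is outside the hunk, so the wording is a guess, but something like `DEBUG(SSSDBG_MINOR_FAILURE, "Could not add access result to attrs\n");` would separate them; the same level question applies to "Failed to set user access attribute" in the next hunk. A short comment would also help here: when this save fails, a later offline check in sdap_access_filter_decide_offline presumably still reads the older cached value, which may be an allow recorded before this online denial.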
@@ -933,7 +959,7 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
/* Failing to save to the cache is non-fatal.
* Just return the result.
*/
- DEBUG(1, "Failed to set user access attribute\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set user access attribute\n");
goto done;
}
@@ -970,13 +996,14 @@ static errno_t sdap_access_service(struct pam_data *pd,
el = ldb_msg_find_element(user_entry, SYSDB_AUTHORIZED_SERVICE);
if (!el || el->num_values == 0) {
- DEBUG(1, "Missing authorized services. Access denied\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Missing authorized services. Access denied\n");
tret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
sizeof(AUTHR_SRV_MISSING_MSG),
(const uint8_t *) AUTHR_SRV_MISSING_MSG);
if (tret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
return ERR_ACCESS_DENIED;
@@ -989,13 +1016,13 @@ static errno_t sdap_access_service(struct pam_data *pd,
if (service[0] == '!' &&
strcasecmp(pd->service, service+1) == 0) {
/* This service is explicitly denied */
- DEBUG(4, "Access denied by [%s]\n", service);
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access denied by [%s]\n", service);
tret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
sizeof(AUTHR_SRV_DENY_MSG),
(const uint8_t *) AUTHR_SRV_DENY_MSG);
if (tret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
/* A denial trumps all. Break here */
@@ -1003,14 +1030,14 @@ static errno_t sdap_access_service(struct pam_data *pd,
} else if (strcasecmp(pd->service, service) == 0) {
/* This service is explicitly allowed */
- DEBUG(4, "Access granted for [%s]\n", service);
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access granted for [%s]\n", service);
/* We still need to loop through to make sure
* that it's not also explicitly denied
*/
ret = EOK;
} else if (strcmp("*", service) == 0) {
/* This user has access to all services */
- DEBUG(4, "Access granted to all services\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access granted to all services\n");
/* We still need to loop through to make sure
* that it's not also explicitly denied
*/
@@ -1019,13 +1046,13 @@ static errno_t sdap_access_service(struct pam_data *pd,
}
if (ret == ENOENT) {
- DEBUG(4, "No matching service rule found\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "No matching service rule found\n");
tret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
sizeof(AUTHR_SRV_NO_MATCH_MSG),
(const uint8_t *) AUTHR_SRV_NO_MATCH_MSG);
if (tret != EOK) {
- DEBUG(1, "pam_add_response failed.\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
}
ret = ERR_ACCESS_DENIED;
@@ -1044,12 +1071,13 @@ static errno_t sdap_access_host(struct ldb_message *user_entry)
el = ldb_msg_find_element(user_entry, SYSDB_AUTHORIZED_HOST);
if (!el || el->num_values == 0) {
- DEBUG(1, "Missing hosts. Access denied\n");
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing hosts. Access denied\n");
return ERR_ACCESS_DENIED;
}
if (gethostname(hostname, sizeof(hostname)) == -1) {
- DEBUG(1, "Unable to get system hostname. Access denied\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to get system hostname. Access denied\n");
return ERR_ACCESS_DENIED;
}
@@ -1066,20 +1094,20 @@ static errno_t sdap_access_host(struct ldb_message *user_entry)
if (host[0] == '!' &&
strcasecmp(hostname, host+1) == 0) {
/* This host is explicitly denied */
- DEBUG(4, "Access denied by [%s]\n", host);
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access denied by [%s]\n", host);
/* A denial trumps all. Break here */
return ERR_ACCESS_DENIED;
} else if (strcasecmp(hostname, host) == 0) {
/* This host is explicitly allowed */
- DEBUG(4, "Access granted for [%s]\n", host);
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access granted for [%s]\n", host);
/* We still need to loop through to make sure
* that it's not also explicitly denied
*/
ret = EOK;
} else if (strcmp("*", host) == 0) {
/* This user has access to all hosts */
- DEBUG(4, "Access granted to all hosts\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access granted to all hosts\n");
/* We still need to loop through to make sure
* that it's not also explicitly denied
*/
@@ -1088,7 +1116,7 @@ static errno_t sdap_access_host(struct ldb_message *user_entry)
}
if (ret == ENOENT) {
- DEBUG(4, "No matching host rule found\n");
+ DEBUG(SSSDBG_CONF_SETTINGS, "No matching host rule found\n");
ret = ERR_ACCESS_DENIED;
}