author | Sumit Bose <sbose@redhat.com> | 2015-04-22 16:57:37 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-04-29 11:33:22 +0200 |
commit | f70a1adbfc30b9acc302027439fb8157e0c6ea2a (patch) | |
tree | b65879cc54087e6e7fcc5aea4e2b86a4de3d1683 /src/providers/ldap | |
parent | 82a958e6592c4a4078e45b7197bbe4751b70f511 (diff) | |
IPA: allow initgroups by SID for AD users
If a user from a trusted AD domain is searched for with the help of an
override name, the SID from the override anchor is used to search for the
user in AD. Currently the initgroups request only allows searches by
name. With this patch a SID can be used as well.
Resolves https://fedorahosted.org/sssd/ticket/2632
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers/ldap')
-rw-r--r-- | src/providers/ldap/ldap_id.c | 15 | ||||
-rw-r--r-- | src/providers/ldap/sdap_async_initgroups.c | 2 |
2 files changed, 15 insertions, 2 deletions
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 642ae5c29..d65bd5f6a 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -1392,7 +1392,8 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
         break;
     case BE_REQ_INITGROUPS: /* init groups for user */
-        if (ar->filter_type != BE_FILTER_NAME) {
+        if (ar->filter_type != BE_FILTER_NAME
+            && ar->filter_type != BE_FILTER_SECID) {
             ret = EINVAL;
             state->err = "Invalid filter type";
             goto done;
@@ -1402,11 +1403,21 @@ sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
             state->err = "Invalid attr type";
             goto done;
         }
+        if (ar->filter_type == BE_FILTER_SECID && ar->extra_value != NULL
+            && strcmp(ar->extra_value, EXTRA_NAME_IS_SID) != 0) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "Unexpected extra value [%s] for BE_FILTER_SECID.\n",
+                  ar->extra_value);
+            ret = EINVAL;
+            state->err = "Invalid extra value";
+            goto done;
+        }
         subreq = groups_by_user_send(state, be_ctx->ev, id_ctx, sdom, conn,
                                      ar->filter_value,
-                                     ar->extra_value,
+                                     (ar->filter_type == BE_FILTER_SECID)
+                                     ? EXTRA_NAME_IS_SID : ar->extra_value,
                                      noexist_delete);
         break;
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index ae617b9c4..5c5be5eab 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2716,6 +2716,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
     if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {
         search_attr = state->opts->user_map[SDAP_AT_USER_PRINC].name;
+    } else if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_SID) == 0) {
+        search_attr = state->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
     } else {
         search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name;
     }
|
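Review bot: The new BE_FILTER_SECID path in the second ldap_id.c hunk forwards `ar->filter_value` to groups_by_user_send unchanged, and nothing here checks that the value is a well-formed SID string before it becomes an LDAP search value on the objectSid attribute; the filter construction lives outside this hunk, so it should be confirmed that the same filter sanitization applied to name lookups also covers this path and that a non-SID value is rejected rather than searched. The `extra_value` consistency check is only applied for BE_FILTER_SECID, so a BE_FILTER_NAME request carrying `EXTRA_NAME_IS_SID` still reaches the SID search branch with a name as the match value; if that is not intended, the same `goto done` rejection should cover it. As a point of style, the conditional inside the argument list reads awkwardly; a local such as `const char *extra = (ar->filter_type == BE_FILTER_SECID) ? EXTRA_NAME_IS_SID : ar->extra_value;` before the call, passed as `extra,`, keeps the call site flat. The enclosing sdap_handle_acct_req_send starts and ends outside the hunk.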
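Review bot: The added branch in sdap_get_initgr_send selects the objectSid attribute purely on `extra_value`, so the `name` argument is used verbatim as the SID match value while the code that builds the filter from it is outside this hunk; it is worth confirming that this value passes through the same escaping as the name and UPN cases, since a string chosen to look like a SID must not be able to widen the filter. The branch would also benefit from a one-line comment so the next reader knows what `name` holds here, e.g. `/* EXTRA_NAME_IS_SID: 'name' carries the user's SID, so match on objectSid */`. The enclosing function starts and ends outside the hunk.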