author | Yassir Elley <yelley@redhat.com> | 2014-05-30 08:36:25 -0400 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-07-01 11:29:12 +0200 |
commit | 588f8fbe74e66cc015f185a5b798173d320a65b5 (patch) | |
tree | ac31fcff9b2ec89d7c2755633903bae9fc3ad1ae /src/providers | |
parent | d3ca320a1ddea52fe86c052dd5521b8f98bb4f9f (diff) | |
AD-GPO: Add support for gpo permissive mode
Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/ad/ad_gpo.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 02387f48f..32ef852f3 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -32,6 +32,7 @@
 */
 #include <security/pam_modules.h>
+#include <syslog.h>
 #include "util/util.h"
 #include "util/strtonum.h"
 #include "util/child_common.h"
@@ -724,6 +725,7 @@ check_rights(char **privilege_sids,
 */
 static errno_t
 ad_gpo_access_check(TALLOC_CTX *mem_ctx,
+ enum gpo_access_control_mode gpo_mode,
 const char *user,
 struct sss_domain_info *domain,
 char **allowed_sids,
@@ -786,7 +788,19 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
 if (access_granted && !access_denied) {
 return EOK;
 } else {
- return EACCES;
+ switch (gpo_mode) {
+ case GPO_ACCESS_CONTROL_ENFORCING:
+ return EACCES;
+ case GPO_ACCESS_CONTROL_PERMISSIVE:
+ DEBUG(SSSDBG_TRACE_FUNC, "access denied: permissive mode\n");
+ sss_log_ext(SSS_LOG_WARNING, LOG_AUTHPRIV, "Warning: user would " \ "have been denied GPO-based logon access if the " \ "ad_gpo_access_control option were set to enforcing " \ "mode.");
+ return EOK;
+ default:
+ return EINVAL;
+ }
 }
 done:
@@ -836,6 +850,7 @@ struct ad_gpo_access_state {
 int timeout;
 struct sss_domain_info *domain;
 const char *user;
+ enum gpo_access_control_mode gpo_mode;
 const char *ad_hostname;
 const char *target_dn;
 struct gp_gpo **dacl_filtered_gpos;
@@ -885,6 +900,7 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
 state->ev = ev;
 state->user = user;
 state->ldb_ctx = sysdb_ctx_get_ldb(domain->sysdb);
+ state->gpo_mode = ctx->gpo_access_control_mode;
 state->ad_hostname = dp_opt_get_string(ctx->ad_options, AD_HOSTNAME);
 state->opts = ctx->sdap_access_ctx->id_ctx->opts;
 state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
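Review bot: The new `gpo_mode` parameter is inserted directly below a comment block that closes at `*/` above `static errno_t`, and the hunk shows no matching update to that comment; if it describes the parameters or the return values of ad_gpo_access_check, it now needs a line such as `gpo_mode: GPO_ACCESS_CONTROL_ENFORCING returns EACCES on a denied result; GPO_ACCESS_CONTROL_PERMISSIVE logs a warning and returns EOK`. The body of that comment is outside the hunk, so this is inferred from its closing line only.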
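Review bot: The permissive-mode warning written to AUTHPRIV does not name the user it concerns, so an administrator cannot tell from the log which accounts will start failing once enforcing mode is switched on; `user` is already a parameter of ad_gpo_access_check and belongs in the message, e.g. `sss_log_ext(SSS_LOG_WARNING, LOG_AUTHPRIV, "Warning: user [%s] would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.", user);` (this assumes sss_log_ext is printf-style, which its format-string argument suggests — confirm against its declaration). The DEBUG text `access denied: permissive mode` reads as if the login were refused although the branch returns EOK; `access would have been denied, granting because of permissive mode` states what actually happens. The `default:` arm returns EINVAL rather than EACCES, so an unexpected mode value only fails closed if every caller treats a non-EOK result as a denial; a one-line comment on that arm saying so would keep the intent visible. The backslashes between the adjacent string literals are unnecessary, since adjacent literals concatenate on their own, and the function's body continues outside the hunk.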
@@ -1340,7 +1356,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
 /* TBD: allowed/denied_sids/size, should be retrieved from cache */
 ret = ad_gpo_access_check
- (state, state->user, state->domain,
+ (state, state->gpo_mode, state->user, state->domain,
 allowed_sids, allowed_size, denied_sids, denied_size);
 if (ret != EOK) { |