author | Jakub Hrozek <jhrozek@redhat.com> | 2013-04-11 09:18:56 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-04-15 15:16:10 +0200 |
commit | f66b1e7157f606cccad909f67daec29d7c87a41d (patch) | |
tree | 69394d3203b176e82a56af2ac117242c5980b0c4 /src/providers | |
parent | 2d654a45796b1c50a3c2368ba2aa78412073171d (diff) | |
Fix simple access group control in case-insensitive domains1.9.2-88
https://fedorahosted.org/sssd/ticket/1880
In the simple access provider, we need to only canonicalize user names when
comparing with values in the ACL, not when searching the cache. The sysdb
searches might do a base search with a DN constructed with the username
which fails if the username is lower case.
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/simple/simple_access_check.c | 25 |
1 files changed, 9 insertions, 16 deletions
diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c
index a9e8f632e..d490328b0 100644
--- a/src/providers/simple/simple_access_check.c
+++ b/src/providers/simple/simple_access_check.c
@@ -90,8 +90,8 @@ simple_check_users(struct simple_ctx *ctx, const char *username,
 }
 static errno_t
-simple_check_groups(struct simple_ctx *ctx, const char *username,
- const char **group_names, bool *access_granted)
+simple_check_groups(struct simple_ctx *ctx, const char **group_names,
+ bool *access_granted)
 {
 bool matched;
 int i, j;
@@ -356,7 +356,6 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
 struct ldb_message **groups;
 int i;
 gid_t gid;
- char *cname;
 req = tevent_req_create(mem_ctx, &state,
 struct simple_check_groups_state);
@@ -365,18 +364,12 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
 state->ev = ev;
 state->ctx = ctx;
- cname = sss_get_cased_name(state, username, ctx->domain->case_sensitive);
- if (!cname) {
- ret = ENOMEM;
- goto done;
- }
-
- DEBUG(SSSDBG_TRACE_LIBS, ("Looking up groups for user %s\n", cname));
+ DEBUG(SSSDBG_TRACE_LIBS, ("Looking up groups for user %s\n", username));
 ret = sysdb_search_user_by_name(state, ctx->domain->sysdb,
- cname, attrs, &user);
+ username, attrs, &user);
 if (ret == ENOENT) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("No such user %s\n", cname));
+ DEBUG(SSSDBG_MINOR_FAILURE, ("No such user %s\n", username));
 goto done;
 } else if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE,
@@ -394,7 +387,7 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
 DEBUG(SSSDBG_TRACE_FUNC,
 ("User %s is a member of %d supplemental groups\n",
- cname, group_count));
+ username, group_count));
 /* One extra space for terminator, one extra space for private group */
 state->group_names = talloc_zero_array(state, const char *, group_count + 2);
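Review bot: With `username` dropped from `simple_check_groups` (first hunk), the group allow/deny decision rests entirely on how `group_names` is compared with the configured lists, and that comparison is in the function body outside this hunk. Since the commit targets case-insensitive domains, confirm the comparison honours `ctx->domain->case_sensitive`; a case-sensitive match against a deny list would let a differently-cased group name miss the rule and fail open. A short header comment would record the contract, e.g. `/* group_names: terminated list read from the cache; matched against the ACL per the domain's case sensitivity */`. The call in `simple_access_check_done` (last hunk) is updated to match the new signature.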
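Review bot: Nothing at the `sysdb_search_user_by_name` call site (third hunk, `-365,18 +364,12`) records why `username` is now passed without case folding, so a later cleanup could easily reintroduce the canonicalization. Suggest a comment above the call such as `/* Do not lower-case here: sysdb may build a DN from this name; case folding belongs only in the ACL comparison */`. The canonicalization the commit message refers to ("when comparing with values in the ACL") is not visible in this diff, so it should be confirmed that `simple_check_users` still folds case before matching; otherwise user allow and deny entries would stop matching in case-insensitive domains. A regression test using a mixed-case login name in a case-insensitive domain, covering both a group allow rule and a group deny rule, would pin the behaviour. `simple_check_get_groups_send` starts above and continues below this hunk.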
@@ -420,7 +413,7 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
 gid = ldb_msg_find_attr_as_uint64(user, SYSDB_GIDNUM, 0);
 if (!gid) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("User %s has no gid?\n", cname));
+ DEBUG(SSSDBG_MINOR_FAILURE, ("User %s has no gid?\n", username));
 ret = EINVAL;
 goto done;
 }
@@ -694,8 +687,8 @@ static void simple_access_check_done(struct tevent_req *subreq)
 return;
 }
- ret = simple_check_groups(state->ctx, state->username,
- state->group_names, &state->access_granted);
+ ret = simple_check_groups(state->ctx, state->group_names,
+ &state->access_granted);
 if (ret != EOK) {
 tevent_req_error(req, ret);
 return; |