summaryrefslogtreecommitdiffstats
path: root/src/providers
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2013-04-11 09:18:56 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-04-15 15:16:10 +0200
commitf66b1e7157f606cccad909f67daec29d7c87a41d (patch)
tree69394d3203b176e82a56af2ac117242c5980b0c4 /src/providers
parent2d654a45796b1c50a3c2368ba2aa78412073171d (diff)
downloadsssd-f66b1e7157f606cccad909f67daec29d7c87a41d.tar.gz
sssd-f66b1e7157f606cccad909f67daec29d7c87a41d.tar.xz
sssd-f66b1e7157f606cccad909f67daec29d7c87a41d.zip
Fix simple access group control in case-insensitive domains1.9.2-88
https://fedorahosted.org/sssd/ticket/1880 In the simple access provider, we need to only canonicalize user names when comparing with values in the ACL, not when searching the cache. The sysdb searches might do a base search with a DN constructed with the username which fails if the username is lower case.
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/simple/simple_access_check.c25
1 files changed, 9 insertions, 16 deletions
diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c
index a9e8f632e..d490328b0 100644
--- a/src/providers/simple/simple_access_check.c
+++ b/src/providers/simple/simple_access_check.c
@@ -90,8 +90,8 @@ simple_check_users(struct simple_ctx *ctx, const char *username,
}
static errno_t
-simple_check_groups(struct simple_ctx *ctx, const char *username,
- const char **group_names, bool *access_granted)
+simple_check_groups(struct simple_ctx *ctx, const char **group_names,
+ bool *access_granted)
{
bool matched;
int i, j;
@@ -356,7 +356,6 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
struct ldb_message **groups;
int i;
gid_t gid;
- char *cname;
req = tevent_req_create(mem_ctx, &state,
struct simple_check_groups_state);
@@ -365,18 +364,12 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
state->ev = ev;
state->ctx = ctx;
- cname = sss_get_cased_name(state, username, ctx->domain->case_sensitive);
- if (!cname) {
- ret = ENOMEM;
- goto done;
- }
-
- DEBUG(SSSDBG_TRACE_LIBS, ("Looking up groups for user %s\n", cname));
+ DEBUG(SSSDBG_TRACE_LIBS, ("Looking up groups for user %s\n", username));
ret = sysdb_search_user_by_name(state, ctx->domain->sysdb,
- cname, attrs, &user);
+ username, attrs, &user);
if (ret == ENOENT) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("No such user %s\n", cname));
+ DEBUG(SSSDBG_MINOR_FAILURE, ("No such user %s\n", username));
goto done;
} else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -394,7 +387,7 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_TRACE_FUNC,
("User %s is a member of %d supplemental groups\n",
- cname, group_count));
+ username, group_count));
/* One extra space for terminator, one extra space for private group */
state->group_names = talloc_zero_array(state, const char *, group_count + 2);
@@ -420,7 +413,7 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
gid = ldb_msg_find_attr_as_uint64(user, SYSDB_GIDNUM, 0);
if (!gid) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("User %s has no gid?\n", cname));
+ DEBUG(SSSDBG_MINOR_FAILURE, ("User %s has no gid?\n", username));
ret = EINVAL;
goto done;
}
@@ -694,8 +687,8 @@ static void simple_access_check_done(struct tevent_req *subreq)
return;
}
- ret = simple_check_groups(state->ctx, state->username,
- state->group_names, &state->access_granted);
+ ret = simple_check_groups(state->ctx, state->group_names,
+ &state->access_granted);
if (ret != EOK) {
tevent_req_error(req, ret);
return;