diff options
author | Sumit Bose <sbose@redhat.com> | 2013-06-24 12:51:53 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-24 15:17:20 +0200 |
commit | 0535ad2bee920be5c07ee207903c2196eb19c02f (patch) | |
tree | 151849e2c692867ecc01f7a5727a9659ba79e1c1 /src/responder/pac | |
parent | 3438815242464a963c0d3a70f16579723a20b52d (diff) | |
download | sssd-0535ad2bee920be5c07ee207903c2196eb19c02f.tar.gz sssd-0535ad2bee920be5c07ee207903c2196eb19c02f.tar.xz sssd-0535ad2bee920be5c07ee207903c2196eb19c02f.zip |
PAC: do not delete originalDN or cached password if present
If the PAC responder recognizes some attribute changes between the
cached user entry and the PAC data it quite crudely just removes the
cached entry and recreates it. While in most cases all needed data can
be recovered from the PAC data there is a case where it is not possible.
E.g the IPA HBAC code use the OriginalDN attribute to improve
performance when evaluating access rules. This patch makes sure this
attribute is not lost when the PAC responder updates the object.
Diffstat (limited to 'src/responder/pac')
-rw-r--r-- | src/responder/pac/pacsrv_cmd.c | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/src/responder/pac/pacsrv_cmd.c b/src/responder/pac/pacsrv_cmd.c index 479a09419..2b11acad4 100644 --- a/src/responder/pac/pacsrv_cmd.c +++ b/src/responder/pac/pacsrv_cmd.c @@ -544,11 +544,12 @@ static errno_t save_pac_user(struct pac_req_ctx *pr_ctx) int ret; const char *attrs[] = {SYSDB_NAME, SYSDB_NAME_ALIAS, SYSDB_UIDNUM, SYSDB_GIDNUM, SYSDB_GECOS, SYSDB_HOMEDIR, - SYSDB_SHELL, NULL}; + SYSDB_SHELL, SYSDB_ORIG_DN, SYSDB_CACHEDPWD, NULL}; struct ldb_message *msg; struct passwd *pwd = NULL; TALLOC_CTX *tmp_ctx = NULL; struct sysdb_attrs *user_attrs = NULL; + const char *tmp_str; sysdb = pr_ctx->dom->sysdb; if (sysdb == NULL) { @@ -581,6 +582,30 @@ static errno_t save_pac_user(struct pac_req_ctx *pr_ctx) DEBUG(SSSDBG_OP_FAILURE, ("sysdb_delete_user failed.\n")); goto done; } + + /* If the entry is delete we might loose the information about the + * original DN of e.g. an IPA user or a chache password. */ + tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_ORIG_DN, NULL); + if (tmp_str != NULL) { + ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_DN, + tmp_str); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + ("sysdb_attrs_add_string failed.\n")); + goto done; + } + } + + tmp_str = ldb_msg_find_attr_as_string(msg, SYSDB_CACHEDPWD, NULL); + if (tmp_str != NULL) { + ret = sysdb_attrs_add_string(user_attrs, SYSDB_CACHEDPWD, + tmp_str); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + ("sysdb_attrs_add_string failed.\n")); + goto done; + } + } } else { goto done; } |