diff options
| author | Simo Sorce <ssorce@redhat.com> | 2010-03-14 17:27:05 -0400 |
|---|---|---|
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-04-12 09:22:15 -0400 |
| commit | 7ffaa2afb9e03a6f0b9c602c0f03b2074ea33eac (patch) | |
| tree | abc9f4bfcc276834c922463120b35c66ee3bd033 /src/responder | |
| parent | 0a7a138cd47dcff3f4d53da2db4fa155708b8aeb (diff) | |
| download | sssd-7ffaa2afb9e03a6f0b9c602c0f03b2074ea33eac.tar.gz sssd-7ffaa2afb9e03a6f0b9c602c0f03b2074ea33eac.tar.xz sssd-7ffaa2afb9e03a6f0b9c602c0f03b2074ea33eac.zip | |
sysdb: convert sysdb_getpwnam
Diffstat (limited to 'src/responder')
| -rw-r--r-- | src/responder/nss/nsssrv_cmd.c | 419 | ||||
| -rw-r--r-- | src/responder/pam/pamsrv.h | 1 | ||||
| -rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 337 |
3 files changed, 309 insertions, 448 deletions
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c index 042517ad8..d25c467ae 100644 --- a/src/responder/nss/nsssrv_cmd.c +++ b/src/responder/nss/nsssrv_cmd.c @@ -33,6 +33,7 @@ struct nss_cmd_ctx { bool immediate; bool check_next; bool enum_cached; + }; struct dom_ctx { @@ -115,6 +116,61 @@ static int fill_empty(struct sss_packet *packet) return EOK; } +static int nss_cmd_send_empty(struct nss_cmd_ctx *cmdctx) +{ + struct cli_ctx *cctx = cmdctx->cctx; + int ret; + + /* create response packet */ + ret = sss_packet_new(cctx->creq, 0, + sss_packet_get_cmd(cctx->creq->in), + &cctx->creq->out); + if (ret != EOK) { + return ret; + } + ret = fill_empty(cctx->creq->out); + if (ret != EOK) { + return ret; + } + sss_packet_set_error(cctx->creq->out, EOK); + sss_cmd_done(cctx, cmdctx); + return EOK; +} + +static int nss_cmd_done(struct nss_cmd_ctx *cmdctx, int ret) +{ + switch (ret) { + case EOK: + /* all fine, just return here */ + break; + + case ENOENT: + ret = nss_cmd_send_empty(cmdctx); + if (ret) { + return EFAULT; + } + break; + + case EAGAIN: + /* async processing, just return here */ + break; + + case EFAULT: + /* very bad error */ + return EFAULT; + + default: + ret = nss_cmd_send_error(cmdctx, ret); + if (ret) { + return EFAULT; + } + sss_cmd_done(cmdctx->cctx, cmdctx); + break; + } + + return EOK; +} + /**************************************************************************** * PASSWD db related functions ***************************************************************************/ @@ -260,6 +316,36 @@ done: return EOK; } +static int nss_cmd_getpw_send_reply(struct nss_dom_ctx *dctx, bool filter) +{ + struct nss_cmd_ctx *cmdctx = dctx->cmdctx; + struct cli_ctx *cctx = cmdctx->cctx; + struct nss_ctx *nctx; + int ret; + + nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx); + + ret = sss_packet_new(cctx->creq, 0, + sss_packet_get_cmd(cctx->creq->in), + &cctx->creq->out); + if (ret != EOK) { + return EFAULT; + } + ret = fill_pwent(cctx->creq->out, + dctx->domain, + nctx, filter, + dctx->res->msgs, dctx->res->count); + if (ret) { + return ret; + } + sss_packet_set_error(cctx->creq->out, EOK); + sss_cmd_done(cctx, cmdctx); + return EOK; +} + + +/* FIXME: do not check res->count, but get in a msgs and check in parent */ +/* FIXME: do not sss_cmd_done, but return error and let parent do it */ static errno_t check_cache(struct nss_dom_ctx *dctx, struct nss_ctx *nctx, struct ldb_result *res, @@ -387,7 +473,6 @@ static errno_t check_cache(struct nss_dom_ctx *dctx, NSS_CMD_FATAL_ERROR_CODE(cctx, EIO); } sss_cmd_done(cctx, cmdctx); - return EIO; } return EAGAIN; @@ -399,155 +484,114 @@ static errno_t check_cache(struct nss_dom_ctx *dctx, static void nss_cmd_getpwnam_dp_callback(uint16_t err_maj, uint32_t err_min, const char *err_msg, void *ptr); -static void nss_cmd_getpwnam_callback(void *ptr, int status, - struct ldb_result *res) +/* search for a user. + * Returns: + * ENOENT, if user is definitely not found + * EAGAIN, if user is beeing fetched from backend via async operations + * EOK, if found + * anything else on a fatal error + */ + +static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx) { - struct nss_dom_ctx *dctx = talloc_get_type(ptr, struct nss_dom_ctx); struct nss_cmd_ctx *cmdctx = dctx->cmdctx; + struct sss_domain_info *dom = dctx->domain; struct cli_ctx *cctx = cmdctx->cctx; + const char *name = cmdctx->name; struct sysdb_ctx *sysdb; - struct sss_domain_info *dom; struct nss_ctx *nctx; - uint8_t *body; - size_t blen; - bool neghit = false; - int ncret; int ret; nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx); - if (status != LDB_SUCCESS) { - ret = nss_cmd_send_error(cmdctx, status); - if (ret != EOK) { - NSS_CMD_FATAL_ERROR(cctx); - } - sss_cmd_done(cctx, cmdctx); - return; - } - - if (dctx->check_provider) { - ret = check_cache(dctx, nctx, res, - SSS_DP_USER, cmdctx->name, 0, - nss_cmd_getpwnam_dp_callback); - if (ret != EOK) { - /* Anything but EOK means we should reenter the mainloop - * because we may be refreshing the cache - */ - return; + while (dom) { + /* if it is a domainless search, skip domains that require fully + * qualified names instead */ + while (dom && cmdctx->check_next && dom->fqnames) { + dom = dom->next; } - } - switch (res->count) { - case 0: - if (cmdctx->check_next) { + if (!dom) break; - ret = EOK; + if (dom != dctx->domain) { + /* make sure we reset the check_provider flag when we check + * a new domain */ + dctx->check_provider = NEED_CHECK_PROVIDER(dom->provider); + } - /* skip domains that require FQnames or have negative caches */ - for (dom = dctx->domain->next; dom; dom = dom->next) { + /* make sure to update the dctx if we changed domain */ + dctx->domain = dom; - if (dom->fqnames) continue; + /* verify this user has not yet been negatively cached, + * or has been permanently filtered */ + ret = nss_ncache_check_user(nctx->ncache, nctx->neg_timeout, + dom->name, name); - ncret = nss_ncache_check_user(nctx->ncache, - nctx->neg_timeout, - dom->name, cmdctx->name); - if (ncret == ENOENT) break; + /* if neg cached, return we didn't find it */ + if (ret == EEXIST) { + DEBUG(2, ("User [%s] does not exist! (negative cache)\n", name)); + return ENOENT; + } - neghit = true; - } - /* reset neghit if we still have a domain to check */ - if (dom) neghit = false; + DEBUG(4, ("Requesting info for [%s@%s]\n", name, dom->name)); - if (neghit) { - DEBUG(2, ("User [%s] does not exist! (negative cache)\n", - cmdctx->name)); - ret = ENOENT; - } - if (dom == NULL) { - DEBUG(2, ("No matching domain found for [%s], fail!\n", - cmdctx->name)); - ret = ENOENT; - } + ret = sysdb_get_ctx_from_list(cctx->rctx->db_list, dom, &sysdb); + if (ret != EOK) { + DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n")); + return EIO; + } - if (ret == EOK) { - dctx->domain = dom; - dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider); - if (dctx->res) talloc_free(res); - dctx->res = NULL; + ret = sysdb_getpwnam(cmdctx, sysdb, dom, name, &dctx->res); + if (ret != EOK) { + DEBUG(1, ("Failed to make request to our cache!\n")); + return EIO; + } - DEBUG(4, ("Requesting info for [%s@%s]\n", - cmdctx->name, dctx->domain->name)); + if (dctx->res->count > 1) { + DEBUG(0, ("getpwnam call returned more than one result !?!\n")); + return ENOENT; + } - ret = sysdb_get_ctx_from_list(cctx->rctx->db_list, - dctx->domain, &sysdb); - if (ret != EOK) { - DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n")); - NSS_CMD_FATAL_ERROR(cctx); - } - ret = sysdb_getpwnam(cmdctx, sysdb, - dctx->domain, cmdctx->name, - nss_cmd_getpwnam_callback, dctx); - if (ret != EOK) { - DEBUG(1, ("Failed to make request to our cache!\n")); - } + if (dctx->res->count == 0 && !dctx->check_provider) { + /* if a multidomain search, try with next */ + if (cmdctx->check_next) { + dom = dom->next; + continue; } - /* we made another call, end here */ - if (ret == EOK) return; - } + DEBUG(2, ("No results for getpwnam call\n")); - DEBUG(2, ("No results for getpwnam call\n")); - - /* set negative cache only if not result of cache check */ - if (!neghit) { - ret = nss_ncache_set_user(nctx->ncache, false, - dctx->domain->name, cmdctx->name); + /* set negative cache only if not result of cache check */ + ret = nss_ncache_set_user(nctx->ncache, false, dom->name, name); if (ret != EOK) { - NSS_CMD_FATAL_ERROR(cctx); + return ret; } - } - ret = sss_packet_new(cctx->creq, 2*sizeof(uint32_t), - sss_packet_get_cmd(cctx->creq->in), - &cctx->creq->out); - if (ret != EOK) { - NSS_CMD_FATAL_ERROR(cctx); + return ENOENT; } - sss_packet_get_body(cctx->creq->out, &body, &blen); - ((uint32_t *)body)[0] = 0; /* 0 results */ - ((uint32_t *)body)[1] = 0; /* reserved */ - break; - case 1: - DEBUG(6, ("Returning info for user [%s]\n", cmdctx->name)); - - /* create response packet */ - ret = sss_packet_new(cctx->creq, 0, - sss_packet_get_cmd(cctx->creq->in), - &cctx->creq->out); - if (ret != EOK) { - NSS_CMD_FATAL_ERROR(cctx); - } - ret = fill_pwent(cctx->creq->out, - dctx->domain, - nctx, false, - res->msgs, res->count); - if (ret == ENOENT) { - ret = fill_empty(cctx->creq->out); + /* if this is a caching provider (or if we haven't checked the cache + * yet) then verify that the cache is uptodate */ + if (dctx->check_provider) { + ret = check_cache(dctx, nctx, dctx->res, + SSS_DP_USER, name, 0, + nss_cmd_getpwnam_dp_callback); + if (ret != EOK) { + /* Anything but EOK means we should reenter the mainloop + * because we may be refreshing the cache + */ + return ret; + } } - sss_packet_set_error(cctx->creq->out, ret); - break; + /* One result found */ + DEBUG(6, ("Returning info for user [%s@%s]\n", name, dom->name)); - default: - DEBUG(1, ("getpwnam call returned more than one result !?!\n")); - ret = nss_cmd_send_error(cmdctx, ENOENT); - if (ret != EOK) { - NSS_CMD_FATAL_ERROR(cctx); - } + return EOK; } - sss_cmd_done(cctx, cmdctx); + DEBUG(2, ("No matching domain found for [%s], fail!\n", name)); + return ENOENT; } static void nss_cmd_getpwnam_dp_callback(uint16_t err_maj, uint32_t err_min, @@ -556,7 +600,6 @@ static void nss_cmd_getpwnam_dp_callback(uint16_t err_maj, uint32_t err_min, struct nss_dom_ctx *dctx = talloc_get_type(ptr, struct nss_dom_ctx); struct nss_cmd_ctx *cmdctx = dctx->cmdctx; struct cli_ctx *cctx = cmdctx->cctx; - struct sysdb_ctx *sysdb; int ret; if (err_maj) { @@ -565,39 +608,33 @@ static void nss_cmd_getpwnam_dp_callback(uint16_t err_maj, uint32_t err_min, "Will try to return what we have in cache\n", (unsigned int)err_maj, (unsigned int)err_min, err_msg)); - if (!dctx->res) { - /* return 0 results */ - dctx->res = talloc_zero(dctx, struct ldb_result); - if (!dctx->res) { - ret = ENOMEM; - goto done; - } + if (dctx->res && dctx->res->count == 1) { + ret = nss_cmd_getpw_send_reply(dctx, false); + goto done; } - nss_cmd_getpwnam_callback(dctx, LDB_SUCCESS, dctx->res); - return; + /* no previous results, just loop to next domain if possible */ + if (dctx->domain->next && cmdctx->check_next) { + dctx->domain = dctx->domain->next; + dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider); + } else { + /* nothing vailable */ + ret = ENOENT; + goto done; + } } - ret = sysdb_get_ctx_from_list(cctx->rctx->db_list, - dctx->domain, &sysdb); - if (ret != EOK) { - DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n")); - NSS_CMD_FATAL_ERROR(cctx); + /* ok the backend returned, search to see if we have updated results */ + ret = nss_cmd_getpwnam_search(dctx); + if (ret == EOK) { + /* we have results to return */ + ret = nss_cmd_getpw_send_reply(dctx, false); } - ret = sysdb_getpwnam(cmdctx, sysdb, - dctx->domain, cmdctx->name, - nss_cmd_getpwnam_callback, dctx); done: - if (ret != EOK) { - DEBUG(1, ("Failed to make request to our cache! (%d [%s])\n", - ret, strerror(ret))); - - ret = nss_cmd_send_error(cmdctx, ret); - if (ret != EOK) { - NSS_CMD_FATAL_ERROR(cctx); - } - sss_cmd_done(cctx, cmdctx); + ret = nss_cmd_done(cmdctx, ret); + if (ret) { + NSS_CMD_FATAL_ERROR(cctx); } } @@ -605,18 +642,11 @@ static int nss_cmd_getpwnam(struct cli_ctx *cctx) { struct nss_cmd_ctx *cmdctx; struct nss_dom_ctx *dctx; - struct sss_domain_info *dom; - struct sysdb_ctx *sysdb; - struct nss_ctx *nctx; const char *rawname; char *domname; uint8_t *body; size_t blen; int ret; - int ncret; - bool neghit = false; - - nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx); cmdctx = talloc_zero(cctx, struct nss_cmd_ctx); if (!cmdctx) { @@ -659,92 +689,23 @@ static int nss_cmd_getpwnam(struct cli_ctx *cctx) ret = ENOENT; goto done; } - - /* verify this user has not yet been negatively cached, - * or has been permanently filtered */ - ncret = nss_ncache_check_user(nctx->ncache, nctx->neg_timeout, - dctx->domain->name, cmdctx->name); - if (ncret == EEXIST) { - neghit = true; - } - } - else { - /* skip domains that require FQnames or have negative caches */ - for (dom = cctx->rctx->domains; dom; dom = dom->next) { - - if (dom->fqnames) continue; - - /* verify this user has not yet been negatively cached, - * or has been permanently filtered */ - ncret = nss_ncache_check_user(nctx->ncache, nctx->neg_timeout, - dom->name, cmdctx->name); - if (ncret == ENOENT) break; - - neghit = true; - } - /* reset neghit if we still have a domain to check */ - if (dom) neghit = false; - - dctx->domain = dom; - } - if (neghit) { - DEBUG(2, ("User [%s] does not exist! (negative cache)\n", rawname)); - ret = ENOENT; - goto done; - } - if (dctx->domain == NULL) { - DEBUG(2, ("No matching domain found for [%s], fail!\n", rawname)); - ret = ENOENT; - goto done; - } - - dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider); - - if (!domname) { + } else { /* this is a multidomain search */ + dctx->domain = cctx->rctx->domains; cmdctx->check_next = true; } - DEBUG(4, ("Requesting info for [%s@%s]\n", - cmdctx->name, dctx->domain->name)); + dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider); - ret = sysdb_get_ctx_from_list(cctx->rctx->db_list, - dctx->domain, &sysdb); - if (ret != EOK) { - DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n")); - ret = EFAULT; - goto done; - } - ret = sysdb_getpwnam(cmdctx, sysdb, - dctx->domain, cmdctx->name, - nss_cmd_getpwnam_callback, dctx); - if (ret != EOK) { - DEBUG(1, ("Failed to make request to our cache!\n")); + /* ok, find it ! */ + ret = nss_cmd_getpwnam_search(dctx); + if (ret == EOK) { + /* we have results to return */ + ret = nss_cmd_getpw_send_reply(dctx, false); } done: - if (ret != EOK) { - if (ret == ENOENT) { - /* we do not have any entry to return */ - ret = sss_packet_new(cctx->creq, 2*sizeof(uint32_t), - sss_packet_get_cmd(cctx->creq->in), - &cctx->creq->out); - if (ret == EOK) { - sss_packet_get_body(cctx->creq->out, &body, &blen); - ((uint32_t *)body)[0] = 0; /* 0 results */ - ((uint32_t *)body)[1] = 0; /* reserved */ - } - } - if (ret != EOK) { - ret = nss_cmd_send_error(cmdctx, ret); - } - if (ret == EOK) { - sss_cmd_done(cctx, cmdctx); - } - return ret; - } - - return EOK; + return nss_cmd_done(cmdctx, ret); } static void nss_cmd_getpwuid_dp_callback(uint16_t err_maj, uint32_t err_min, diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h index 60f9c66ae..1a81fb70f 100644 --- a/src/responder/pam/pamsrv.h +++ b/src/responder/pam/pamsrv.h @@ -44,6 +44,7 @@ struct pam_auth_req { pam_dp_callback_t *callback; + struct ldb_result *res; bool check_provider; void *data; }; diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index eba78cceb..d5b4eff69 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -564,8 +564,8 @@ static void pam_cache_auth_done(struct pam_auth_req *preq, int ret, static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min, const char *err_msg, void *ptr); -static void pam_check_user_callback(void *ptr, int status, - struct ldb_result *res); +static int pam_check_user_search(struct pam_auth_req *preq); +static int pam_check_user_done(struct pam_auth_req *preq, int ret); static void pam_dom_forwarder(struct pam_auth_req *preq); /* TODO: we should probably return some sort of cookie that is set in the @@ -575,12 +575,10 @@ static void pam_dom_forwarder(struct pam_auth_req *preq); static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) { struct sss_domain_info *dom; - struct sysdb_ctx *sysdb; struct pam_auth_req *preq; struct pam_data *pd; uint8_t *body; size_t blen; - int timeout; int ret; uint32_t terminator = SSS_END_OF_PAM_REQUEST; preq = talloc_zero(cctx, struct pam_auth_req); @@ -663,267 +661,168 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) goto done; } - /* When auth is requested always search the provider first, - * do not rely on cached data unless the provider is completely - * offline */ - if (NEED_CHECK_PROVIDER(preq->domain->provider) && - (pam_cmd == SSS_PAM_AUTHENTICATE || pam_cmd == SSS_PAM_SETCRED)) { - - /* no need to re-check later on */ - preq->check_provider = false; - timeout = SSS_CLI_SOCKET_TIMEOUT/2; - - ret = sss_dp_send_acct_req(preq->cctx->rctx, preq, - pam_check_user_dp_callback, preq, - timeout, preq->domain->name, - false, SSS_DP_INITGROUPS, - preq->pd->user, 0); - } - else { - preq->check_provider = NEED_CHECK_PROVIDER(preq->domain->provider); - - ret = sysdb_get_ctx_from_list(cctx->rctx->db_list, - preq->domain, &sysdb); - if (ret != EOK) { - DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n")); - goto done; - } - ret = sysdb_getpwnam(preq, sysdb, - preq->domain, preq->pd->user, - pam_check_user_callback, preq); + ret = pam_check_user_search(preq); + if (ret == EOK) { + pam_dom_forwarder(preq); } done: - if (ret != EOK) { - switch (ret) { - case ENOENT: - pd->pam_status = PAM_USER_UNKNOWN; - default: - pd->pam_status = PAM_SYSTEM_ERR; - } - pam_reply(preq); - } - return EOK; + return pam_check_user_done(preq, ret); } -static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min, - const char *err_msg, void *ptr) +static int pam_check_user_search(struct pam_auth_req *preq) { - struct pam_auth_req *preq = talloc_get_type(ptr, struct pam_auth_req); + struct sss_domain_info *dom = preq->domain; + struct cli_ctx *cctx = preq->cctx; + const char *name = preq->pd->user; struct sysdb_ctx *sysdb; + time_t cacheExpire; int ret; - if (err_maj) { - DEBUG(2, ("Unable to get information from Data Provider\n" - "Error: %u, %u, %s\n", - (unsigned int)err_maj, (unsigned int)err_min, err_msg)); - } + while (dom) { + /* if it is a domainless search, skip domains that require fully + * qualified names instead */ + while (dom && !preq->pd->domain && dom->fqnames) { + dom = dom->next; + } - /* always try to see if we have the user in cache even if the provider - * returned an error */ - ret = sysdb_get_ctx_from_list(preq->cctx->rctx->db_list, - preq->domain, &sysdb); - if (ret != EOK) { - DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n")); - goto done; - } - ret = sysdb_getpwnam(preq, sysdb, - preq->domain, preq->pd->user, - pam_check_user_callback, preq); + if (!dom) break; -done: - if (ret != EOK) { - preq->pd->pam_status = PAM_SYSTEM_ERR; - pam_reply(preq); - } -} + if (dom != preq->domain) { + /* make sure we reset the check_provider flag when we check + * a new domain */ + preq->check_provider = NEED_CHECK_PROVIDER(dom->provider); + } -static void pam_check_user_callback(void *ptr, int status, - struct ldb_result *res) -{ - struct pam_auth_req *preq = talloc_get_type(ptr, struct pam_auth_req); - struct sss_domain_info *dom; - struct sysdb_ctx *sysdb; - uint64_t cacheExpire; - bool call_provider = false; - time_t timeout; - int ret; + /* make sure to update the preq if we changed domain */ + preq->domain = dom; - if (status != LDB_SUCCESS) { - preq->pd->pam_status = PAM_SYSTEM_ERR; - pam_reply(preq); - return; - } + /* TODO: check negative cache ? */ - timeout = SSS_CLI_SOCKET_TIMEOUT/2; + /* Always try to refresh the cache first on authentication */ + if (preq->check_provider && + (preq->pd->cmd == SSS_PAM_AUTHENTICATE || + preq->pd->cmd == SSS_PAM_SETCRED)) { - if (preq->check_provider) { - switch (res->count) { - case 0: - call_provider = true; + /* call provider first */ break; + } - case 1: - cacheExpire = ldb_msg_find_attr_as_uint64(res->msgs[0], + DEBUG(4, ("Requesting info for [%s@%s]\n", name, dom->name)); + + ret = sysdb_get_ctx_from_list(cctx->rctx->db_list, dom, &sysdb); + if (ret != EOK) { + DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n")); + preq->pd->pam_status = PAM_SYSTEM_ERR; + return EFAULT; + } + ret = sysdb_getpwnam(preq, sysdb, dom, name, &preq->res); + if (ret != EOK) { + DEBUG(1, ("Failed to make request to our cache!\n")); + return EIO; + } + + if (preq->res->count > 1) { + DEBUG(0, ("getpwnam call returned more than one result !?!\n")); + return ENOENT; + } + + if (preq->res->count == 0) { + /* if a multidomain search, try with next */ + if (!preq->pd->domain) { + dom = dom->next; + continue; + } + + DEBUG(2, ("No results for getpwnam call\n")); + + /* TODO: store negative cache ? */ + + return ENOENT; + } + + /* One result found */ + + /* if we need to check the remote account go on */ + if (preq->check_provider) { + cacheExpire = ldb_msg_find_attr_as_uint64(preq->res->msgs[0], SYSDB_CACHE_EXPIRE, 0); if (cacheExpire < time(NULL)) { - call_provider = true; + break; } - break; - - default: - DEBUG(1, ("check user call returned more than one result !?!\n")); - preq->pd->pam_status = PAM_SYSTEM_ERR; - pam_reply(preq); - return; } + + DEBUG(6, ("Returning info for user [%s@%s]\n", name, dom->name)); + + return EOK; } - if (call_provider) { + if (preq->check_provider) { /* dont loop forever :-) */ preq->check_provider = false; - /* keep around current data in case backend is offline */ - if (res->count) { - preq->data = talloc_steal(preq, res); - } - ret = sss_dp_send_acct_req(preq->cctx->rctx, preq, pam_check_user_dp_callback, preq, - timeout, preq->domain->name, - false, SSS_DP_USER, - preq->pd->user, 0); + SSS_CLI_SOCKET_TIMEOUT/2, + dom->name, false, SSS_DP_USER, name, 0); if (ret != EOK) { DEBUG(3, ("Failed to dispatch request: %d(%s)\n", ret, strerror(ret))); preq->pd->pam_status = PAM_SYSTEM_ERR; - pam_reply(preq); + return EIO; } - return; + /* tell caller we are in an async call */ + return EAGAIN; } - switch (res->count) { - case 0: - if (!preq->pd->domain) { - /* search next as the domain was unknown */ - - ret = EOK; - - /* skip domains that require FQnames or have negative caches */ - for (dom = preq->domain->next; dom; dom = dom->next) { - - if (dom->fqnames) continue; - -#if HAVE_NEG_CACHE - ncret = nss_ncache_check_user(nctx->ncache, - nctx->neg_timeout, - dom->name, cmdctx->name); - if (ncret == ENOENT) break; - - neghit = true; -#endif - break; - } -#if HAVE_NEG_CACHE - /* reset neghit if we still have a domain to check */ - if (dom) neghit = false; - - if (neghit) { - DEBUG(2, ("User [%s] does not exist! (negative cache)\n", - cmdctx->name)); - ret = ENOENT; - } -#endif - if (dom == NULL) { - DEBUG(2, ("No matching domain found for [%s], fail!\n", - preq->pd->user)); - ret = ENOENT; - } + DEBUG(2, ("No matching domain found for [%s], fail!\n", name)); + return ENOENT; +} - if (ret == EOK) { - preq->domain = dom; - preq->data = NULL; - - DEBUG(4, ("Requesting info for [%s@%s]\n", - preq->pd->user, preq->domain->name)); - - /* When auth is requested always search the provider first, - * do not rely on cached data unless the provider is - * completely offline */ - if (NEED_CHECK_PROVIDER(preq->domain->provider) && - (preq->pd->cmd == SSS_PAM_AUTHENTICATE || - preq->pd->cmd == SSS_PAM_SETCRED)) { - - /* no need to re-check later on */ - preq->check_provider = false; - - ret = sss_dp_send_acct_req(preq->cctx->rctx, preq, - pam_check_user_dp_callback, - preq, timeout, - preq->domain->name, - false, SSS_DP_USER, - preq->pd->user, 0); - } - else { - preq->check_provider = NEED_CHECK_PROVIDER(preq->domain->provider); +static int pam_check_user_done(struct pam_auth_req *preq, int ret) +{ + switch (ret) { + case EOK: + break; - ret = sysdb_get_ctx_from_list(preq->cctx->rctx->db_list, - preq->domain, &sysdb); - if (ret != EOK) { - DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n")); - preq->pd->pam_status = PAM_SYSTEM_ERR; - pam_reply(preq); - return; - } - ret = sysdb_getpwnam(preq, sysdb, - preq->domain, preq->pd->user, - pam_check_user_callback, preq); - } - if (ret != EOK) { - DEBUG(1, ("Failed to make request to our cache!\n")); - } - } + case EAGAIN: + /* performing async request, just return */ + break; - /* we made another call, end here */ - if (ret == EOK) return; - } - else { - ret = ENOENT; - } + case ENOENT: + preq->pd->pam_status = PAM_USER_UNKNOWN; + pam_reply(preq); + break; - DEBUG(2, ("No results for check user call\n")); + default: + preq->pd->pam_status = PAM_SYSTEM_ERR; + pam_reply(preq); + break; + } -#if HAVE_NEG_CACHE - /* set negative cache only if not result of cache check */ - if (!neghit) { - ret = nss_ncache_set_user(nctx->ncache, false, - dctx->domain->name, cmdctx->name); - if (ret != EOK) { - NSS_CMD_FATAL_ERROR(cctx); - } - } -#endif + return EOK; +} - if (ret != EOK) { - if (ret == ENOENT) { - preq->pd->pam_status = PAM_USER_UNKNOWN; - } else { - preq->pd->pam_status = PAM_SYSTEM_ERR; - } - pam_reply(preq); - return; - } - break; +static void pam_check_user_dp_callback(uint16_t err_maj, uint32_t err_min, + const char *err_msg, void *ptr) +{ + struct pam_auth_req *preq = talloc_get_type(ptr, struct pam_auth_req); + int ret; - case 1: + if (err_maj) { + DEBUG(2, ("Unable to get information from Data Provider\n" + "Error: %u, %u, %s\n", + (unsigned int)err_maj, (unsigned int)err_min, err_msg)); + } - /* BINGO */ + ret = pam_check_user_search(preq); + if (ret == EOK) { pam_dom_forwarder(preq); - return; + } - default: - DEBUG(1, ("check user call returned more than one result !?!\n")); + ret = pam_check_user_done(preq, ret); + if (ret) { preq->pd->pam_status = PAM_SYSTEM_ERR; pam_reply(preq); } |