summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2012-11-16 20:25:43 +0000
committerJakub Hrozek <jhrozek@redhat.com>2012-11-19 15:31:00 +0100
commit6ee65c5580ef25c72b29fb73ea4d9ace6b7e85c5 (patch)
tree5e91e9559bf46b0fac346b9156149f8fb0092aee /src
parent9342c9bfb794bde7c54928d73cb41d33e3b4917f (diff)
downloadsssd-6ee65c5580ef25c72b29fb73ea4d9ace6b7e85c5.tar.gz
sssd-6ee65c5580ef25c72b29fb73ea4d9ace6b7e85c5.tar.xz
sssd-6ee65c5580ef25c72b29fb73ea4d9ace6b7e85c5.zip
Do not save HBAC rules in subdomain subtree
Currently the sysdb context is pointed to the subdomain subtree containing user the user to be checked at the beginning of a HBAC request. As a result all HBAC rules and related data is save in the subdomain tree as well. But since the HBAC rules of the configured domain apply to all users it is sufficient to save them once in the subtree of the configured domain. Since most of the sysdb operations during a HBAC request are related to the HBAC rules and related data this patch does not change the default sysdb context but only create a special context to look up subdomain users.
Diffstat (limited to 'src')
-rw-r--r--src/providers/ipa/ipa_access.c10
-rw-r--r--src/providers/ipa/ipa_hbac_common.c19
-rw-r--r--src/providers/ldap/sdap_access.c19
3 files changed, 32 insertions, 16 deletions
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 5c97575fc..3a34864c4 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -85,16 +85,6 @@ void ipa_access_handler(struct be_req *be_req)
be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
struct ipa_access_ctx);
- if (strcasecmp(pd->domain, be_req->be_ctx->domain->name) != 0) {
- be_req->domain = new_subdomain(be_req, be_req->be_ctx->domain, pd->domain, NULL, NULL);
- if (be_req->domain == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
- be_req->fn(be_req, DP_ERR_FATAL, PAM_SYSTEM_ERR, NULL);
- return;
- }
- be_req->sysdb = be_req->domain->sysdb;
- }
-
/* First, verify that this account isn't locked.
* We need to do this in case the auth phase was
* skipped (such as during GSSAPI single-sign-on
diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index 54628d80b..33d1944ee 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -440,6 +440,7 @@ hbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain = hbac_ctx_be(hbac_ctx)->domain;
const char *rhost;
const char *thost;
+ struct sss_domain_info *user_dom;
tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) return ENOMEM;
@@ -452,9 +453,21 @@ hbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
eval_req->request_time = time(NULL);
- /* Get user the user name and groups */
- ret = hbac_eval_user_element(eval_req, sysdb,
- pd->user, &eval_req->user);
+ /* Get user the user name and groups,
+ * take care of subdomain users as well */
+ if (strcasecmp(pd->domain, domain->name) != 0) {
+ user_dom = new_subdomain(tmp_ctx, domain, pd->domain, NULL, NULL);
+ if (user_dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+ ret = hbac_eval_user_element(eval_req, user_dom->sysdb,
+ pd->user, &eval_req->user);
+ } else {
+ ret = hbac_eval_user_element(eval_req, sysdb,
+ pd->user, &eval_req->user);
+ }
if (ret != EOK) goto done;
/* Get the PAM service and service groups */
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 88b52e26b..b198e0435 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -139,6 +139,7 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
struct tevent_req *req;
struct ldb_result *res;
const char *attrs[] = { "*", NULL };
+ struct sss_domain_info *user_dom;
req = tevent_req_create(mem_ctx, &state, struct sdap_access_req_ctx);
if (req == NULL) {
@@ -162,9 +163,21 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
goto done;
}
- /* Get original user DN */
- ret = sysdb_get_user_attr(state, be_req->sysdb,
- pd->user, attrs, &res);
+ /* Get original user DN, take care of subdomain users as well */
+ if (strcasecmp(pd->domain, be_req->be_ctx->domain->name) != 0) {
+ user_dom = new_subdomain(state, be_req->be_ctx->domain, pd->domain,
+ NULL, NULL);
+ if (user_dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+ ret = sysdb_get_user_attr(state, user_dom->sysdb,
+ pd->user, attrs, &res);
+ } else {
+ ret = sysdb_get_user_attr(state, be_req->sysdb,
+ pd->user, attrs, &res);
+ }
if (ret != EOK) {
if (ret == ENOENT) {
/* If we can't find the user, return permission denied */