authorJakub Hrozek <jhrozek@redhat.com>2013-04-11 09:18:56 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-04-15 15:03:45 +0200
commit4f57212955827a9062b150c768e8a0c2fb613193 (patch)
tree7a584c3f71b8b383013d8ed2020825626cd90f02 /src
parente495127f6abb40b74e23db9e37ff08247008a543 (diff)
Fix simple access group control in case-insensitive domains
https://fedorahosted.org/sssd/ticket/1880

In the simple access provider, we need to canonicalize user names only when comparing with values in the ACL, not when searching the cache. The sysdb searches might do a base search with a DN constructed with the username, which fails if the username is lower case.
Diffstat (limited to 'src')
-rw-r--r--src/providers/simple/simple_access_check.c25
-rw-r--r--src/tests/simple_access-tests.c4
2 files changed, 11 insertions, 18 deletions
diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c
index a9e8f632e..d490328b0 100644
--- a/src/providers/simple/simple_access_check.c
+++ b/src/providers/simple/simple_access_check.c
@@ -90,8 +90,8 @@ simple_check_users(struct simple_ctx *ctx, const char *username,
}
static errno_t
-simple_check_groups(struct simple_ctx *ctx, const char *username,
- const char **group_names, bool *access_granted)
+simple_check_groups(struct simple_ctx *ctx, const char **group_names,
+ bool *access_granted)
{
bool matched;
int i, j;
@@ -356,7 +356,6 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
struct ldb_message **groups;
int i;
gid_t gid;
- char *cname;
req = tevent_req_create(mem_ctx, &state,
struct simple_check_groups_state);
@@ -365,18 +364,12 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
state->ev = ev;
state->ctx = ctx;
- cname = sss_get_cased_name(state, username, ctx->domain->case_sensitive);
- if (!cname) {
- ret = ENOMEM;
- goto done;
- }
-
- DEBUG(SSSDBG_TRACE_LIBS, ("Looking up groups for user %s\n", cname));
+ DEBUG(SSSDBG_TRACE_LIBS, ("Looking up groups for user %s\n", username));
ret = sysdb_search_user_by_name(state, ctx->domain->sysdb,
- cname, attrs, &user);
+ username, attrs, &user);
if (ret == ENOENT) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("No such user %s\n", cname));
+ DEBUG(SSSDBG_MINOR_FAILURE, ("No such user %s\n", username));
goto done;
} else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
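Review bot: The call `sysdb_search_user_by_name(state, ctx->domain->sysdb, username, attrs, &user)` now depends on the caller passing the name in exactly the form stored in the cache, and nothing in the hunk records that. A short comment above the call would keep a later change from re-adding the lowercasing, for example `/* Do not canonicalize here: sysdb may base-search a DN built from the name */`. Because this is an access-control path, it is also worth confirming that the `ENOENT` branch ends in an error or denial rather than an empty group list, since an empty list would presumably never match `deny_groups`. The `done:` label and the rest of simple_check_get_groups_send are outside the hunk, so this cannot be checked from here.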
@@ -394,7 +387,7 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_TRACE_FUNC,
("User %s is a member of %d supplemental groups\n",
- cname, group_count));
+ username, group_count));
/* One extra space for terminator, one extra space for private group */
state->group_names = talloc_zero_array(state, const char *, group_count + 2);
@@ -420,7 +413,7 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
gid = ldb_msg_find_attr_as_uint64(user, SYSDB_GIDNUM, 0);
if (!gid) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("User %s has no gid?\n", cname));
+ DEBUG(SSSDBG_MINOR_FAILURE, ("User %s has no gid?\n", username));
ret = EINVAL;
goto done;
}
@@ -694,8 +687,8 @@ static void simple_access_check_done(struct tevent_req *subreq)
return;
}
- ret = simple_check_groups(state->ctx, state->username,
- state->group_names, &state->access_granted);
+ ret = simple_check_groups(state->ctx, state->group_names,
+ &state->access_granted);
if (ret != EOK) {
tevent_req_error(req, ret);
return;
diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
index ab2612db8..3501553bd 100644
--- a/src/tests/simple_access-tests.c
+++ b/src/tests/simple_access-tests.c
@@ -481,7 +481,7 @@ START_TEST(test_group_case)
test_ctx->ctx->deny_groups = NULL;
req = simple_access_check_send(test_ctx, test_ctx->ev,
- test_ctx->ctx, "U1");
+ test_ctx->ctx, "u1");
fail_unless(test_ctx != NULL, "Cannot create request\n");
tevent_req_set_callback(req, simple_access_check_done, test_ctx);
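Review bot: Both calls in test_group_case now pass `"u1"` (here and in the hunk at -496), so the test no longer covers a login name whose case differs from the cached entry, which is the situation a case-insensitive domain has to handle. Consider keeping a separate case that sends `"U1"` with `case_sensitive = false` and asserts the expected result explicitly, so the behaviour for a non-canonical name is pinned rather than left implicit. Separately, the context line `fail_unless(test_ctx != NULL, ...)` after each call checks `test_ctx` rather than `req`, so a failed `simple_access_check_send` would not be caught there; `fail_unless(req != NULL, "Cannot create request\n");` looks like the intent.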
@@ -496,7 +496,7 @@ START_TEST(test_group_case)
test_ctx->ctx->domain->case_sensitive = false;
req = simple_access_check_send(test_ctx, test_ctx->ev,
- test_ctx->ctx, "U1");
+ test_ctx->ctx, "u1");
fail_unless(test_ctx != NULL, "Cannot create request\n");
tevent_req_set_callback(req, simple_access_check_done, test_ctx);