-rw-r--r--src/providers/ad/ad_init.c22
-rw-r--r--src/providers/ldap/ldap_common.c19
-rw-r--r--src/providers/ldap/ldap_common.h3
-rw-r--r--src/providers/ldap/ldap_init.c24
4 files changed, 49 insertions, 19 deletions
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index c829cc861..d744c2a05 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -366,6 +366,7 @@ sssm_ad_access_init(struct be_ctx *bectx,
errno_t ret;
struct ad_access_ctx *access_ctx;
struct ad_id_ctx *ad_id_ctx;
+ const char *filter;
access_ctx = talloc_zero(bectx, struct ad_access_ctx);
if (!access_ctx) return ENOMEM;
@@ -392,10 +393,27 @@ sssm_ad_access_init(struct be_ctx *bectx,
ret = ENOMEM;
goto fail;
}
-
access_ctx->sdap_access_ctx->id_ctx = access_ctx->sdap_ctx;
+
+ /* If ad_access_filter is set, the value of ldap_acess_order is
+ * expire, filter, otherwise only expire
+ */
access_ctx->sdap_access_ctx->access_rule[0] = LDAP_ACCESS_EXPIRE;
- access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EMPTY;
+ filter = dp_opt_get_cstring(access_ctx->ad_options, AD_ACCESS_FILTER);
+ if (filter != NULL) {
+ access_ctx->sdap_access_ctx->filter = sdap_get_access_filter(
+ access_ctx->sdap_access_ctx,
+ filter);
+ if (access_ctx->sdap_access_ctx->filter == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_FILTER;
+ access_ctx->sdap_access_ctx->access_rule[2] = LDAP_ACCESS_EMPTY;
+ } else {
+ access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EMPTY;
+ }
*ops = &ad_access_ops;
*pvt_data = access_ctx;
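Review bot: The new branch writes `access_rule[2]`, one slot beyond what this function used before, and the declaration of `access_rule` is not in the hunk; confirm the array in `struct sdap_access_ctx` has at least three entries (presumably sized by the LDAP_ACCESS_* enum) or this is an out-of-bounds write inside the access provider's context. The added comment also misspells the option and names an LDAP option the AD provider does not expose; I would write it as `/* With ad_access_filter set the rule order is the equivalent of ldap_access_order = "expire, filter"; otherwise only "expire". */`. If `dp_opt_get_cstring` can return an empty string for a value set to nothing, the `filter != NULL` test lets it through and `sdap_get_access_filter` turns it into the invalid filter `()`, so `if (filter != NULL && filter[0] != '\0')` is the safer guard. sssm_ad_access_init continues outside this hunk.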
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
index 89786fa49..d4d171de1 100644
--- a/src/providers/ldap/ldap_common.c
+++ b/src/providers/ldap/ldap_common.c
@@ -1745,6 +1745,25 @@ char *sdap_get_id_specific_filter(TALLOC_CTX *mem_ctx,
return filter; /* NULL or not */
}
+char *sdap_get_access_filter(TALLOC_CTX *mem_ctx,
+ const char *base_filter)
+{
+ char *filter = NULL;
+
+ if (base_filter == NULL) return NULL;
+
+ if (base_filter[0] == '(') {
+ /* This filter is wrapped in parentheses.
+ * Pass it as-is to the openldap libraries.
+ */
+ filter = talloc_strdup(mem_ctx, base_filter);
+ } else {
+ filter = talloc_asprintf(mem_ctx, "(%s)", base_filter);
+ }
+
+ return filter;
+}
+
errno_t
sdap_attrs_get_sid_str(TALLOC_CTX *mem_ctx,
struct sdap_idmap_ctx *idmap_ctx,
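Review bot: The function has no header comment, and its contract matters to both callers, which treat a NULL return as ENOMEM: it also returns NULL for a NULL `base_filter`, and an empty `base_filter` is not rejected but becomes `()`, which is not a well-formed filter and would make every access check fail at search time. I would document it as `/* Return a copy of base_filter, allocated on mem_ctx, wrapped in parentheses unless it already starts with one. Returns NULL for a NULL base_filter or on allocation failure; callers cannot tell the two apart, so pass a non-NULL filter. */`, and note that the leading-'(' check is only a heuristic: a value such as `(a=b)(c=d)` is passed through unwrapped.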
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index fb9a34c60..0bd6c9cc2 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -261,6 +261,9 @@ char *sdap_get_id_specific_filter(TALLOC_CTX *mem_ctx,
const char *base_filter,
const char *extra_filter);
+char *sdap_get_access_filter(TALLOC_CTX *mem_ctx,
+ const char *base_filter);
+
errno_t msgs2attrs_array(TALLOC_CTX *mem_ctx, size_t count,
struct ldb_message **msgs,
struct sysdb_attrs ***attrs);
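Review bot: The new prototype lands without a comment, while the function's ownership and NULL semantics are what callers need to get right; I would add above it `/* Wrap base_filter in parentheses unless it already starts with one; result is talloc'd on mem_ctx, NULL on NULL input or allocation failure. */`.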
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index 341338ca4..17874b132 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -341,7 +341,7 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
access_ctx->access_rule[c] = LDAP_ACCESS_FILTER;
filter = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic,
- SDAP_ACCESS_FILTER);
+ SDAP_ACCESS_FILTER);
if (filter == NULL) {
/* It's okay if this is NULL. In that case we will simply act
* like the 'deny' provider.
@@ -349,24 +349,14 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
DEBUG(0, ("Warning: LDAP access rule 'filter' is set, "
"but no ldap_access_filter configured. "
"All domain users will be denied access.\n"));
- }
- else {
- if (filter[0] == '(') {
- /* This filter is wrapped in parentheses.
- * Pass it as-is to the openldap libraries.
- */
- access_ctx->filter = filter;
- }
- else {
- /* Add parentheses around the filter */
- access_ctx->filter = talloc_asprintf(access_ctx, "(%s)", filter);
- if (access_ctx->filter == NULL) {
- ret = ENOMEM;
- goto done;
- }
+ } else {
+ access_ctx->filter = sdap_get_access_filter(access_ctx,
+ filter);
+ if (access_ctx->filter == NULL) {
+ ret = ENOMEM;
+ goto done;
}
}
-
} else if (strcasecmp(order_list[c], LDAP_ACCESS_EXPIRE_NAME) == 0) {
access_ctx->access_rule[c] = LDAP_ACCESS_EXPIRE;
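Review bot: The else branch now hands any non-NULL `filter` to `sdap_get_access_filter`, and only a NULL value reaches the "All domain users will be denied access" warning above it; if `dp_opt_get_cstring` can return an empty string for `ldap_access_filter = ` (I cannot tell from this hunk), that value becomes the filter `()` and the provider fails at search time with no configuration warning. Changing the test to `if (filter == NULL || filter[0] == '\0') {` routes the empty case through the existing warning and deny behaviour. The rest is a faithful move of the old parenthesis logic into the helper, with the filter now copied onto `access_ctx` rather than aliased from the option. sssm_ldap_access_init starts and ends outside this hunk.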