From 55d21766613d11646da3e2e7df69ca02c03ee053 Mon Sep 17 00:00:00 2001 From: Jan Zeleny Date: Wed, 14 Mar 2012 05:29:45 -0400 Subject: Detect subdomain request in IPA access provider --- src/providers/ipa/ipa_access.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c index b03a37f05..d7ded884f 100644 --- a/src/providers/ipa/ipa_access.c +++ b/src/providers/ipa/ipa_access.c @@ -85,6 +85,16 @@ void ipa_access_handler(struct be_req *be_req) be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data, struct ipa_access_ctx); + if (strcasecmp(pd->domain, be_req->be_ctx->domain->name) != 0) { + be_req->domain = new_subdomain(be_req, be_req->be_ctx->domain, pd->domain, NULL, NULL); + if (be_req->domain == NULL) { + DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n")); + be_req->fn(be_req, DP_ERR_FATAL, PAM_SYSTEM_ERR, NULL); + return; + } + be_req->sysdb = be_req->domain->sysdb; + } + /* First, verify that this account isn't locked. * We need to do this in case the auth phase was * skipped (such as during GSSAPI single-sign-on -- cgit