From 0b23970978de5c1088a5dbdd6012800b4db94572 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Sun, 6 Oct 2013 20:23:07 +0200
Subject: LDAP: Amend sdap_access_check to allow any connection
Related: https://fedorahosted.org/sssd/ticket/2082
Also move the check for subdomain to the handler. I think it is the job of the handler to decide which domain the request belongs to, not the request itself.
---
 src/providers/ldap/ldap_access.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
(limited to 'src/providers/ldap/ldap_access.c')
diff --git a/src/providers/ldap/ldap_access.c b/src/providers/ldap/ldap_access.c
index bb5c37f44..b3920b7ac 100644
--- a/src/providers/ldap/ldap_access.c
+++ b/src/providers/ldap/ldap_access.c
@@ -49,6 +49,7 @@ void sdap_pam_access_handler(struct be_req *breq)
 struct pam_data *pd;
 struct tevent_req *req;
 struct sdap_access_ctx *access_ctx;
+ struct sss_domain_info *dom;
 pd = talloc_get_type(be_req_get_data(breq), struct pam_data);
@@ -56,8 +57,16 @@ void sdap_pam_access_handler(struct be_req *breq)
 talloc_get_type(be_ctx->bet_info[BET_ACCESS].pvt_bet_data, struct sdap_access_ctx);
+ dom = be_ctx->domain;
+ if (strcasecmp(pd->domain, be_ctx->domain->name) != 0) {
+ /* Subdomain request, verify subdomain */
+ dom = find_subdomain_by_name(be_ctx->domain, pd->domain, true);
+ }
+
 req = sdap_access_send(breq, be_ctx->ev, be_ctx,
- be_ctx->domain, access_ctx, pd);
+ dom, access_ctx,
+ access_ctx->id_ctx->conn,
+ pd);
 if (req == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to start sdap_access request\n"));
 sdap_access_reply(breq, PAM_SYSTEM_ERR);
--
cgit
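Review bot: The result of `find_subdomain_by_name()` in the second hunk is handed to `sdap_access_send()` as `dom` without a NULL check. `pd->domain` comes from the PAM request, so a name that matches neither the parent domain nor a known subdomain presumably leaves `dom` NULL (the helper's contract is not visible here), and the access decision then depends on how the callee treats a NULL domain. An access handler should fail closed at this point: directly after the lookup add `if (dom == NULL) { sdap_access_reply(breq, PAM_SYSTEM_ERR); return; }`, ideally preceded by a `DEBUG` line naming the rejected domain. The body of `sdap_pam_access_handler` begins and ends outside the hunk, so confirm that a plain `return` matches how the existing `req == NULL` error path exits.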