From 94a66f84bd3c28fcabffeb84c682dccf89d89c2b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 16 Nov 2012 20:25:43 +0000
Subject: Do not save HBAC rules in subdomain subtree

Currently the sysdb context is pointed to the subdomain subtree
containing user the user to be checked at the beginning of a HBAC
request. As a result all HBAC rules and related data is save in the
subdomain tree as well. But since the HBAC rules of the configured
domain apply to all users it is sufficient to save them once in the
subtree of the configured domain.

Since most of the sysdb operations during a HBAC request are related to
the HBAC rules and related data this patch does not change the default
sysdb context but only create a special context to look up subdomain
users.
---
 src/providers/ldap/sdap_access.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

(limited to 'src/providers/ldap')

diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 88b52e26b..b198e0435 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -139,6 +139,7 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
     struct tevent_req *req;
     struct ldb_result *res;
     const char *attrs[] = { "*", NULL };
+    struct sss_domain_info *user_dom;
 
     req = tevent_req_create(mem_ctx, &state, struct sdap_access_req_ctx);
     if (req == NULL) {
@@ -162,9 +163,21 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
-    /* Get original user DN */
-    ret = sysdb_get_user_attr(state, be_req->sysdb,
-                              pd->user, attrs, &res);
+    /* Get original user DN, take care of subdomain users as well */
+    if (strcasecmp(pd->domain, be_req->be_ctx->domain->name) != 0) {
+        user_dom = new_subdomain(state, be_req->be_ctx->domain, pd->domain,
+                                 NULL, NULL);
+        if (user_dom == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
+            ret = ENOMEM;
+            goto done;
+        }
+        ret = sysdb_get_user_attr(state, user_dom->sysdb,
+                                  pd->user, attrs, &res);
+    } else {
+        ret = sysdb_get_user_attr(state, be_req->sysdb,
+                                  pd->user, attrs, &res);
+    }
     if (ret != EOK) {
         if (ret == ENOENT) {
             /* If we can't find the user, return permission denied */
-- 
cgit