authorSumit Bose <sbose@redhat.com>2016-04-06 11:15:32 +0200
committerLukas Slebodnik <lslebodn@redhat.com>2016-06-09 16:12:25 +0200
commita1210c8db81a1cc0b45eb62a8450abcdea3afc7b (patch)
tree91a6def945dccbee7059ad35ed3d474d12637377
parentcdc3e9dc42e13f01d8e2623e92dd046a5bb169f1 (diff)
ipa: add support for certificate overrides
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r--src/providers/ipa/ipa_common.h1
-rw-r--r--src/providers/ipa/ipa_opts.c1
-rw-r--r--src/providers/ipa/ipa_subdomains_id.c6
-rw-r--r--src/providers/ipa/ipa_views.c25
4 files changed, 33 insertions, 0 deletions
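diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index d1688bb6a..51de819c8 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -129,6 +129,7 @@ enum ipa_override_attrs {
 IPA_AT_OVERRIDE_GROUP_NAME,
 IPA_AT_OVERRIDE_GROUP_GID_NUMBER,
 IPA_AT_OVERRIDE_USER_SSH_PUBLIC_KEY,
+ IPA_AT_OVERRIDE_USER_CERT,
 IPA_OPTS_OVERRIDE
 };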
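diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c
index 5b0b44e24..a0c318a51 100644
--- a/src/providers/ipa/ipa_opts.c
+++ b/src/providers/ipa/ipa_opts.c
@@ -289,6 +289,7 @@ struct sdap_attr_map ipa_override_map[] = {
 { "ldap_group_name", "cn", SYSDB_NAME, NULL },
 { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
 { "ldap_user_ssh_public_key", "ipaSshPubKey", SYSDB_SSH_PUBKEY, NULL },
+ { "ldap_user_certificate", "userCertificate;binary", SYSDB_USER_CERT, NULL },
 SDAP_ATTR_MAP_TERMINATOR
 };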
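diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index f98f8bf8e..e8dd82446 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -402,6 +402,7 @@ struct tevent_req *ipa_get_subdom_acct_send(TALLOC_CTX *memctx,
 case BE_REQ_USER:
 case BE_REQ_GROUP:
 case BE_REQ_BY_SECID:
+ case BE_REQ_BY_CERT:
 case BE_REQ_USER_AND_GROUP:
 ret = EOK;
 break;
@@ -526,6 +527,11 @@ static void ipa_get_subdom_acct_connected(struct tevent_req *subreq)
 return;
 }
 break;
+ case BE_FILTER_CERT:
+ DEBUG(SSSDBG_OP_FAILURE, "Lookup by certificate not supported yet.\n");
+ state->dp_error = dp_error;
+ tevent_req_error(req, EINVAL);
+ return;
 default:
 DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain filter type.\n");
 state->dp_error = dp_error;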
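Review bot: In ipa_get_subdom_acct_connected the new `BE_FILTER_CERT` case fails with `EINVAL`, the same code the `default` branch returns for a genuinely invalid filter type, so a caller cannot distinguish "lookup by certificate is not implemented" from a malformed request; `tevent_req_error(req, ENOTSUP);` would keep the two apart and make the "not supported yet" message match the error actually reported. The unsupported case is also only reached after the LDAP connection has been set up, while `BE_REQ_BY_CERT` is accepted unconditionally in ipa_get_subdom_acct_send in the first hunk; if nothing that runs before this switch needs the connection for a certificate request, rejecting the filter type in _send would avoid a server round-trip that is known in advance to end in failure. Both enclosing functions start and end outside the hunks, so whether the connection is needed earlier cannot be confirmed from here.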
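diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c
index 00dcbeb75..76528a60c 100644
--- a/src/providers/ipa/ipa_views.c
+++ b/src/providers/ipa/ipa_views.c
@@ -24,6 +24,7 @@
 #include "util/util.h"
 #include "util/strtonum.h"
+#include "util/cert.h"
 #include "providers/ldap/sdap_async.h"
 #include "providers/ipa/ipa_id.h"
@@ -35,6 +36,8 @@ static errno_t be_acct_req_to_override_filter(TALLOC_CTX *mem_ctx,
 char *filter;
 uint32_t id;
 char *endptr;
+ char *cert_filter;
+ int ret;
 switch (ar->filter_type) {
 case BE_FILTER_NAME:
@@ -140,6 +143,28 @@ static errno_t be_acct_req_to_override_filter(TALLOC_CTX *mem_ctx,
 }
 break;
+ case BE_FILTER_CERT:
+ if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_BY_CERT) {
+ ret = sss_cert_derb64_to_ldap_filter(mem_ctx, ar->filter_value,
+ ipa_opts->override_map[IPA_AT_OVERRIDE_USER_CERT].name,
+ &cert_filter);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_cert_derb64_to_ldap_filter failed.\n");
+ return ret;
+ }
+ filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)%s)",
+ ipa_opts->override_map[IPA_OC_OVERRIDE_USER].name,
+ cert_filter);
+ talloc_free(cert_filter);
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected entry type [%d] for certificate filter.\n",
+ ar->entry_type);
+ return EINVAL;
+ }
+ break;
+
 default:
 DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain filter type.\n");
 return EINVAL;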
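Review bot: The `BE_FILTER_CERT` case in be_acct_req_to_override_filter splices `cert_filter` into an LDAP search filter, and the input it is derived from, `ar->filter_value`, originates in a client request, so the safety of the resulting search rests entirely on `sss_cert_derb64_to_ldap_filter` returning the certificate bytes in RFC 4515 escaped form rather than the caller's string verbatim; a comment at the call, `/* cert_filter is the decoded DER, hex-escaped for use inside an LDAP filter; filter_value itself is never inserted */`, would make that contract visible to the next reader and flag the helper as the place where the escaping must hold. The `talloc_asprintf` result is not checked within the case; the preceding case ends with the same `}` `break;` shape, so presumably a shared NULL check on `filter` follows the switch — worth confirming, as the hunk ends before it. The third hunk's `filter_value` is also the only path in this function that goes through a conversion helper, which is why the escaping note belongs here and not on the other cases. be_acct_req_to_override_filter starts before the second hunk and continues after the third.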