authorSumit Bose <sbose@redhat.com>2016-07-22 20:10:42 +0200
committerJakub Hrozek <jhrozek@redhat.com>2016-07-29 14:45:21 +0200
commit50a7a92f92e1584702bf25e61a50cb1c09c7e260 (patch)
treed3d33e02b08b2c119b7a9012b2e969c6ff741ba3 /src/providers/ldap
parent15694ca762f61a414f0017c57ed97a8d57456b80 (diff)
SDAP: add enterprise principal strings for user searches
Unfortunately, principal aliases with an alternative realm are stored in IPA as the string representation of an enterprise principal, i.e. name\@alt.realm@IPA.REALM. To be able to look up the alternative principal in LDAP properly, the UPN search filter is extended to search for this type of name as well. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers/ldap')
-rw-r--r--src/providers/ldap/ldap_common.h5
-rw-r--r--src/providers/ldap/ldap_id.c10
-rw-r--r--src/providers/ldap/sdap_async_initgroups.c9
-rw-r--r--src/providers/ldap/sdap_utils.c28
4 files changed, 48 insertions, 4 deletions
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index 713b1dadf..ff7ff2854 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -300,6 +300,11 @@ char *sdap_combine_filters(TALLOC_CTX *mem_ctx,
const char *base_filter,
const char *extra_filter);
+char *get_enterprise_principal_string_filter(TALLOC_CTX *mem_ctx,
+ const char *attr_name,
+ const char *princ,
+ struct dp_option *sdap_basic_opts);
+
char *sdap_get_access_filter(TALLOC_CTX *mem_ctx,
const char *base_filter);
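Review bot: The new get_enterprise_principal_string_filter() prototype carries no comment, and the two facts callers need are not conveyed by the name: the result is a talloc child of mem_ctx, and a NULL return covers both "no enterprise-principal term applies" and "allocation failed" (see the implementation in sdap_utils.c, where both paths return NULL). I would add a short block comment above the declaration describing the term it builds (`(attr=name\\@alt.realm@REALM)`), that `princ` must already be sanitized for use in an LDAP filter since the helper escapes nothing, who owns the returned string, and the conditions under which NULL comes back. The name also departs from the `sdap_` prefix of the neighbouring declarations (sdap_combine_filters, sdap_get_access_filter); `sdap_get_enterprise_principal_filter` would match the file's convention.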
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index f27759e45..fe0e219a2 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -89,6 +89,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
enum idmap_error_code err;
char *sid;
char *user_filter = NULL;
+ char *ep_filter;
req = tevent_req_create(memctx, &state, struct users_get_state);
if (!req) return NULL;
@@ -131,12 +132,17 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
if (ret != EOK) {
goto done;
}
+
+ ep_filter = get_enterprise_principal_string_filter(state,
+ ctx->opts->user_map[SDAP_AT_USER_PRINC].name,
+ clean_value, ctx->opts->basic);
/* TODO: Do we have to check the attribute names more carefully? */
- user_filter = talloc_asprintf(state, "(|(%s=%s)(%s=%s))",
+ user_filter = talloc_asprintf(state, "(|(%s=%s)(%s=%s)%s)",
ctx->opts->user_map[SDAP_AT_USER_PRINC].name,
clean_value,
ctx->opts->user_map[SDAP_AT_USER_EMAIL].name,
- clean_value);
+ clean_value,
+ ep_filter == NULL ? "" : ep_filter);
talloc_zfree(clean_value);
if (user_filter == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
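Review bot: `ep_filter == NULL ? "" : ep_filter` in the talloc_asprintf call silently drops the enterprise-principal branch whenever get_enterprise_principal_string_filter() returns NULL, and that helper returns NULL both when the term does not apply (no krb5 realm configured, no '@' in the name) and when its own talloc_asprintf fails; an out-of-memory condition therefore narrows the search instead of failing the request like the surrounding "talloc_asprintf failed" check does. Unless the helper's contract is changed to distinguish the two cases, I would at least make the degraded path visible, e.g. `if (ep_filter == NULL) DEBUG(SSSDBG_TRACE_FUNC, "No enterprise principal filter for [%s].\n", clean_value);` placed before talloc_zfree(clean_value). Note also that `clean_value` is handed to the helper as `princ` and the helper performs no escaping of its own, so this stays free of filter injection only because the value was presumably sanitized earlier in users_get_send(), outside this hunk; that dependency deserves a one-line comment at the call site.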
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 0a42b1866..702942772 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2682,7 +2682,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
int ret;
char *clean_name;
bool use_id_mapping;
- const char *search_attr;
+ const char *search_attr = NULL;
+ char *ep_filter;
DEBUG(SSSDBG_TRACE_ALL, "Retrieving info for initgroups call\n");
@@ -2743,13 +2744,17 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
return NULL;
}
+ ep_filter = get_enterprise_principal_string_filter(state,
+ state->opts->user_map[SDAP_AT_USER_PRINC].name,
+ clean_name, state->opts->basic);
state->user_base_filter =
talloc_asprintf(state,
- "(&(|(%s=%s)(%s=%s))(objectclass=%s)",
+ "(&(|(%s=%s)(%s=%s)%s)(objectclass=%s)",
state->opts->user_map[SDAP_AT_USER_PRINC].name,
clean_name,
state->opts->user_map[SDAP_AT_USER_EMAIL].name,
clean_name,
+ ep_filter == NULL ? "" : ep_filter,
state->opts->user_map[SDAP_OC_USER].name);
if (state->user_base_filter == NULL) {
talloc_zfree(req);
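Review bot: The `(|(%s=%s)(%s=%s)%s)` principal/e-mail/enterprise-principal term built here is now byte-for-byte the same text, with the same five arguments, as the one added to users_get_send() in ldap_id.c, so the next change to UPN matching has to be made in two places and can drift. I would move that fragment into a helper in sdap_utils.c, e.g. `char *sdap_get_upn_filter(TALLOC_CTX *mem_ctx, struct sdap_options *opts, const char *clean_name)` that calls get_enterprise_principal_string_filter() internally and returns the `(|...)` fragment, and have both call sites interpolate the fragment with a single `%s`. As in ldap_id.c, a NULL from get_enterprise_principal_string_filter() (including the allocation-failure case) is mapped to "" here, so the initgroups filter quietly loses its third branch rather than reporting an error. sdap_get_initgr_send() continues outside the hunk, and the `search_attr = NULL` initialisation in the earlier hunk is unrelated to the commit's subject and would be worth a word in the message.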
diff --git a/src/providers/ldap/sdap_utils.c b/src/providers/ldap/sdap_utils.c
index a3a964217..0ac3ab2e4 100644
--- a/src/providers/ldap/sdap_utils.c
+++ b/src/providers/ldap/sdap_utils.c
@@ -227,3 +227,31 @@ char *sdap_combine_filters(TALLOC_CTX *mem_ctx,
{
return sdap_combine_filters_ex(mem_ctx, '&', base_filter, extra_filter);
}
+
+char *get_enterprise_principal_string_filter(TALLOC_CTX *mem_ctx,
+ const char *attr_name,
+ const char *princ,
+ struct dp_option *sdap_basic_opts)
+{
+ const char *realm;
+ char *p;
+
+ if (attr_name == NULL || princ == NULL || sdap_basic_opts == NULL) {
+ return NULL;
+ }
+
+ realm = dp_opt_get_cstring(sdap_basic_opts, SDAP_KRB5_REALM);
+ if (realm == NULL) {
+ return NULL;
+ }
+
+ p = strchr(princ, '@');
+ if (p == NULL) {
+ return NULL;
+ }
+
+ return talloc_asprintf(mem_ctx, "(%s=%.*s\\\\@%s@%s)", attr_name,
+ (int) (p - princ),
+ princ,
+ p + 1, realm);
+}
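Review bot: get_enterprise_principal_string_filter() interpolates `princ` and `realm` into an LDAP filter with no escaping, so it is injection-safe only if every caller passes an already-sanitized principal; both call sites in this commit pass a variable named clean_value/clean_name, which suggests that, but nothing states the requirement. I would make it explicit above the function, e.g. `/* princ must already be sanitized for use in an LDAP filter; realm is taken from configuration and inserted verbatim. */`, and reject the cheap degenerate input: a name ending in '@' currently yields `name\\@@REALM`, which `if (p[1] == '\0') return NULL;` after the strchr avoids, while a name with several '@' is split at the first, which is worth a comment if intended. The backslash is emitted as the two-character sequence `\\` rather than the RFC 4515 hex form `\5c` that SSSD's filter sanitizing presumably produces elsewhere; libldap's lenient unescaping accepts `\\`, but the hex form would be consistent with the rest of the filter. Finally, NULL is returned both when no term applies and when talloc_asprintf fails, which callers cannot tell apart; returning an errno code with an out-parameter, as the surrounding sdap_* helpers tend to, would let them fail loudly on OOM.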