authorSumit Bose <sbose@redhat.com>2016-06-20 12:58:16 +0200
committerSumit Bose <sbose@redhat.com>2016-07-22 14:17:54 +0200
commit5dfb40f62fc88485265cea0a4ed51663a4fc127b (patch)
tree191e8a2ee11a186184d97aad7c22446cbc16da57
parent1b458e7c765a861f9367a23512b4c57e68bdd710 (diff)
LDAP: include email in UPN searches
-rw-r--r--src/providers/ldap/ldap_id.c18
-rw-r--r--src/providers/ldap/sdap_async_initgroups.c32
2 files changed, 40 insertions, 10 deletions
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 2fccc7e6c..f27759e45 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -127,12 +127,22 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
break;
case BE_FILTER_NAME:
if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {
- attr_name = ctx->opts->user_map[SDAP_AT_USER_PRINC].name;
-
ret = sss_filter_sanitize(state, filter_value, &clean_value);
if (ret != EOK) {
goto done;
}
+ /* TODO: Do we have to check the attribute names more carefully? */
+ user_filter = talloc_asprintf(state, "(|(%s=%s)(%s=%s))",
+ ctx->opts->user_map[SDAP_AT_USER_PRINC].name,
+ clean_value,
+ ctx->opts->user_map[SDAP_AT_USER_EMAIL].name,
+ clean_value);
+ talloc_zfree(clean_value);
+ if (user_filter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
} else {
attr_name = ctx->opts->user_map[SDAP_AT_USER_NAME].name;
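Review bot: The new filter at lines 33-37 passes `ctx->opts->user_map[SDAP_AT_USER_EMAIL].name` to a `%s` conversion without checking it for NULL; if the email attribute can be absent from the map (that depends on configuration handling outside this hunk, so this is inferred), talloc_asprintf would receive a NULL `%s` argument, which is undefined behaviour, and the same pattern is added in the sdap_get_initgr_send hunk of sdap_async_initgroups.c. The request-controlled part, `clean_value`, is already escaped by sss_filter_sanitize, so the only unescaped interpolations are the configured attribute names, and the TODO should say that instead of asking in general: `/* TODO: user_map names come from config, not from the request; confirm they are non-NULL, valid attribute descriptions before interpolation. */`. A defensive shape is to add the email clause only when that attribute name is set, as sketched below. users_get_send starts and ends outside this hunk, so whether `user_filter` and `attr_name` are initialised to NULL before the switch cannot be confirmed here.
```c
ret = sss_filter_sanitize(state, filter_value, &clean_value);
/* … unchanged: EOK check … */
if (ctx->opts->user_map[SDAP_AT_USER_EMAIL].name != NULL) {
    user_filter = talloc_asprintf(state, "(|(%s=%s)(%s=%s))",
                                  ctx->opts->user_map[SDAP_AT_USER_PRINC].name,
                                  clean_value,
                                  ctx->opts->user_map[SDAP_AT_USER_EMAIL].name,
                                  clean_value);
} else {
    /* Email attribute not configured: search the UPN attribute alone. */
    user_filter = talloc_asprintf(state, "(%s=%s)",
                                  ctx->opts->user_map[SDAP_AT_USER_PRINC].name,
                                  clean_value);
}
talloc_zfree(clean_value);
/* … unchanged: NULL check, ENOMEM, goto done … */
```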
@@ -242,8 +252,8 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
goto done;
}
- if (attr_name == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Missing search attribute name.\n");
+ if (attr_name == NULL && user_filter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Missing search attribute name or filter.\n");
ret = EINVAL;
goto done;
}
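Review bot: The relaxed condition at line 51 now encodes a two-mode invariant — the UPN branch of the BE_FILTER_NAME case fills `user_filter` and leaves `attr_name` unset, every other case fills `attr_name` — but nothing at the check states it, and the filter construction that has to prefer `user_filter` when `attr_name` is NULL lies after this hunk, so it cannot be confirmed here. Add a comment above the condition: `/* The UPN lookup builds user_filter itself; all other filter types only set attr_name. */`. users_get_send continues past the hunk on both sides.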
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 17593f0a2..0a42b1866 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2736,13 +2736,25 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
break;
case BE_FILTER_NAME:
if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {
- search_attr = state->opts->user_map[SDAP_AT_USER_PRINC].name;
ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
if (ret != EOK) {
talloc_zfree(req);
return NULL;
}
+
+ state->user_base_filter =
+ talloc_asprintf(state,
+ "(&(|(%s=%s)(%s=%s))(objectclass=%s)",
+ state->opts->user_map[SDAP_AT_USER_PRINC].name,
+ clean_name,
+ state->opts->user_map[SDAP_AT_USER_EMAIL].name,
+ clean_name,
+ state->opts->user_map[SDAP_OC_USER].name);
+ if (state->user_base_filter == NULL) {
+ talloc_zfree(req);
+ return NULL;
+ }
} else {
search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name;
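Review bot: The allocation-failure path at lines 79-82 returns NULL silently, whereas the equivalent path added to users_get_send in ldap_id.c logs `DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");` first; the two should match, and a log line here also records that it was the UPN/email filter being built. That OR clause is now composed by hand in both files with the same shape, so a small shared helper taking the attribute map and the sanitised value would keep them in step and give one place for the NULL-name check. As far as the visible lines show, `clean_name` is only read again on the non-UPN path, so if it is deliberately kept on `state` in this branch a one-line comment saying so would help the next reader. sdap_get_initgr_send continues on both sides of this hunk.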
@@ -2766,15 +2778,23 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
return NULL;
}
- state->user_base_filter =
- talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)",
- search_attr, clean_name,
- state->opts->user_map[SDAP_OC_USER].name);
- if (!state->user_base_filter) {
+ if (search_attr == NULL && state->user_base_filter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Missing search attribute name or filter.\n");
talloc_zfree(req);
return NULL;
}
+ if (state->user_base_filter == NULL) {
+ state->user_base_filter =
+ talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)",
+ search_attr, clean_name,
+ state->opts->user_map[SDAP_OC_USER].name);
+ if (!state->user_base_filter) {
+ talloc_zfree(req);
+ return NULL;
+ }
+ }
+
if (use_id_mapping) {
/* When mapping IDs or looking for SIDs, we don't want to limit
* ourselves to users with a UID value. But there must be a SID to map