author | Sumit Bose <sbose@redhat.com> | 2016-02-10 14:59:06 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2016-04-13 10:43:18 +0200 |
commit | 63b8e826f62d2e8930c872de7d4cc8b5bc15d4a4 (patch) | |
tree | afdc2fb931b8233671a9c79fd9245d65fc971bff /src/providers/ad/ad_id.c | |
parent | 28f336bdb32db0b89cb98174a3f8e308e4e928db (diff) | |
AD: process PAC during initgroups request
If there is a recently attached PAC blob in the cached user entry the
PAC data is used to update the group memberships data of the user. If
there is no PAC attached or if it is too old the other configured
methods will be used.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Diffstat (limited to 'src/providers/ad/ad_id.c')
-rw-r--r-- | src/providers/ad/ad_id.c | 52 |
1 files changed, 44 insertions, 8 deletions
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
index 9832aea97..c464fa948 100644
--- a/src/providers/ad/ad_id.c
+++ b/src/providers/ad/ad_id.c
@@ -24,6 +24,7 @@
 #include "providers/ad/ad_common.h"
 #include "providers/ad/ad_id.h"
 #include "providers/ad/ad_domain_info.h"
+#include "providers/ad/ad_pac.h"
 #include "providers/ldap/sdap_async_enum.h"
 #include "providers/ldap/sdap_idmap.h"
@@ -57,6 +58,7 @@ struct ad_handle_acct_info_state {
 struct sdap_domain *sdom;
 size_t cindex;
 struct ad_options *ad_options;
+ bool using_pac;
 int dp_error;
 const char *err;
@@ -117,10 +119,12 @@ immediate:
 static errno_t
 ad_handle_acct_info_step(struct tevent_req *req)
 {
- struct tevent_req *subreq;
+ struct tevent_req *subreq = NULL;
 struct ad_handle_acct_info_state *state = tevent_req_data(req, struct ad_handle_acct_info_state);
 bool noexist_delete = false;
+ struct ldb_message *msg;
+ int ret;
 if (state->conn[state->cindex] == NULL) {
 return EOK;
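Review bot: `msg` is declared without an initializer in ad_handle_acct_info_step, while `subreq` two lines above gains `= NULL` in the same change. The next hunk only reads `msg` when `check_if_pac_is_available` returns EOK, so the code relies on that helper always setting the out-parameter on success; its contract is not visible here. Declaring it as `struct ldb_message *msg = NULL;` would make a broken contract show up as a NULL pointer rather than an indeterminate one. The function body continues past the end of this hunk.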
@@ -130,14 +134,42 @@ ad_handle_acct_info_step(struct tevent_req *req)
 noexist_delete = true;
 }
- subreq = sdap_handle_acct_req_send(state, state->ctx->be,
- state->ar, state->ctx,
- state->sdom,
- state->conn[state->cindex],
- noexist_delete);
+
+ state->using_pac = false;
+ if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) {
+ ret = check_if_pac_is_available(state, state->sdom->dom,
+ state->ar, &msg);
+
+ if (ret == EOK) {
+ /* evaluate PAC */
+ state->using_pac = true;
+ subreq = ad_handle_pac_initgr_send(state, state->ctx->be,
+ state->ar, state->ctx,
+ state->sdom,
+ state->conn[state->cindex],
+ noexist_delete,
+ msg);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ad_handle_pac_initgr_send failed.\n");
+ return ENOMEM;
+ }
+
+ }
+
+ /* Fall through if there is no PAC or any other error */
+ }
+
 if (subreq == NULL) {
- return ENOMEM;
+ subreq = sdap_handle_acct_req_send(state, state->ctx->be,
+ state->ar, state->ctx,
+ state->sdom,
+ state->conn[state->cindex],
+ noexist_delete);
+ if (subreq == NULL) {
+ return ENOMEM;
+ }
 }
+
 tevent_req_set_callback(subreq, ad_handle_acct_info_done, req);
 return EAGAIN;
 }
@@ -154,7 +186,11 @@ ad_handle_acct_info_done(struct tevent_req *subreq)
 struct ad_handle_acct_info_state *state = tevent_req_data(req, struct ad_handle_acct_info_state);
- ret = sdap_handle_acct_req_recv(subreq, &dp_error, &err, &sdap_err);
+ if (state->using_pac) {
+ ret = ad_handle_pac_initgr_recv(subreq, &dp_error, &err, &sdap_err);
+ } else {
+ ret = sdap_handle_acct_req_recv(subreq, &dp_error, &err, &sdap_err);
+ }
 if (dp_error == DP_ERR_OFFLINE && state->conn[state->cindex+1] != NULL && state->conn[state->cindex]->ignore_mark_offline) { |
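Review bot: Every non-EOK result of `check_if_pac_is_available` is dropped without a log line, so a genuine failure (presumably a cache lookup or allocation error) cannot be told apart from "no PAC attached", and the request silently switches to the LDAP path. Because this branch decides which source supplies the user's group memberships, the fallback deserves a trace, e.g. `DEBUG(SSSDBG_TRACE_FUNC, "PAC not used [%d]: %s\n", ret, sss_strerror(ret));` placed before the fall-through comment. A short comment stating where the cached PAC blob was validated and how its age is bounded would also help, since neither is visible in this hunk. The function starts outside the hunk.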
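Review bot: The offline-retry test directly after the new if/else reads `dp_error`, so `ad_handle_pac_initgr_recv` has to set `dp_error`, `err` and `sdap_err` on every path, including failures, just as `sdap_handle_acct_req_recv` is expected to; the declarations and any initial values are outside this hunk. I would add a comment above the branch such as `/* using_pac is set in ad_handle_acct_info_step and selects the matching _recv for this subreq */`, and document the `using_pac` struct field the same way. It is also worth stating whether a PAC processing error is meant to fail the request or fall back to LDAP, as the commit message only promises fallback for a missing or too-old PAC. The body of ad_handle_acct_info_done continues beyond the hunk.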