diff options
| author | Sumit Bose <sbose@redhat.com> | 2015-01-22 21:20:25 +0100 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-01-26 23:41:13 +0100 |
| commit | 63748c69a2c6785d949c82f94749704e0408e5a7 (patch) | |
| tree | 68b843753dba9485c9edf0a613d6f3555e71806c /src/providers/ipa/ipa_subdomains_id.c | |
| parent | e438fbf102c3d787902504bdae177e84230cbbc9 (diff) | |
| download | sssd-63748c69a2c6785d949c82f94749704e0408e5a7.tar.gz sssd-63748c69a2c6785d949c82f94749704e0408e5a7.tar.xz sssd-63748c69a2c6785d949c82f94749704e0408e5a7.zip | |
IPA: resolve IPA group-memberships for AD users
So far only for initgroups requests the IPA group memberships where
resolved for AD users and due to
6fac5e5f0c54a0f92872ce1450606cfcb577a920 those memberships are not
overridden by other request. But it turned out that the originalMemberOf
attributes related to the IPA group memberships can be overridden by
user lookups. Since the originalMemberOf attribute is important in the
HBAC evaluation this patch makes sure that the originalMemberOf
attribute is not removed but updated during user lookups.
Related to https://fedorahosted.org/sssd/ticket/2560
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers/ipa/ipa_subdomains_id.c')
| -rw-r--r-- | src/providers/ipa/ipa_subdomains_id.c | 44 |
1 files changed, 42 insertions, 2 deletions
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c index 79285548d..c8714a216 100644 --- a/src/providers/ipa/ipa_subdomains_id.c +++ b/src/providers/ipa/ipa_subdomains_id.c @@ -1099,6 +1099,8 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req) struct ipa_get_ad_acct_state); errno_t ret; struct tevent_req *subreq; + const char *obj_name; + int entry_type; if (state->override_attrs != NULL) { /* We are in ipa-server-mode, so the view is the default view by @@ -1112,13 +1114,51 @@ static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req) } } - if ((state->ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_INITGROUPS) { + entry_type = (state->ar->entry_type & BE_REQ_TYPE_MASK); + if (entry_type != BE_REQ_INITGROUPS + && entry_type != BE_REQ_USER + && entry_type != BE_REQ_BY_SECID) { tevent_req_done(req); return EOK; } + /* Replace ID with name in search filter */ + if ((entry_type == BE_REQ_USER && state->ar->filter_type == BE_FILTER_IDNUM) + || entry_type == BE_REQ_BY_SECID) { + if (state->obj_msg == NULL) { + ret = get_object_from_cache(state, state->obj_dom, state->ar, + &state->obj_msg); + if (ret == ENOENT) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Object not found, ending request\n"); + tevent_req_done(req); + return EOK; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_object_from_cache failed.\n"); + return ret; + } + } + + obj_name = ldb_msg_find_attr_as_string(state->obj_msg, SYSDB_NAME, + NULL); + if (obj_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cached object has no name.\n"); + return EINVAL; + } + + state->ar->filter_value = talloc_strdup(state->ar, obj_name); + if (state->ar->filter_value == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + return ENOMEM; + } + state->ar->filter_type = BE_FILTER_NAME; + state->ar->entry_type = BE_REQ_USER; + } + + /* For initgroups request we have to check IPA group memberships of AD - * users. */ + * users. This has to be done for other user-request as well to make sure + * IPA related attributes are not overwritten. */ subreq = ipa_get_ad_memberships_send(state, state->ev, state->ar, state->ipa_ctx->server_mode, state->obj_dom, |