authorSumit Bose <sbose@redhat.com>2016-04-22 17:56:05 +0200
committerLukas Slebodnik <lslebodn@redhat.com>2016-06-09 16:12:25 +0200
commit21513e51a4a2eb08f245333bf8f223713a3d7cb3 (patch)
treed5b7c2bce5dd34a9789204a746902a8340e47ba3 /src/providers/ipa
parent2f90ec2e16f0c14c789d9ed20e008e3103337210 (diff)
IPA: allow lookups by cert in sub-domains on the client
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers/ipa')
-rw-r--r--src/providers/ipa/ipa_s2n_exop.c25
-rw-r--r--src/providers/ipa/ipa_subdomains.h4
-rw-r--r--src/providers/ipa/ipa_subdomains_id.c21
3 files changed, 41 insertions, 9 deletions
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 0ff7d928b..84f1c5ad0 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -36,7 +36,8 @@ enum input_types {
INP_SID = 1,
INP_NAME,
INP_POSIX_UID,
- INP_POSIX_GID
+ INP_POSIX_GID,
+ INP_CERT
};
enum request_types {
@@ -354,11 +355,22 @@ static errno_t s2n_encode_request(TALLOC_CTX *mem_ctx,
break;
case BE_REQ_BY_SECID:
if (req_input->type == REQ_INP_SECID) {
- ret = ber_printf(ber, "{ees}", INP_SID, request_type,
- req_input->inp.secid);
+ ret = ber_printf(ber, "{ees}", INP_SID, request_type,
+ req_input->inp.secid);
} else {
DEBUG(SSSDBG_OP_FAILURE, "Unexpected input type [%d].\n",
- req_input->type == REQ_INP_ID);
+ req_input->type == REQ_INP_ID);
+ ret = EINVAL;
+ goto done;
+ }
+ break;
+ case BE_REQ_BY_CERT:
+ if (req_input->type == REQ_INP_CERT) {
+ ret = ber_printf(ber, "{ees}", INP_CERT, request_type,
+ req_input->inp.cert);
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "Unexpected input type [%d].\n",
+ req_input->type);
ret = EINVAL;
goto done;
}
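Review bot: The "Unexpected input type" message in the BE_REQ_BY_SECID branch still passes `req_input->type == REQ_INP_ID` as its `%d` argument, so it logs 0 or 1 instead of the type that was actually received; the commit re-indents that line but keeps the comparison. The new BE_REQ_BY_CERT branch logs `req_input->type` directly, and the SECID branch should end the same way: `req_input->type);`. Without that, someone triaging a rejected request from the debug log cannot tell which input type arrived. s2n_encode_request starts and ends outside the hunk, so whether the ber_printf result is checked after the switch is not visible here.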
@@ -1535,6 +1547,11 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
talloc_zfree(subreq);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "s2n exop request failed.\n");
+ if (state->req_input->type == REQ_INP_CERT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Maybe the server does not support lookups by "
+ "certificates.\n");
+ }
goto done;
}
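Review bot: The failure path does not log `ret`, so the log cannot separate an unsupported request from a connection or server error, and the added hint is printed for every failed certificate lookup whatever the cause. Including the code in the first message, e.g. `DEBUG(SSSDBG_OP_FAILURE, "s2n exop request failed [%d].\n", ret);`, would let the "maybe" hint be weighed against the actual error. The body of ipa_s2n_get_user_done continues outside the hunk.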
diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
index 23c3b7e3c..9eb841b02 100644
--- a/src/providers/ipa/ipa_subdomains.h
+++ b/src/providers/ipa/ipa_subdomains.h
@@ -116,7 +116,8 @@ int ipa_ad_subdom_init(struct be_ctx *be_ctx,
enum req_input_type {
REQ_INP_NAME,
REQ_INP_ID,
- REQ_INP_SECID
+ REQ_INP_SECID,
+ REQ_INP_CERT
};
struct req_input {
@@ -125,6 +126,7 @@ struct req_input {
const char *name;
uint32_t id;
const char *secid;
+ const char *cert;
} inp;
};
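Review bot: The new `cert` member has no comment saying what string form it holds. Per the ipa_subdomains_id.c hunk it receives a copy of the BE_FILTER_CERT filter value, and s2n_encode_request passes it to ber_printf as a string element, so the expected encoding is part of the wire contract with the server. A one-line comment such as `/* certificate string as received in the BE_FILTER_CERT filter value */` would record that. The exact encoding is not visible in this diff and should be named by the author.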
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index e8dd82446..665ff635b 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -528,10 +528,23 @@ static void ipa_get_subdom_acct_connected(struct tevent_req *subreq)
}
break;
case BE_FILTER_CERT:
- DEBUG(SSSDBG_OP_FAILURE, "Lookup by certificate not supported yet.\n");
- state->dp_error = dp_error;
- tevent_req_error(req, EINVAL);
- return;
+ if (sdap_is_extension_supported(sdap_id_op_handle(state->op),
+ EXOP_SID2NAME_V1_OID)) {
+ req_input->type = REQ_INP_CERT;
+ req_input->inp.cert = talloc_strdup(req_input, state->filter);
+ if (req_input->inp.cert == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Lookup by certificate not supported by the server.\n");
+ state->dp_error = DP_ERR_OK;
+ tevent_req_error(req, EINVAL);
+ return;
+ }
+ break;
default:
DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain filter type.\n");
state->dp_error = dp_error;
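Review bot: The gate for certificate lookups checks only that the server advertises `EXOP_SID2NAME_V1_OID`, which is not the same as the server understanding `INP_CERT`; the hint added in ipa_s2n_get_user_done ("Maybe the server does not support lookups by certificates") acknowledges as much. A comment above the `if` should say so, e.g. `/* V1 exop support is required but does not guarantee the server accepts INP_CERT; such servers fail later in the s2n request */`. Separately, `state->filter` is copied with no visible check for an empty value; if no caller validates it before this point, rejecting an empty filter here would avoid sending a meaningless request. The function starts and ends outside the hunk.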