diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-06 20:23:07 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-25 21:02:43 +0200 |
commit | 443eb8217741df57d9f58f2098487b91e3404e71 (patch) | |
tree | 013d5921211dbcd981394218c692d769f2d9adef /src/providers/ldap/ldap_access.c | |
parent | f64296c40e07614668c4ac4c978bc8980fb6a7db (diff) | |
download | sssd-443eb8217741df57d9f58f2098487b91e3404e71.tar.gz sssd-443eb8217741df57d9f58f2098487b91e3404e71.tar.xz sssd-443eb8217741df57d9f58f2098487b91e3404e71.zip |
LDAP: Amend sdap_access_check to allow any connection
Related:
https://fedorahosted.org/sssd/ticket/2082
Also move the check for subdomain to the handler. I think it is the job
of the handler to decide which domain the request belongs to, not the
request itself.
Diffstat (limited to 'src/providers/ldap/ldap_access.c')
-rw-r--r-- | src/providers/ldap/ldap_access.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/src/providers/ldap/ldap_access.c b/src/providers/ldap/ldap_access.c index 8d5b5e228..c468a1cd5 100644 --- a/src/providers/ldap/ldap_access.c +++ b/src/providers/ldap/ldap_access.c @@ -50,6 +50,7 @@ void sdap_pam_access_handler(struct be_req *breq) struct pam_data *pd; struct tevent_req *req; struct sdap_access_ctx *access_ctx; + struct sss_domain_info *dom; pd = talloc_get_type(be_req_get_data(breq), struct pam_data); @@ -57,8 +58,16 @@ void sdap_pam_access_handler(struct be_req *breq) talloc_get_type(be_ctx->bet_info[BET_ACCESS].pvt_bet_data, struct sdap_access_ctx); + dom = be_ctx->domain; + if (strcasecmp(pd->domain, be_ctx->domain->name) != 0) { + /* Subdomain request, verify subdomain */ + dom = find_subdomain_by_name(be_ctx->domain, pd->domain, true); + } + req = sdap_access_send(breq, be_ctx->ev, be_ctx, - be_ctx->domain, access_ctx, pd); + dom, access_ctx, + access_ctx->id_ctx->conn, + pd); if (req == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to start sdap_access request\n")); sdap_access_reply(breq, PAM_SYSTEM_ERR); |