authorJakub Hrozek <jhrozek@redhat.com>2016-04-22 18:32:26 +0200
committerJakub Hrozek <jhrozek@redhat.com>2016-06-03 09:53:33 +0200
commiteedfc2cced329731c90317a5be3cd82a3749eb8a (patch)
tree7b3c93d4bee803fc6b2ef43e4987f15a67e7fcfb /src/providers/ldap
parent45e11be651dbd3855a35de4abd2922e5b9d4b963 (diff)
LDAP: Try also the AD access control for IPA users
Resolves: https://fedorahosted.org/sssd/ticket/2927 If a user from an AD trusted domain is logging in, we should also check their AD lockout status. This helps cases where the user might have been disabled but is logging in with an SSH public key. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Diffstat (limited to 'src/providers/ldap')
-rw-r--r--src/providers/ldap/sdap_access.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 3ef45b717..14ec34508 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -741,6 +741,21 @@ static errno_t sdap_account_expired(struct sdap_access_ctx *access_ctx,
DEBUG(SSSDBG_CRIT_FAILURE,
"sdap_account_expired_rhds failed.\n");
}
+
+ if (ret == EOK &&
+ strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_IPA) == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "IPA access control succeeded, checking AD "
+ "access control\n");
+ ret = sdap_account_expired_ad(pd, user_entry);
+ if (ret == ERR_ACCOUNT_EXPIRED || ret == ERR_ACCESS_DENIED) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "sdap_account_expired_ad: %s.\n", sss_strerror(ret));
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_account_expired_ad failed.\n");
+ }
+ }
} else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_NDS) == 0) {
ret = sdap_account_expired_nds(pd, user_entry);
if (ret == ERR_ACCESS_DENIED) {
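Review bot: The AD check added after the RHDS check runs for every user whose domain uses the IPA expire policy, not only for users from a trusted AD domain as the commit message says, so for a native IPA entry that carries no AD attributes the outcome depends on how sdap_account_expired_ad treats absent attributes, which is not visible in this hunk; presumably missing attributes yield EOK, but that is the assumption the access decision rests on and it deserves a comment. Gating the AD check on `ret == EOK` is right, since a denial from sdap_account_expired_rhds is never overridden, and a denial or expiry from the AD check is propagated in ret like the other branches. I would add above the new block: `/* Trust users are cached with their AD attributes; run the AD lockout check too so a disabled AD account is refused even with SSH-key auth. Native IPA entries carry no AD attributes and must keep returning EOK here. */`. The trace message "IPA access control succeeded, checking AD access control" is also emitted for native IPA users, which may mislead when reading logs; consider wording it as a conditional check rather than a fact. The enclosing function sdap_account_expired starts and ends outside the hunk.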