LDAP: Qualify user and group names when saving the sudo users

If the sudoUser values we fetch from LDAP correspond to a user or a
group name per:
    http://www.sudo.ws/man/1.8.14/sudoers.ldap.man.html
then we parse the usernames into (name,domain) tuples and store them
qualified.

This patch not only makes the sudo provider work with qualified names,
but also makes it possible to use qualified names on the LDAP side,
allowing for example AD users from different domains to access sudo
rules.

Reviewed-by: Sumit Bose <sbose@redhat.com>

2 files changed, 34 insertions, 0 deletions

diff --git a/src/util/util.c b/src/util/util.c
index d7d3ac90a..89abfe734 100644
--- a/src/util/util.c
+++ b/src/util/util.c
@@ -1244,3 +1244,34 @@ done:
 
     return ret;
 }
+
+bool is_user_or_group_name(const char *sudo_user_value)
+{
+    if (sudo_user_value == NULL) {
+        return false;
+    }
+
+    /* See man sudoers.ldap for explanation */
+    if (strcmp(sudo_user_value, "ALL") == 0) {
+        return false;
+    }
+
+    switch (sudo_user_value[0]) {
+    case '#':           /* user id */
+    case '+':           /* netgroup */
+    case '\0':          /* empty value */
+        return false;
+    }
+
+    if (sudo_user_value[0] == '%') {
+        switch (sudo_user_value[1]) {
+        case '#':           /* POSIX group ID */
+        case ':':           /* non-POSIX group */
+        case '\0':          /* empty value */
+            return false;
+        }
+    }
+
+    /* Now it's either a username or a groupname */
+    return true;
+}
diff --git a/src/util/util.h b/src/util/util.h
index 3b8acd1c5..3ed8444b5 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -381,6 +381,9 @@ errno_t sss_hash_create_ex(TALLOC_CTX *mem_ctx,
                            hash_delete_callback *delete_callback,
                            void *delete_private_data);
 
+/* Returns true if sudoUser value is a username or a groupname */
+bool is_user_or_group_name(const char *sudo_user_value);
+
 /**
  * @brief Add two list of strings
  *