author | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-06 20:23:07 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-25 21:02:43 +0200 |
commit | 443eb8217741df57d9f58f2098487b91e3404e71 (patch) | |
tree | 013d5921211dbcd981394218c692d769f2d9adef /src | |
parent | f64296c40e07614668c4ac4c978bc8980fb6a7db (diff) | |
LDAP: Amend sdap_access_check to allow any connection
Related:
https://fedorahosted.org/sssd/ticket/2082
Also move the check for subdomain to the handler. I think it is the job
of the handler to decide which domain the request belongs to, not the
request itself.
Diffstat (limited to 'src')
-rw-r--r-- | src/providers/ad/ad_access.c | 4 | ||||
-rw-r--r-- | src/providers/ipa/ipa_access.c | 13 | ||||
-rw-r--r-- | src/providers/ldap/ldap_access.c | 11 | ||||
-rw-r--r-- | src/providers/ldap/sdap_access.c | 40 | ||||
-rw-r--r-- | src/providers/ldap/sdap_access.h | 2 |
5 files changed, 44 insertions, 26 deletions
diff --git a/src/providers/ad/ad_access.c b/src/providers/ad/ad_access.c
index 746017dc5..cf6412f22 100644
--- a/src/providers/ad/ad_access.c
+++ b/src/providers/ad/ad_access.c
@@ -56,7 +56,9 @@ ad_access_handler(struct be_req *breq)
 /* Verify that the account is not locked */
 req = sdap_access_send(breq, be_ctx->ev, be_ctx, domain,
- access_ctx->sdap_access_ctx, pd);
+ access_ctx->sdap_access_ctx,
+ access_ctx->sdap_access_ctx->id_ctx->conn,
+ pd);
 if (!req) {
 be_req_terminate(breq, DP_ERR_FATAL, PAM_SYSTEM_ERR, NULL);
 return;
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 7d44788af..f067b7021 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -78,6 +78,7 @@ void ipa_access_handler(struct be_req *be_req)
 struct pam_data *pd;
 struct ipa_access_ctx *ipa_access_ctx;
 struct tevent_req *req;
+ struct sss_domain_info *dom;
 struct be_ctx *be_ctx = be_req_get_be_ctx(be_req);
 
 pd = talloc_get_type(be_req_get_data(be_req), struct pam_data);
@@ -85,13 +86,21 @@ void ipa_access_handler(struct be_req *be_req)
 ipa_access_ctx = talloc_get_type(be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
 struct ipa_access_ctx);
 
+ dom = be_ctx->domain;
+ if (strcasecmp(pd->domain, be_ctx->domain->name) != 0) {
+ /* Subdomain request, verify subdomain */
+ dom = find_subdomain_by_name(be_ctx->domain, pd->domain, true);
+ }
+
 /* First, verify that this account isn't locked.
 * We need to do this in case the auth phase was
 * skipped (such as during GSSAPI single-sign-on
 * or SSH public key exchange.
 */
- req = sdap_access_send(be_req, be_ctx->ev, be_ctx, be_ctx->domain,
- ipa_access_ctx->sdap_access_ctx, pd);
+ req = sdap_access_send(be_req, be_ctx->ev, be_ctx, dom,
+ ipa_access_ctx->sdap_access_ctx,
+ ipa_access_ctx->sdap_access_ctx->id_ctx->conn,
+ pd);
 if (!req) {
 be_req_terminate(be_req, DP_ERR_FATAL, PAM_SYSTEM_ERR, NULL);
 return;
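Review bot: In the second ipa_access.c hunk, `dom = find_subdomain_by_name(be_ctx->domain, pd->domain, true);` is handed to sdap_access_send() with no NULL check, and the `if (user_dom == NULL) ... goto done` that the removed block in sdap_access.c used to perform is not re-created in the handler, so an access request whose pd->domain matches no known subdomain now reaches `domain->sysdb` in sdap_access_send() through a NULL pointer; as far as the visible lines show, that turns a request that should simply fail into a crash of the backend process. The ldap_access.c hunk has the same gap. Fail the request on the handler's existing error path before the call: `if (dom == NULL) { be_req_terminate(be_req, DP_ERR_FATAL, PAM_SYSTEM_ERR, NULL); return; }` (in ldap_access.c the matching exit is `sdap_access_reply(breq, PAM_SYSTEM_ERR); return;`). ipa_access_handler begins before and continues after the hunk.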
diff --git a/src/providers/ldap/ldap_access.c b/src/providers/ldap/ldap_access.c
index 8d5b5e228..c468a1cd5 100644
--- a/src/providers/ldap/ldap_access.c
+++ b/src/providers/ldap/ldap_access.c
@@ -50,6 +50,7 @@ void sdap_pam_access_handler(struct be_req *breq)
 struct pam_data *pd;
 struct tevent_req *req;
 struct sdap_access_ctx *access_ctx;
+ struct sss_domain_info *dom;
 
 pd = talloc_get_type(be_req_get_data(breq), struct pam_data);
 
@@ -57,8 +58,16 @@ void sdap_pam_access_handler(struct be_req *breq)
 talloc_get_type(be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
 struct sdap_access_ctx);
 
+ dom = be_ctx->domain;
+ if (strcasecmp(pd->domain, be_ctx->domain->name) != 0) {
+ /* Subdomain request, verify subdomain */
+ dom = find_subdomain_by_name(be_ctx->domain, pd->domain, true);
+ }
+
 req = sdap_access_send(breq, be_ctx->ev, be_ctx,
- be_ctx->domain, access_ctx, pd);
+ dom, access_ctx,
+ access_ctx->id_ctx->conn,
+ pd);
 if (req == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE, ("Unable to start sdap_access request\n"));
 sdap_access_reply(breq, PAM_SYSTEM_ERR);
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 9d1315fab..267a2b863 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -45,6 +45,7 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
 struct be_ctx *be_ctx,
 struct sss_domain_info *domain,
 struct sdap_access_ctx *access_ctx,
+ struct sdap_id_conn_ctx *conn,
 const char *username,
 struct ldb_message *user_entry);
 static errno_t sdap_access_filter_recv(struct tevent_req *req);
@@ -62,6 +63,7 @@ struct sdap_access_req_ctx {
 struct pam_data *pd;
 struct tevent_context *ev;
 struct sdap_access_ctx *access_ctx;
+ struct sdap_id_conn_ctx *conn;
 struct be_ctx *be_ctx;
 struct sss_domain_info *domain;
 struct ldb_message *user_entry;
@@ -78,6 +80,7 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
 struct be_ctx *be_ctx,
 struct sss_domain_info *domain,
 struct sdap_access_ctx *access_ctx,
+ struct sdap_id_conn_ctx *conn,
 struct pam_data *pd)
 {
 errno_t ret;
@@ -85,7 +88,6 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
 struct tevent_req *req;
 struct ldb_result *res;
 const char *attrs[] = { "*", NULL };
- struct sss_domain_info *user_dom;
 
 req = tevent_req_create(mem_ctx, &state, struct sdap_access_req_ctx);
 if (req == NULL) {
@@ -98,6 +100,7 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
 state->pd = pd;
 state->ev = ev;
 state->access_ctx = access_ctx;
+ state->conn = conn;
 state->current_rule = 0;
 
 DEBUG(6, ("Performing access check for user [%s]\n", pd->user));
@@ -108,20 +111,9 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
- /* Get original user DN, take care of subdomain users as well */
- if (strcasecmp(pd->domain, be_ctx->domain->name) != 0) {
- user_dom = find_subdomain_by_name(be_ctx->domain, pd->domain, true);
- if (user_dom == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, ("find_subdomain_by_name failed.\n"));
- ret = ENOMEM;
- goto done;
- }
- ret = sysdb_get_user_attr(state, user_dom->sysdb, user_dom,
- pd->user, attrs, &res);
- } else {
- ret = sysdb_get_user_attr(state, domain->sysdb, domain,
- pd->user, attrs, &res);
- }
+ /* Get original user DN, domain already points to the right (sub)domain */
+ ret = sysdb_get_user_attr(state, domain->sysdb, domain,
+ pd->user, attrs, &res);
 if (ret != EOK) {
 if (ret == ENOENT) {
 /* If we can't find the user, return access denied */
@@ -177,6 +169,7 @@ static errno_t check_next_rule(struct sdap_access_req_ctx *state,
 subreq = sdap_access_filter_send(state, state->ev, state->be_ctx,
 state->domain,
 state->access_ctx,
+ state->conn,
 state->pd->user,
 state->user_entry);
 if (subreq == NULL) {
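Review bot: The new comment `/* Get original user DN, domain already points to the right (sub)domain */` in the fourth sdap_access.c hunk turns the NULL handling the removed block performed into a precondition on callers, yet nothing in sdap_access_send() checks it before `domain->sysdb` is read, and this function is the entry point shared by the AD, IPA and LDAP access handlers. A guard beside the existing early exits keeps a caller that resolved no subdomain from bringing the backend down: `if (domain == NULL) { ret = EINVAL; goto done; }` placed ahead of the sysdb_get_user_attr() call. sdap_access_send() starts before the first of these hunks and its `done` label is not within them, so the cleanup it reaches is inferred from the surviving `goto done`.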
@@ -624,7 +617,8 @@ struct sdap_access_filter_req_ctx {
 const char *filter;
 struct tevent_context *ev;
 struct sdap_access_ctx *access_ctx;
- struct sdap_id_ctx *sdap_ctx;
+ struct sdap_options *opts;
+ struct sdap_id_conn_ctx *conn;
 struct sdap_id_op *sdap_op;
 struct sysdb_handle *handle;
 struct sss_domain_info *domain;
@@ -641,6 +635,7 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
 struct be_ctx *be_ctx,
 struct sss_domain_info *domain,
 struct sdap_access_ctx *access_ctx,
+ struct sdap_id_conn_ctx *conn,
 const char *username,
 struct ldb_message *user_entry)
 {
@@ -664,7 +659,8 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
 
 state->filter = NULL;
 state->username = username;
- state->sdap_ctx = access_ctx->id_ctx;
+ state->opts = access_ctx->id_ctx->opts;
+ state->conn = conn;
 state->ev = ev;
 state->access_ctx = access_ctx;
 state->domain = domain;
@@ -707,9 +703,9 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
 
 state->filter = talloc_asprintf(
 state, "(&(%s=%s)(objectclass=%s)%s)",
- state->sdap_ctx->opts->user_map[SDAP_AT_USER_NAME].name,
+ state->opts->user_map[SDAP_AT_USER_NAME].name,
 clean_username,
- state->sdap_ctx->opts->user_map[SDAP_OC_USER].name,
+ state->opts->user_map[SDAP_OC_USER].name,
 state->access_ctx->filter);
 if (state->filter == NULL) {
 DEBUG(0, ("Could not construct access filter\n"));
@@ -721,7 +717,7 @@ static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
 DEBUG(6, ("Checking filter against LDAP\n"));
 
 state->sdap_op = sdap_id_op_create(state,
- state->sdap_ctx->conn->conn_cache);
+ state->conn->conn_cache);
 if (!state->sdap_op) {
 DEBUG(2, ("sdap_id_op_create failed\n"));
 ret = ENOMEM;
@@ -805,13 +801,13 @@ static void sdap_access_filter_connect_done(struct tevent_req *subreq)
 */
 subreq = sdap_get_generic_send(state,
 state->ev,
- state->sdap_ctx->opts,
+ state->opts,
 sdap_id_op_handle(state->sdap_op),
 state->basedn,
 LDAP_SCOPE_BASE,
 state->filter, NULL, NULL, 0,
- dp_opt_get_int(state->sdap_ctx->opts->basic,
+ dp_opt_get_int(state->opts->basic,
 SDAP_SEARCH_TIMEOUT),
 false);
 if (subreq == NULL) {
diff --git a/src/providers/ldap/sdap_access.h b/src/providers/ldap/sdap_access.h
index cda078688..30097e21f 100644
--- a/src/providers/ldap/sdap_access.h
+++ b/src/providers/ldap/sdap_access.h
@@ -26,6 +26,7 @@
 #define SDAP_ACCESS_H_
 
 #include "providers/dp_backend.h"
+#include "providers/ldap/ldap_common.h"
 
 #define SYSDB_LDAP_ACCESS_FILTER "ldap_access_filter_allow"
 
@@ -62,6 +63,7 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
 struct be_ctx *be_ctx,
 struct sss_domain_info *domain,
 struct sdap_access_ctx *access_ctx,
+ struct sdap_id_conn_ctx *conn,
 struct pam_data *pd);
 
 errno_t sdap_access_recv(struct tevent_req *req); |
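Review bot: The public sdap_access_send() declaration in the sdap_access.h hunk gains a `conn` parameter but still carries no comment, and the contract the sdap_access.c changes now depend on — that `domain` is already the (sub)domain the user belongs to and is not NULL — lives only in a comment inside the function body, where callers in other providers will not see it. Add a short block comment above the declaration, e.g. `/* Run the access rules for pd->user. domain must be the user's own (sub)domain and must not be NULL; conn is the LDAP connection the access filter is evaluated over. */`. Whether sdap_access_send() tolerates a NULL `conn` is not visible here, so say so in the comment only if that is confirmed.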