From 0ad1bcec60a2ec67a602e0ad1888f859d6009d54 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 20 Jun 2016 12:58:55 +0200 Subject: IPA: make get_object_from_cache() aware of UPN searches Reviewed-by: Jakub Hrozek --- src/providers/ipa/ipa_hbac_common.c | 10 ++++++++-- src/providers/ipa/ipa_hbac_users.c | 18 ++++++++++++++++++ src/providers/ipa/ipa_subdomains_id.c | 17 ++++++++++++----- 3 files changed, 38 insertions(+), 7 deletions(-) diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c index 7edaf576e..b99b75d32 100644 --- a/src/providers/ipa/ipa_hbac_common.c +++ b/src/providers/ipa/ipa_hbac_common.c @@ -515,6 +515,7 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx, struct ldb_message *msg; struct ldb_message_element *el; const char *attrs[] = { SYSDB_ORIG_MEMBEROF, NULL }; + char *shortname; tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) return ENOMEM; @@ -525,13 +526,18 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx, goto done; } - users->name = username; + ret = sss_parse_internal_fqname(tmp_ctx, username, &shortname, NULL); + if (ret != EOK) { + ret = ERR_WRONG_NAME_FORMAT; + goto done; + } + users->name = talloc_steal(users, shortname); /* Read the originalMemberOf attribute * This will give us the list of both POSIX and * non-POSIX groups that this user belongs to. */ - ret = sysdb_search_user_by_name(tmp_ctx, domain, users->name, + ret = sysdb_search_user_by_name(tmp_ctx, domain, username, attrs, &msg); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, diff --git a/src/providers/ipa/ipa_hbac_users.c b/src/providers/ipa/ipa_hbac_users.c index a8d52ffa5..44745cae7 100644 --- a/src/providers/ipa/ipa_hbac_users.c +++ b/src/providers/ipa/ipa_hbac_users.c @@ -53,6 +53,8 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx, */ *groupname = NULL; + DEBUG(SSSDBG_TRACE_LIBS, "Parsing %s\n", group_dn); + dn = ldb_dn_new(mem_ctx, sysdb_ctx_get_ldb(sysdb), group_dn); if (dn == NULL) { ret = ENOMEM; 
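Review bot: In the second ipa_hbac_common.c hunk the new `if (ret != EOK)` after `sss_parse_internal_fqname()` rewrites every failure, including ENOMEM, to ERR_WRONG_NAME_FORMAT, so an allocation failure is reported to the caller as a malformed name and nothing is logged. Prefer logging and keeping ENOMEM intact, e.g. `DEBUG(SSSDBG_OP_FAILURE, "sss_parse_internal_fqname failed [%d]: %s\n", ret, sss_strerror(ret));` followed by `if (ret != ENOMEM) { ret = ERR_WRONG_NAME_FORMAT; }` and then `goto done;`. Since the same hunk switches the sysdb lookup to the fully-qualified `username` while `users->name` becomes the short name, a one-line comment stating that `users->name` holds the short name for HBAC rule matching while the cache lookup needs the internal fqname would help the next reader. hbac_eval_user_element() starts and ends outside this hunk.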
@@ -60,6 +62,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx, } if (!ldb_dn_validate(dn)) { + DEBUG(SSSDBG_CRIT_FAILURE, "DN %s does not validate\n", group_dn); ret = ERR_MALFORMED_ENTRY; goto done; } @@ -67,6 +70,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx, if (ldb_dn_get_comp_num(dn) < 4) { /* RDN, groups, accounts, and at least one DC= */ /* If it's fewer, it's not a group DN */ + DEBUG(SSSDBG_CRIT_FAILURE, "DN %s has too few components\n", group_dn); ret = ERR_UNEXPECTED_ENTRY_TYPE; goto done; } @@ -77,6 +81,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx, /* Shouldn't happen if ldb_dn_validate() * passed, but we'll be careful. */ + DEBUG(SSSDBG_CRIT_FAILURE, "No RDN name in %s\n", group_dn); ret = ERR_MALFORMED_ENTRY; goto done; } @@ -85,6 +90,8 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx, /* RDN has the wrong attribute name. * It's not a group. */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Expected cn in RDN, got %s\n", rdn_name); ret = ERR_UNEXPECTED_ENTRY_TYPE; goto done; } @@ -93,6 +100,8 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx, group_comp_name = ldb_dn_get_component_name(dn, 1); if (strcasecmp("cn", group_comp_name) != 0) { /* The second component name is not "cn" */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Expected cn in second component, got %s\n", group_comp_name); ret = ERR_UNEXPECTED_ENTRY_TYPE; goto done; } @@ -102,6 +111,9 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx, (const char *) group_comp_val->data, group_comp_val->length) != 0) { /* The second component value is not "groups" */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Expected groups second component, got %s\n", + (const char *) group_comp_val->data); ret = ERR_UNEXPECTED_ENTRY_TYPE; goto done; } @@ -110,6 +122,8 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx, account_comp_name = ldb_dn_get_component_name(dn, 2); if (strcasecmp("cn", account_comp_name) != 0) { /* The third component name is not "cn" */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Expected cn in second component, got %s\n", account_comp_name); ret = ERR_UNEXPECTED_ENTRY_TYPE; goto done; } 
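Review bot: In the @@ -102 hunk the added DEBUG prints `group_comp_val->data` with `%s`, but the comparison right above it deliberately passes `group_comp_val->length` because an ldb_val is a length-counted buffer; unless NUL termination is guaranteed by ldb for DN components (I cannot confirm that from here), the log line can read past the value. Bounding the print is a one-line change: `"Expected groups second component, got %.*s\n", (int) group_comp_val->length, (const char *) group_comp_val->data);`. The same applies to the account_comp_val print in the @@ -119 hunk of this file. Separately, the message in the @@ -110 hunk says "second component" while it checks component 2 (the third), and the @@ -119 message reads "Expected cn accounts second component"; suggest `"Expected cn in third component, got %s\n"` and `"Expected accounts in third component, got %.*s\n"` respectively. get_ipa_groupname() starts before and ends after these hunks.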
@@ -119,6 +133,9 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx, (const char *) account_comp_val->data, account_comp_val->length) != 0) { /* The third component value is not "accounts" */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Expected cn accounts second component, got %s\n", + (const char *) account_comp_val->data); ret = ERR_UNEXPECTED_ENTRY_TYPE; goto done; } @@ -132,6 +149,7 @@ get_ipa_groupname(TALLOC_CTX *mem_ctx, ret = ENOMEM; goto done; } + DEBUG(SSSDBG_TRACE_LIBS, "Parsed %s out of the DN\n", *groupname); ret = EOK; diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c index 7367080e5..65bfd3376 100644 --- a/src/providers/ipa/ipa_subdomains_id.c +++ b/src/providers/ipa/ipa_subdomains_id.c @@ -1034,12 +1034,19 @@ errno_t get_object_from_cache(TALLOC_CTX *mem_ctx, case BE_REQ_INITGROUPS: case BE_REQ_USER: case BE_REQ_USER_AND_GROUP: - ret = sysdb_search_user_by_name(mem_ctx, dom, ar->filter_value, - attrs, &msg); - if (ret == ENOENT && (ar->entry_type & BE_REQ_TYPE_MASK) + if (ar->extra_value + && strcmp(ar->extra_value, EXTRA_NAME_IS_UPN) == 0) { + ret = sysdb_search_user_by_upn(mem_ctx, dom, ar->filter_value, + attrs, &msg); + } else { + ret = sysdb_search_user_by_name(mem_ctx, dom, ar->filter_value, + attrs, &msg); + if (ret == ENOENT && (ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_USER_AND_GROUP) { - ret = sysdb_search_group_by_name(mem_ctx, dom, ar->filter_value, - attrs, &msg); + ret = sysdb_search_group_by_name(mem_ctx, dom, + ar->filter_value, attrs, + &msg); + } } break; default: -- cgit
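Review bot: In the ipa_subdomains_id.c hunk the new UPN branch never falls through to `sysdb_search_group_by_name()` on ENOENT, even when `ar->entry_type` is BE_REQ_USER_AND_GROUP, and nothing in the hunk says whether that asymmetry is intended. If it is, a comment on the branch such as `/* A UPN only identifies a user, so the group fallback does not apply here. */` would stop the next reader from treating it as an omission. As a point of style, the nested `if` inside the `else` pushes the group fallback to a fourth indentation level; hoisting the `strcmp()` test into a local flag before the switch would let both lookups sit at the same depth. get_object_from_cache() starts and ends outside this hunk.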