authorStephen Gallagher <sgallagh@redhat.com>2010-06-04 10:28:15 -0400
committerStephen Gallagher <sgallagh@redhat.com>2010-06-09 08:29:35 -0400
commita6dbe52dc824f8338d209ef5c56f9e345aeeb2fe (patch)
tree555182f7bb78e0f2bbec38ef3a09aa559c00476f
parentcd08e2f935f70ea884520793588b43ad8114465a (diff)
Allow ldap_access_filter values wrapped in parentheses
-rw-r--r--src/providers/ldap/ldap_init.c22
-rw-r--r--src/providers/ldap/sdap_access.c2
2 files changed, 21 insertions, 3 deletions
diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c
index 3a9b12d2..7059905c 100644
--- a/src/providers/ldap/ldap_init.c
+++ b/src/providers/ldap/ldap_init.c
@@ -208,6 +208,7 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
{
int ret;
struct sdap_access_ctx *access_ctx;
+ const char *filter;
access_ctx = talloc_zero(bectx, struct sdap_access_ctx);
if(access_ctx == NULL) {
@@ -221,9 +222,9 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
goto done;
}
- access_ctx->filter = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic,
+ filter = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic,
SDAP_ACCESS_FILTER);
- if (access_ctx->filter == NULL) {
+ if (filter == NULL) {
/* It's okay if this is NULL. In that case we will simply act
* like the 'deny' provider.
*/
@@ -232,9 +233,26 @@ int sssm_ldap_access_init(struct be_ctx *bectx,
"All domain users will be denied access.\n"));
}
+ if (filter[0] == '(') {
+ /* This filter is wrapped in parentheses.
+ * Pass it as-is to the openldap libraries.
+ */
+ access_ctx->filter = filter;
+ }
+ else {
+ /* Add parentheses around the filter */
+ access_ctx->filter = talloc_asprintf(access_ctx, "(%s)", filter);
+ if (access_ctx->filter == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
*ops = &sdap_access_ops;
*pvt_data = access_ctx;
+ ret = EOK;
+
done:
if (ret != EOK) {
talloc_free(access_ctx);
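Review bot: `if (filter[0] == '(')` dereferences a NULL pointer when no ldap_access_filter is configured, because the `if (filter == NULL)` branch in the previous hunk only logs the "All domain users will be denied access" warning and falls through (its closing `}` is the line right above the new code, and nothing visible between the two hunks exits early — worth confirming against the full function). Before this change access_ctx->filter simply stayed NULL in that case, which is what the "act like the 'deny' provider" comment relies on; now the wrapping code crashes instead of preserving that. Since access_ctx comes from talloc_zero, the fix is to skip the wrapping entirely: `if (filter == NULL) { /* deny: leave access_ctx->filter NULL */ } else if (filter[0] == '(') {`. A leading '(' also does not prove the value is one complete parenthesized filter, so an otherwise malformed option still reaches the LDAP library unchanged — pre-existing behaviour, but a comment on the `'('` check saying the value is not validated here would save the next reader a trip to sdap_access.c. sssm_ldap_access_init starts before this hunk.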
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index fd3deb78..8a156bc3 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -214,7 +214,7 @@ static struct tevent_req *sdap_access_send(TALLOC_CTX *mem_ctx,
/* Construct the filter */
state->filter = talloc_asprintf(
state,
- "(&(%s=%s)(objectclass=%s)(%s))",
+ "(&(%s=%s)(objectclass=%s)%s)",
state->sdap_ctx->opts->user_map[SDAP_AT_USER_NAME].name,
state->username,
state->sdap_ctx->opts->user_map[SDAP_OC_USER].name,
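Review bot: The new format string `"(&(%s=%s)(objectclass=%s)%s)"` now silently depends on access_ctx->filter having been wrapped in parentheses by sssm_ldap_access_init(); nothing at this call site says so, and a future change to either side breaks the composed filter. Suggest extending the comment above the talloc_asprintf: `/* Construct the filter. The access filter is already parenthesized by sssm_ldap_access_init(), so it is inserted without extra brackets. */`. Whether a NULL access filter (the deny case) is rejected before this point is not visible in the hunk; if it is not, the `%s` here would receive NULL. sdap_access_send continues outside the hunk.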