authorSumit Bose <sbose@redhat.com>2013-04-22 10:43:44 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-04-29 12:15:20 +0200
commitb1829e54acbc8a010aca7f14b9ffa9625f8c102c (patch)
tree7b32d5eb054c486ac89c86a1ab59fdd1a646b8f6
parentc7a4383b3b5549d0627c21bb02bd5f0bd46a3531 (diff)
Make IPA SELinux provider aware of subdomain users
Fixes https://fedorahosted.org/sssd/ticket/1892
-rw-r--r--src/providers/ipa/ipa_selinux.c27
-rw-r--r--src/providers/ipa/ipa_subdomains.c14
-rw-r--r--src/providers/ipa/ipa_subdomains.h2
3 files changed, 41 insertions, 2 deletions
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index ed44fac2..d82485e7 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -36,6 +36,7 @@
#include "providers/ipa/ipa_access.h"
#include "providers/ipa/ipa_selinux_common.h"
#include "providers/ipa/ipa_selinux_maps.h"
+#include "providers/ipa/ipa_subdomains.h"
#ifdef HAVE_SELINUX_LOGIN_DIR
@@ -94,6 +95,8 @@ void ipa_selinux_handler(struct be_req *be_req)
struct tevent_req *req;
struct pam_data *pd;
const char *hostname;
+ struct sss_domain_info *user_domain;
+ struct be_ctx *subdom_be_ctx;
pd = talloc_get_type(be_req_get_data(be_req), struct pam_data);
@@ -107,8 +110,28 @@ void ipa_selinux_handler(struct be_req *be_req)
goto fail;
}
- op_ctx = ipa_selinux_create_op_ctx(be_req, be_ctx->domain->sysdb,
- be_ctx->domain,
+ if (strcasecmp(pd->domain, be_ctx->domain->name) != 0) {
+ subdom_be_ctx = ipa_get_subdomains_be_ctx(be_ctx);
+ if (subdom_be_ctx == NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS, ("Subdomains are not configured, " \
+ "cannot lookup domain [%s].\n",
+ pd->domain));
+ goto fail;
+ } else {
+ user_domain = find_subdomain_by_name(subdom_be_ctx->domain,
+ pd->domain, true);
+ if (user_domain == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("No domain entry found " \
+ "for [%s].\n", pd->domain));
+ goto fail;
+ }
+ }
+ } else {
+ user_domain = be_ctx->domain;
+ }
+
+ op_ctx = ipa_selinux_create_op_ctx(be_req, user_domain->sysdb,
+ user_domain,
be_req, pd->user, hostname,
selinux_ctx);
if (op_ctx == NULL) {
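Review bot: `pd->domain` is passed straight to `strcasecmp()` on the first added line, and nothing visible in the hunk shows it being checked after the `talloc_get_type()` call; if a request can arrive without a domain set, a guard such as `if (pd->domain == NULL) goto fail;` is needed before the comparison. The two new failure paths log at `SSSDBG_CONF_SETTINGS` and `SSSDBG_MINOR_FAILURE` even though each one aborts the SELinux map lookup for that login, so `SSSDBG_OP_FAILURE` would make a skipped label assignment visible at ordinary debug levels. The `else` after the first `goto fail` is also redundant and could be flattened. `ipa_selinux_handler()` starts and ends outside the hunk, so what status the `fail` label reports to the caller cannot be confirmed from here and is worth checking for the subdomain case.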
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 529618bc..98fc69f1 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -79,6 +79,20 @@ struct ipa_subdomains_ctx {
time_t disabled_until;
};
+struct be_ctx *ipa_get_subdomains_be_ctx(struct be_ctx *be_ctx)
+{
+ struct ipa_subdomains_ctx *subdom_ctx;
+
+ subdom_ctx = talloc_get_type(be_ctx->bet_info[BET_SUBDOMAINS].pvt_bet_data,
+ struct ipa_subdomains_ctx);
+ if (subdom_ctx == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, ("Subdomains are not configured.\n"));
+ return NULL;
+ }
+
+ return subdom_ctx->be_ctx;
+}
+
const char *get_flat_name_from_subdomain_name(struct be_ctx *be_ctx,
const char *name)
{
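Review bot: `ipa_get_subdomains_be_ctx()` becomes a public entry point without any comment on who owns the returned pointer or when it is NULL. A line such as `/* Returns the be_ctx held in the subdomains handler's private data (borrowed, do not free), or NULL if that data is not set. */` above the definition would cover it. `talloc_get_type()` also returns NULL when the stored pointer has a different talloc type name, so the "Subdomains are not configured" message can be misleading in that case. `be_ctx` itself is dereferenced unchecked, which is fine only if every caller guarantees it is non-NULL.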
diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
index 35b42b41..df7f994d 100644
--- a/src/providers/ipa/ipa_subdomains.h
+++ b/src/providers/ipa/ipa_subdomains.h
@@ -28,6 +28,8 @@
#include "providers/dp_backend.h"
#include "providers/ipa/ipa_common.h"
+struct be_ctx *ipa_get_subdomains_be_ctx(struct be_ctx *be_ctx);
+
const char *get_flat_name_from_subdomain_name(struct be_ctx *be_ctx,
const char *name);