diff options
author | Sumit Bose <sbose@redhat.com> | 2009-08-21 12:08:31 +0200 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2009-08-21 12:55:42 -0400 |
commit | 9a5ad27a1d083a1859344d9e7f5ddcecc1b0178c (patch) | |
tree | 3282a8d129a7efcdcabced7c9b16c4d2946ec75d /server/providers | |
parent | 77167b0d659b60795a6c0ad2c8aa8fa01aa1dd70 (diff) | |
download | sssd-9a5ad27a1d083a1859344d9e7f5ddcecc1b0178c.tar.gz sssd-9a5ad27a1d083a1859344d9e7f5ddcecc1b0178c.tar.bz2 sssd-9a5ad27a1d083a1859344d9e7f5ddcecc1b0178c.zip |
use stored upn if available
If a user principle name (upn) can be found in sysdb the krb5
backend will use this otherwise is build as username@realm. It is
checked that the realm is upper case only.
Diffstat (limited to 'server/providers')
-rw-r--r-- | server/providers/krb5/krb5_auth.c | 121 |
1 files changed, 101 insertions, 20 deletions
diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c index ffbfd7b2..45bbe4cb 100644 --- a/server/providers/krb5/krb5_auth.c +++ b/server/providers/krb5/krb5_auth.c @@ -31,6 +31,7 @@ #include <unistd.h> #include <fcntl.h> #include <pwd.h> +#include <ctype.h> #include <security/pam_modules.h> @@ -40,6 +41,25 @@ #include "krb5_plugin/sssd_krb5_locator_plugin.h" #include "providers/krb5/krb5_auth.h" +#define REALM_SEPARATOR '@' + +static void make_realm_upper_case(const char *upn) +{ + char *c; + + c = strchr(upn, REALM_SEPARATOR); + if (c == NULL) { + DEBUG(9, ("No realm delimiter found in upn [%s].\n", upn)); + return; + } + + while(*(++c) != '\0') { + c[0] = toupper(*c); + } + + return; +} + static void fd_nonblocking(int fd) { int flags; @@ -77,13 +97,13 @@ static void krb5_cleanup(struct krb5_req *kr) talloc_free(kr); } -static int krb5_setup(struct be_req *req, struct krb5_req **krb5_req) +static int krb5_setup(struct be_req *req, const char *user_princ_str, + struct krb5_req **krb5_req) { struct krb5_req *kr = NULL; struct krb5_ctx *krb5_ctx; struct pam_data *pd; krb5_error_code kerr = 0; - char *user_princ_str = NULL; pd = talloc_get_type(req->req_data, struct pam_data); @@ -105,18 +125,6 @@ static int krb5_setup(struct be_req *req, struct krb5_req **krb5_req) goto failed; } -/* TODO: try to read user principal from id backend, use user + realm as a - fallback */ - if (kr->pd->user != NULL && krb5_ctx->realm != NULL) { - user_princ_str = talloc_asprintf(kr, "%s@%s", kr->pd->user, - krb5_ctx->realm); - } - if (user_princ_str == NULL) { - DEBUG(1, ("talloc_asprintf failed.\n")); - kerr = ENOMEM; - goto failed; - } - kerr = krb5_parse_name(kr->ctx, user_princ_str, &kr->princ); if (kerr != 0) { KRB5_DEBUG(1, kerr); @@ -374,16 +382,16 @@ static ssize_t tgt_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, return state->len; } +static void get_user_upn_done(void *pvt, int err, struct ldb_result *res); static void krb5_pam_handler_done(struct tevent_req *req); static void krb5_pam_handler_cache_done(struct tevent_req *treq); static void krb5_pam_handler(struct be_req *be_req) { - struct krb5_req *kr = NULL; - struct tevent_req *req; int ret; struct pam_data *pd; int pam_status=PAM_SYSTEM_ERR; + const char **attrs; pd = talloc_get_type(be_req->req_data, struct pam_data); @@ -393,22 +401,95 @@ static void krb5_pam_handler(struct be_req *be_req) goto done; } - ret = krb5_setup(be_req, &kr); + attrs = talloc_array(be_req, const char *, 2); + if (attrs == NULL) { + goto done; + } + + attrs[0] = SYSDB_UPN; + attrs[1] = NULL; + + ret = sysdb_get_user_attr(be_req, be_req->be_ctx->sysdb, + be_req->be_ctx->domain, pd->user, attrs, + get_user_upn_done, be_req); + + if (ret) { + goto done; + } + + return; + +done: + pd->pam_status = pam_status; + + be_req->fn(be_req, pam_status, NULL); +} + +static void get_user_upn_done(void *pvt, int err, struct ldb_result *res) +{ + struct be_req *be_req = talloc_get_type(pvt, struct be_req); + struct krb5_ctx *krb5_ctx; + struct krb5_req *kr = NULL; + struct tevent_req *req; + int ret; + struct pam_data *pd; + int pam_status=PAM_SYSTEM_ERR; + const char *upn = NULL; + + pd = talloc_get_type(be_req->req_data, struct pam_data); + krb5_ctx = talloc_get_type(be_req->be_ctx->bet_info[BET_AUTH].pvt_bet_data, + struct krb5_ctx); + + if (err != LDB_SUCCESS) { + DEBUG(5, ("sysdb search for upn of user [%s] failed.\n", pd->user)); + goto failed; + } + + switch (res->count) { + case 0: + DEBUG(5, ("No upn for user [%s] found.\n", pd->user)); + break; + + case 1: + upn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_UPN, NULL); + if (upn == NULL) { + /* NOTE: this is a hack, works only in some environments */ + if (krb5_ctx->realm != NULL) { + upn = talloc_asprintf(be_req, "%s@%s", pd->user, + krb5_ctx->realm); + } + } + break; + + default: + DEBUG(1, ("A user search by name (%s) returned > 1 results!\n", + pd->user)); + break; + } + + if (upn == NULL) { + DEBUG(1, ("Cannot set UPN.\n")); + goto failed; + } + + make_realm_upper_case(upn); + + ret = krb5_setup(be_req, upn, &kr); if (ret != EOK) { DEBUG(1, ("krb5_setup failed.\n")); - goto done; + goto failed; } req = tgt_req_send(be_req, be_req->be_ctx->ev, kr); if (req == NULL) { DEBUG(1, ("tgt_req_send failed.\n")); - goto done; + goto failed; } tevent_req_set_callback(req, krb5_pam_handler_done, kr); return; -done: +failed: krb5_cleanup(kr); pd->pam_status = pam_status; |