diff options
author | Sumit Bose <sbose@redhat.com> | 2013-04-22 10:43:44 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-04-29 12:15:20 +0200 |
commit | b1829e54acbc8a010aca7f14b9ffa9625f8c102c (patch) | |
tree | 7b32d5eb054c486ac89c86a1ab59fdd1a646b8f6 /src/providers/ipa | |
parent | c7a4383b3b5549d0627c21bb02bd5f0bd46a3531 (diff) | |
download | sssd-b1829e54acbc8a010aca7f14b9ffa9625f8c102c.tar.gz sssd-b1829e54acbc8a010aca7f14b9ffa9625f8c102c.tar.bz2 sssd-b1829e54acbc8a010aca7f14b9ffa9625f8c102c.zip |
Make IPA SELinux provider aware of subdomain users
Fixes https://fedorahosted.org/sssd/ticket/1892
Diffstat (limited to 'src/providers/ipa')
-rw-r--r-- | src/providers/ipa/ipa_selinux.c | 27 | ||||
-rw-r--r-- | src/providers/ipa/ipa_subdomains.c | 14 | ||||
-rw-r--r-- | src/providers/ipa/ipa_subdomains.h | 2 |
3 files changed, 41 insertions, 2 deletions
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c index ed44fac2..d82485e7 100644 --- a/src/providers/ipa/ipa_selinux.c +++ b/src/providers/ipa/ipa_selinux.c @@ -36,6 +36,7 @@ #include "providers/ipa/ipa_access.h" #include "providers/ipa/ipa_selinux_common.h" #include "providers/ipa/ipa_selinux_maps.h" +#include "providers/ipa/ipa_subdomains.h" #ifdef HAVE_SELINUX_LOGIN_DIR @@ -94,6 +95,8 @@ void ipa_selinux_handler(struct be_req *be_req) struct tevent_req *req; struct pam_data *pd; const char *hostname; + struct sss_domain_info *user_domain; + struct be_ctx *subdom_be_ctx; pd = talloc_get_type(be_req_get_data(be_req), struct pam_data); @@ -107,8 +110,28 @@ void ipa_selinux_handler(struct be_req *be_req) goto fail; } - op_ctx = ipa_selinux_create_op_ctx(be_req, be_ctx->domain->sysdb, - be_ctx->domain, + if (strcasecmp(pd->domain, be_ctx->domain->name) != 0) { + subdom_be_ctx = ipa_get_subdomains_be_ctx(be_ctx); + if (subdom_be_ctx == NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, ("Subdomains are not configured, " \ + "cannot lookup domain [%s].\n", + pd->domain)); + goto fail; + } else { + user_domain = find_subdomain_by_name(subdom_be_ctx->domain, + pd->domain, true); + if (user_domain == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, ("No domain entry found " \ + "for [%s].\n", pd->domain)); + goto fail; + } + } + } else { + user_domain = be_ctx->domain; + } + + op_ctx = ipa_selinux_create_op_ctx(be_req, user_domain->sysdb, + user_domain, be_req, pd->user, hostname, selinux_ctx); if (op_ctx == NULL) { diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c index 529618bc..98fc69f1 100644 --- a/src/providers/ipa/ipa_subdomains.c +++ b/src/providers/ipa/ipa_subdomains.c @@ -79,6 +79,20 @@ struct ipa_subdomains_ctx { time_t disabled_until; }; +struct be_ctx *ipa_get_subdomains_be_ctx(struct be_ctx *be_ctx) +{ + struct ipa_subdomains_ctx *subdom_ctx; + + subdom_ctx = talloc_get_type(be_ctx->bet_info[BET_SUBDOMAINS].pvt_bet_data, + struct ipa_subdomains_ctx); + if (subdom_ctx == NULL) { + DEBUG(SSSDBG_TRACE_ALL, ("Subdomains are not configured.\n")); + return NULL; + } + + return subdom_ctx->be_ctx; +} + const char *get_flat_name_from_subdomain_name(struct be_ctx *be_ctx, const char *name) { diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h index 35b42b41..df7f994d 100644 --- a/src/providers/ipa/ipa_subdomains.h +++ b/src/providers/ipa/ipa_subdomains.h @@ -28,6 +28,8 @@ #include "providers/dp_backend.h" #include "providers/ipa/ipa_common.h" +struct be_ctx *ipa_get_subdomains_be_ctx(struct be_ctx *be_ctx); + const char *get_flat_name_from_subdomain_name(struct be_ctx *be_ctx, const char *name); |