authorJakub Hrozek <jhrozek@redhat.com>2013-02-23 10:44:54 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-03-19 21:47:30 +0100
commitc0bca1722d6f9dfb654ad78397be70f79ff39af1 (patch)
tree04a479b7191cca127e632a738a48c4182a39cae3 /src/providers/simple/simple_access.c
parent6569d57e3bc168e6e83d70333b48c5cb43aa04c4 (diff)
Resolve GIDs in the simple access provider
Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has a GID but no meaningful name, it attempts to resolve the name using the be_file_account_request function. Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In the AD provider the situation is even more tricky because the groups HAVE a name, but their name attribute is set to the SID and they are marked as non-POSIX.
Diffstat (limited to 'src/providers/simple/simple_access.c')
-rw-r--r--src/providers/simple/simple_access.c31
1 files changed, 28 insertions, 3 deletions
diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
index 3dcea869..e617e93d 100644
--- a/src/providers/simple/simple_access.c
+++ b/src/providers/simple/simple_access.c
@@ -32,12 +32,13 @@
#define CONFDB_SIMPLE_ALLOW_GROUPS "simple_allow_groups"
#define CONFDB_SIMPLE_DENY_GROUPS "simple_deny_groups"
+static void simple_access_check(struct tevent_req *req);
+
void simple_access_handler(struct be_req *be_req)
{
struct be_ctx *be_ctx = be_req_get_be_ctx(be_req);
- int ret;
- bool access_granted = false;
struct pam_data *pd;
+ struct tevent_req *req;
struct simple_ctx *ctx;
pd = talloc_get_type(be_req_get_data(be_req), struct pam_data);
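Review bot: The forward declaration `static void simple_access_check(struct tevent_req *req);` gives the tevent completion callback the same base name as the request it completes (`simple_access_check_send`/`simple_access_check_recv`), so at the call site it reads as if it were the access check itself rather than its continuation. The usual tevent naming for a completion callback is a `_done` suffix, e.g. `static void simple_access_check_done(struct tevent_req *req);`, applied here and at the definition and the `tevent_req_set_callback` call in the second hunk. The new `struct tevent_req *req;` local is fine; note that `ret` and `access_granted` moved into the callback, so simple_access_handler no longer evaluates the result itself.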
@@ -53,7 +54,30 @@ void simple_access_handler(struct be_req *be_req)
ctx = talloc_get_type(be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
struct simple_ctx);
- ret = simple_access_check(ctx, pd->user, &access_granted);
+ req = simple_access_check_send(be_req, be_ctx->ev, ctx, pd->user);
+ if (!req) {
+ pd->pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+ tevent_req_set_callback(req, simple_access_check, be_req);
+ return;
+
+done:
+ be_req_terminate(be_req, DP_ERR_OK, pd->pam_status, NULL);
+}
+
+static void simple_access_check(struct tevent_req *req)
+{
+ bool access_granted = false;
+ errno_t ret;
+ struct pam_data *pd;
+ struct be_req *be_req;
+
+ be_req = tevent_req_callback_data(req, struct be_req);
+ pd = talloc_get_type(be_req_get_data(be_req), struct pam_data);
+
+ ret = simple_access_check_recv(req, &access_granted);
+ talloc_free(req);
if (ret != EOK) {
pd->pam_status = PAM_SYSTEM_ERR;
goto done;
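Review bot: The new callback has no comment explaining that it is the continuation of the request started in simple_access_handler and that it owns `req` from this point on; a one-line header such as `/* Completion callback for simple_access_check_send(): collects the result, frees the request and finishes be_req with the resulting PAM status. */` would make the split between the two functions clear to a reader who only sees one of them. Freeing `req` immediately after `simple_access_check_recv()` and before any error handling is the correct tevent idiom and avoids leaking the request on the error path. The `if (!req)` branch in simple_access_handler terminates with `PAM_SYSTEM_ERR`, so a failed send denies access rather than falling through, which is the right default for an access provider; whether `DP_ERR_OK` or `DP_ERR_FATAL` is the appropriate dp_err value for that path depends on how be_req_terminate consumers treat it, which is not visible here. The callback body continues past the hunk (the `done:` label and the handling of `access_granted` are outside it), so the final termination path was not reviewed.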
@@ -87,6 +111,7 @@ int sssm_simple_access_init(struct be_ctx *bectx, struct bet_ops **ops,
}
ctx->domain = bectx->domain;
+ ctx->be_ctx = bectx;
/* Users */
ret = confdb_get_string_as_list(bectx->cdb, ctx, bectx->conf_path,