summaryrefslogtreecommitdiff
path: root/src/providers
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2013-04-11 09:18:56 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-04-15 14:56:45 +0200
commit8e195a545d41647e591c1d06082133cbd25dc0a4 (patch)
tree6b04cd814d97b677db67c35f77ed1a487a7096b3 /src/providers
parenteeee8d4e089830d337f217ec4921421ab448a8ec (diff)
downloadsssd-8e195a545d41647e591c1d06082133cbd25dc0a4.tar.gz
sssd-8e195a545d41647e591c1d06082133cbd25dc0a4.tar.bz2
sssd-8e195a545d41647e591c1d06082133cbd25dc0a4.zip
Fix simple access group control in case-insensitive domains
https://fedorahosted.org/sssd/ticket/1713 In the simple access provider, we need to only canonicalize user names when comparing with values in the ACL, not when searching the cache. The sysdb searches might do a base search with a DN constructed with the username which fails if the username is lower case.
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/simple/simple_access_check.c25
1 files changed, 9 insertions, 16 deletions
diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c
index 6475e773..663b7cea 100644
--- a/src/providers/simple/simple_access_check.c
+++ b/src/providers/simple/simple_access_check.c
@@ -90,8 +90,8 @@ simple_check_users(struct simple_ctx *ctx, const char *username,
}
static errno_t
-simple_check_groups(struct simple_ctx *ctx, const char *username,
- const char **group_names, bool *access_granted)
+simple_check_groups(struct simple_ctx *ctx, const char **group_names,
+ bool *access_granted)
{
bool matched;
int i, j;
@@ -357,7 +357,6 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
struct ldb_message **groups;
int i;
gid_t gid;
- char *cname;
req = tevent_req_create(mem_ctx, &state,
struct simple_check_groups_state);
@@ -366,18 +365,12 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
state->ev = ev;
state->ctx = ctx;
- cname = sss_get_cased_name(state, username, ctx->domain->case_sensitive);
- if (!cname) {
- ret = ENOMEM;
- goto done;
- }
-
- DEBUG(SSSDBG_TRACE_LIBS, ("Looking up groups for user %s\n", cname));
+ DEBUG(SSSDBG_TRACE_LIBS, ("Looking up groups for user %s\n", username));
ret = sysdb_search_user_by_name(state, ctx->domain->sysdb, ctx->domain,
- cname, attrs, &user);
+ username, attrs, &user);
if (ret == ENOENT) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("No such user %s\n", cname));
+ DEBUG(SSSDBG_MINOR_FAILURE, ("No such user %s\n", username));
goto done;
} else if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -395,7 +388,7 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_TRACE_FUNC,
("User %s is a member of %d supplemental groups\n",
- cname, group_count));
+ username, group_count));
/* One extra space for terminator, one extra space for private group */
state->group_names = talloc_zero_array(state, const char *, group_count + 2);
@@ -421,7 +414,7 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
gid = ldb_msg_find_attr_as_uint64(user, SYSDB_GIDNUM, 0);
if (!gid) {
- DEBUG(SSSDBG_MINOR_FAILURE, ("User %s has no gid?\n", cname));
+ DEBUG(SSSDBG_MINOR_FAILURE, ("User %s has no gid?\n", username));
ret = EINVAL;
goto done;
}
@@ -696,8 +689,8 @@ static void simple_access_check_done(struct tevent_req *subreq)
return;
}
- ret = simple_check_groups(state->ctx, state->username,
- state->group_names, &state->access_granted);
+ ret = simple_check_groups(state->ctx, state->group_names,
+ &state->access_granted);
if (ret != EOK) {
tevent_req_error(req, ret);
return;