authorJakub Hrozek <jhrozek@redhat.com>2011-12-12 16:35:22 +0100
committerStephen Gallagher <sgallagh@redhat.com>2011-12-16 14:46:16 -0500
commitb3b42c49656e192787a983aaa8b9ec744ba4cb9d (patch)
treec0fd6415e043835c499ecf0bf0322ab4cb187e0d /src/responder
parentdf5adbad4f5e938a000aee6527628ad63a0bd4c3 (diff)
Use the case sensitivity flag in responders
Diffstat (limited to 'src/responder')
-rw-r--r--src/responder/common/negcache.c135
-rw-r--r--src/responder/common/negcache.h10
-rw-r--r--src/responder/common/responder_common.c1
-rw-r--r--src/responder/nss/nsssrv_cmd.c39
-rw-r--r--src/responder/nss/nsssrv_netgroup.c21
-rw-r--r--src/responder/pam/pamsrv_cmd.c8
6 files changed, 168 insertions, 46 deletions
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 3926574a..0b25baf5 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -21,6 +21,7 @@
#include "util/util.h"
#include "confdb/confdb.h"
+#include "responder/common/responder.h"
#include <fcntl.h>
#include <time.h>
#include "tdb.h"
@@ -158,8 +159,8 @@ done:
return ret;
}
-int sss_ncache_check_user(struct sss_nc_ctx *ctx, int ttl,
- const char *domain, const char *name)
+static int sss_ncache_check_user_int(struct sss_nc_ctx *ctx, int ttl,
+ const char *domain, const char *name)
{
char *str;
int ret;
@@ -175,8 +176,8 @@ int sss_ncache_check_user(struct sss_nc_ctx *ctx, int ttl,
return ret;
}
-int sss_ncache_check_group(struct sss_nc_ctx *ctx, int ttl,
- const char *domain, const char *name)
+static int sss_ncache_check_group_int(struct sss_nc_ctx *ctx, int ttl,
+ const char *domain, const char *name)
{
char *str;
int ret;
@@ -192,8 +193,8 @@ int sss_ncache_check_group(struct sss_nc_ctx *ctx, int ttl,
return ret;
}
-int sss_ncache_check_netgr(struct sss_nc_ctx *ctx, int ttl,
- const char *domain, const char *name)
+static int sss_ncache_check_netgr_int(struct sss_nc_ctx *ctx, int ttl,
+ const char *domain, const char *name)
{
char *str;
int ret;
@@ -209,6 +210,49 @@ int sss_ncache_check_netgr(struct sss_nc_ctx *ctx, int ttl,
return ret;
}
+typedef int (*ncache_check_byname_fn_t)(struct sss_nc_ctx *, int,
+ const char *, const char *);
+
+static int sss_cache_check_ent(struct sss_nc_ctx *ctx, int ttl,
+ struct sss_domain_info *dom, const char *name,
+ ncache_check_byname_fn_t checker)
+{
+ char *lower;
+ errno_t ret;
+
+ if (dom->case_sensitive == false) {
+ lower = sss_tc_utf8_str_tolower(ctx, name);
+ if (!lower) return ENOMEM;
+ ret = checker(ctx, ttl, dom->name, lower);
+ talloc_free(lower);
+ } else {
+ ret = checker(ctx, ttl, dom->name, name);
+ }
+
+ return ret;
+}
+
+int sss_ncache_check_user(struct sss_nc_ctx *ctx, int ttl,
+ struct sss_domain_info *dom, const char *name)
+{
+ return sss_cache_check_ent(ctx, ttl, dom, name,
+ sss_ncache_check_user_int);
+}
+
+int sss_ncache_check_group(struct sss_nc_ctx *ctx, int ttl,
+ struct sss_domain_info *dom, const char *name)
+{
+ return sss_cache_check_ent(ctx, ttl, dom, name,
+ sss_ncache_check_group_int);
+}
+
+int sss_ncache_check_netgr(struct sss_nc_ctx *ctx, int ttl,
+ struct sss_domain_info *dom, const char *name)
+{
+ return sss_cache_check_ent(ctx, ttl, dom, name,
+ sss_ncache_check_netgr_int);
+}
+
int sss_ncache_check_uid(struct sss_nc_ctx *ctx, int ttl, uid_t uid)
{
char *str;
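Review bot: The new dispatcher is named `sss_cache_check_ent`, while its counterpart added later in this file is `sss_ncache_set_ent` and every other symbol here carries the `sss_ncache_` prefix; renaming it to `sss_ncache_check_ent` keeps the pair consistent and greppable. Neither helper has a comment explaining why the name is normalised, which is the security-relevant part: permanent filter entries only work if set and check build the same key. I would add above the helper `/* Lower-case the name for case-insensitive domains so that check and set always build the same negative-cache key. */`. Both helpers also declare `ret` as `errno_t` while returning `int`; picking one would be tidier.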
@@ -237,8 +281,8 @@ int sss_ncache_check_gid(struct sss_nc_ctx *ctx, int ttl, gid_t gid)
return ret;
}
-int sss_ncache_set_user(struct sss_nc_ctx *ctx, bool permanent,
- const char *domain, const char *name)
+static int sss_ncache_set_user_int(struct sss_nc_ctx *ctx, bool permanent,
+ const char *domain, const char *name)
{
char *str;
int ret;
@@ -254,8 +298,8 @@ int sss_ncache_set_user(struct sss_nc_ctx *ctx, bool permanent,
return ret;
}
-int sss_ncache_set_group(struct sss_nc_ctx *ctx, bool permanent,
- const char *domain, const char *name)
+static int sss_ncache_set_group_int(struct sss_nc_ctx *ctx, bool permanent,
+ const char *domain, const char *name)
{
char *str;
int ret;
@@ -271,8 +315,8 @@ int sss_ncache_set_group(struct sss_nc_ctx *ctx, bool permanent,
return ret;
}
-int sss_ncache_set_netgr(struct sss_nc_ctx *ctx, bool permanent,
- const char *domain, const char *name)
+static int sss_ncache_set_netgr_int(struct sss_nc_ctx *ctx, bool permanent,
+ const char *domain, const char *name)
{
char *str;
int ret;
@@ -288,6 +332,47 @@ int sss_ncache_set_netgr(struct sss_nc_ctx *ctx, bool permanent,
return ret;
}
+typedef int (*ncache_set_byname_fn_t)(struct sss_nc_ctx *, bool,
+ const char *, const char *);
+
+static int sss_ncache_set_ent(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, const char *name,
+ ncache_set_byname_fn_t setter)
+{
+ char *lower;
+ errno_t ret;
+
+ if (dom->case_sensitive == false) {
+ lower = sss_tc_utf8_str_tolower(ctx, name);
+ if (!lower) return ENOMEM;
+ ret = setter(ctx, permanent, dom->name, lower);
+ talloc_free(lower);
+ } else {
+ ret = setter(ctx, permanent, dom->name, name);
+ }
+
+ return ret;
+}
+
+
+int sss_ncache_set_user(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, const char *name)
+{
+ return sss_ncache_set_ent(ctx, permanent, dom, name, sss_ncache_set_user_int);
+}
+
+int sss_ncache_set_group(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, const char *name)
+{
+ return sss_ncache_set_ent(ctx, permanent, dom, name, sss_ncache_set_group_int);
+}
+
+int sss_ncache_set_netgr(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, const char *name)
+{
+ return sss_ncache_set_ent(ctx, permanent, dom, name, sss_ncache_set_netgr_int);
+}
+
int sss_ncache_set_uid(struct sss_nc_ctx *ctx, bool permanent, uid_t uid)
{
char *str;
@@ -409,7 +494,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
continue;
}
- ret = sss_ncache_set_user(ncache, true, dom->name, name);
+ ret = sss_ncache_set_user(ncache, true, dom, name);
if (ret != EOK) {
DEBUG(1, ("Failed to store permanent user filter for [%s]"
" (%d [%s])\n", filter_list[i],
@@ -447,7 +532,14 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
continue;
}
if (domainname) {
- ret = sss_ncache_set_user(ncache, true, domainname, name);
+ dom = responder_get_domain(domain_list, domainname);
+ if (!dom) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Invalid domain name [%s]\n", domainname));
+ continue;
+ }
+
+ ret = sss_ncache_set_user(ncache, true, dom, name);
if (ret != EOK) {
DEBUG(1, ("Failed to store permanent user filter for [%s]"
" (%d [%s])\n", filter_list[i],
@@ -456,7 +548,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
}
} else {
for (dom = domain_list; dom; dom = dom->next) {
- ret = sss_ncache_set_user(ncache, true, dom->name, name);
+ ret = sss_ncache_set_user(ncache, true, dom, name);
if (ret != EOK) {
DEBUG(1, ("Failed to store permanent user filter for"
" [%s:%s] (%d [%s])\n",
@@ -499,7 +591,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
continue;
}
- ret = sss_ncache_set_group(ncache, true, dom->name, name);
+ ret = sss_ncache_set_group(ncache, true, dom, name);
if (ret != EOK) {
DEBUG(1, ("Failed to store permanent group filter for [%s]"
" (%d [%s])\n", filter_list[i],
@@ -537,7 +629,14 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
continue;
}
if (domainname) {
- ret = sss_ncache_set_group(ncache, true, domainname, name);
+ dom = responder_get_domain(domain_list, domainname);
+ if (!dom) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Invalid domain name [%s]\n", domainname));
+ continue;
+ }
+
+ ret = sss_ncache_set_group(ncache, true, dom, name);
if (ret != EOK) {
DEBUG(1, ("Failed to store permanent group filter for"
" [%s] (%d [%s])\n", filter_list[i],
@@ -546,7 +645,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
}
} else {
for (dom = domain_list; dom; dom = dom->next) {
- ret = sss_ncache_set_group(ncache, true, dom->name, name);
+ ret = sss_ncache_set_group(ncache, true, dom, name);
if (ret != EOK) {
DEBUG(1, ("Failed to store permanent group filter for"
" [%s:%s] (%d [%s])\n",
diff --git a/src/responder/common/negcache.h b/src/responder/common/negcache.h
index fc857fce..72b99c96 100644
--- a/src/responder/common/negcache.h
+++ b/src/responder/common/negcache.h
@@ -29,9 +29,9 @@ int sss_ncache_init(TALLOC_CTX *memctx, struct sss_nc_ctx **_ctx);
/* check if the user is expired according to the passed in time to live */
int sss_ncache_check_user(struct sss_nc_ctx *ctx, int ttl,
- const char *domain, const char *name);
+ struct sss_domain_info *dom, const char *name);
int sss_ncache_check_group(struct sss_nc_ctx *ctx, int ttl,
- const char *domain, const char *name);
+ struct sss_domain_info *dom, const char *name);
int sss_ncache_check_netgr(struct sss_nc_ctx *ctx, int ttl,
const char *domain, const char *name);
int sss_ncache_check_uid(struct sss_nc_ctx *ctx, int ttl, uid_t uid);
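Review bot: The prototype of `sss_ncache_check_netgr` in this hunk still takes `const char *domain`, while negcache.c in the same commit redefines it with `struct sss_domain_info *dom`. If negcache.c sees this header (the include chain is not visible here), that is a conflicting declaration. If it does not, a caller built against the header would pass a string where the definition dereferences `dom->case_sensitive` and `dom->name`. The declaration should end in `struct sss_domain_info *dom, const char *name);` like the user and group variants above it and like `sss_ncache_set_netgr` in the next hunk.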
@@ -42,11 +42,11 @@ int sss_ncache_check_gid(struct sss_nc_ctx *ctx, int ttl, gid_t gid);
* and the negative cache never expires (used to permanently filter out
* users and groups) */
int sss_ncache_set_user(struct sss_nc_ctx *ctx, bool permanent,
- const char *domain, const char *name);
+ struct sss_domain_info *dom, const char *name);
int sss_ncache_set_group(struct sss_nc_ctx *ctx, bool permanent,
- const char *domain, const char *name);
+ struct sss_domain_info *dom, const char *name);
int sss_ncache_set_netgr(struct sss_nc_ctx *ctx, bool permanent,
- const char *domain, const char *name);
+ struct sss_domain_info *dom, const char *name);
int sss_ncache_set_uid(struct sss_nc_ctx *ctx, bool permanent, uid_t uid);
int sss_ncache_set_gid(struct sss_nc_ctx *ctx, bool permanent, gid_t gid);
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 99b1a23a..a48ac556 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -33,7 +33,6 @@
#include <errno.h>
#include <popt.h>
#include "util/util.h"
-#include "util/sss_utf8.h"
#include "db/sysdb.h"
#include "confdb/confdb.h"
#include "dbus/dbus.h"
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index f0270acd..d8eb8b21 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -394,7 +394,7 @@ static int fill_pwent(struct sss_packet *packet,
if (filter_users) {
ncret = sss_ncache_check_user(nctx->ncache,
nctx->neg_timeout,
- domain, name);
+ dom, name);
if (ncret == EEXIST) {
DEBUG(4, ("User [%s@%s] filtered out! (negative cache)\n",
name, domain));
@@ -715,7 +715,7 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct sss_domain_info *dom = dctx->domain;
struct cli_ctx *cctx = cmdctx->cctx;
- const char *name = cmdctx->name;
+ char *name = NULL;
struct sysdb_ctx *sysdb;
struct nss_ctx *nctx;
int ret;
@@ -740,10 +740,15 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
/* make sure to update the dctx if we changed domain */
dctx->domain = dom;
+ talloc_free(name);
+ name = dom->case_sensitive ? talloc_strdup(dctx, cmdctx->name) :
+ sss_tc_utf8_str_tolower(dctx, cmdctx->name);
+ if (!name) return ENOMEM;
+
/* verify this user has not yet been negatively cached,
* or has been permanently filtered */
ret = sss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
- dom->name, name);
+ dom, name);
/* if neg cached, return we didn't find it */
if (ret == EEXIST) {
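Review bot: This free/strdup-or-lower/NULL-check block on `name` is pasted verbatim into `nss_cmd_getgrnam_search` and `nss_cmd_initgroups_search`, and again without the NULL check into `lookup_netgr_step` and `pam_check_user_search`. A small static helper taking the talloc context, the original name and the case-sensitivity flag would reduce each site to one line, e.g. `name = get_cased_name(dctx, cmdctx->name, dom->case_sensitive);` (helper name is only a suggestion), and would keep the error handling uniform. The copy is parented on `dctx` and only released on the next loop iteration, so on the return paths it appears to live until `dctx` is freed; a `talloc_free(name)` before returning, or a temporary context, would make that explicit. The function body starts and ends outside this hunk.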
@@ -781,7 +786,7 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
if (dctx->res->count == 0 && !dctx->check_provider) {
/* set negative cache only if not result of cache check */
- ret = sss_ncache_set_user(nctx->ncache, false, dom->name, name);
+ ret = sss_ncache_set_user(nctx->ncache, false, dom, name);
if (ret != EOK) {
return ret;
}
@@ -1788,7 +1793,7 @@ static int fill_grent(struct sss_packet *packet,
if (filter_groups) {
ret = sss_ncache_check_group(nctx->ncache,
- nctx->neg_timeout, domain, name);
+ nctx->neg_timeout, dom, name);
if (ret == EEXIST) {
DEBUG(4, ("Group [%s@%s] filtered out! (negative cache)\n",
name, domain));
@@ -1866,7 +1871,7 @@ static int fill_grent(struct sss_packet *packet,
if (nctx->filter_users_in_groups) {
ret = sss_ncache_check_user(nctx->ncache,
nctx->neg_timeout,
- domain, name);
+ dom, name);
if (ret == EEXIST) {
DEBUG(6, ("Group [%s] member [%s@%s] filtered out!"
" (negative cache)\n",
@@ -2002,7 +2007,7 @@ static int nss_cmd_getgrnam_search(struct nss_dom_ctx *dctx)
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct sss_domain_info *dom = dctx->domain;
struct cli_ctx *cctx = cmdctx->cctx;
- const char *name = cmdctx->name;
+ char *name = NULL;
struct sysdb_ctx *sysdb;
struct nss_ctx *nctx;
int ret;
@@ -2027,10 +2032,15 @@ static int nss_cmd_getgrnam_search(struct nss_dom_ctx *dctx)
/* make sure to update the dctx if we changed domain */
dctx->domain = dom;
+ talloc_free(name);
+ name = dom->case_sensitive ? talloc_strdup(dctx, cmdctx->name) :
+ sss_tc_utf8_str_tolower(dctx, cmdctx->name);
+ if (!name) return ENOMEM;
+
/* verify this group has not yet been negatively cached,
* or has been permanently filtered */
ret = sss_ncache_check_group(nctx->ncache, nctx->neg_timeout,
- dom->name, name);
+ dom, name);
/* if neg cached, return we didn't find it */
if (ret == EEXIST) {
@@ -2068,7 +2078,7 @@ static int nss_cmd_getgrnam_search(struct nss_dom_ctx *dctx)
if (dctx->res->count == 0 && !dctx->check_provider) {
/* set negative cache only if not result of cache check */
- ret = sss_ncache_set_group(nctx->ncache, false, dom->name, name);
+ ret = sss_ncache_set_group(nctx->ncache, false, dom, name);
if (ret != EOK) {
return ret;
}
@@ -3068,7 +3078,7 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct sss_domain_info *dom = dctx->domain;
struct cli_ctx *cctx = cmdctx->cctx;
- const char *name = cmdctx->name;
+ char *name = NULL;
struct sysdb_ctx *sysdb;
struct nss_ctx *nctx;
int ret;
@@ -3093,10 +3103,15 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
/* make sure to update the dctx if we changed domain */
dctx->domain = dom;
+ talloc_free(name);
+ name = dom->case_sensitive ? talloc_strdup(dctx, cmdctx->name) :
+ sss_tc_utf8_str_tolower(dctx, cmdctx->name);
+ if (!name) return ENOMEM;
+
/* verify this user has not yet been negatively cached,
* or has been permanently filtered */
ret = sss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
- dom->name, name);
+ dom, name);
/* if neg cached, return we didn't find it */
if (ret == EEXIST) {
@@ -3130,7 +3145,7 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
if (dctx->res->count == 0 && !dctx->check_provider) {
/* set negative cache only if not result of cache check */
- ret = sss_ncache_set_user(nctx->ncache, false, dom->name, name);
+ ret = sss_ncache_set_user(nctx->ncache, false, dom, name);
if (ret != EOK) {
return ret;
}
diff --git a/src/responder/nss/nsssrv_netgroup.c b/src/responder/nss/nsssrv_netgroup.c
index 09b7fa63..39ba4ff7 100644
--- a/src/responder/nss/nsssrv_netgroup.c
+++ b/src/responder/nss/nsssrv_netgroup.c
@@ -378,6 +378,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
struct sss_domain_info *dom = step_ctx->dctx->domain;
struct getent_ctx *netgr;
struct sysdb_ctx *sysdb;
+ char *name = NULL;
/* Check each domain for this netgroup name */
while (dom) {
@@ -400,8 +401,13 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
/* make sure to update the dctx if we changed domain */
step_ctx->dctx->domain = dom;
+ talloc_free(name);
+ name = dom->case_sensitive ? \
+ talloc_strdup(step_ctx, step_ctx->name) :
+ sss_tc_utf8_str_tolower(step_ctx, step_ctx->name);
+
DEBUG(4, ("Requesting info for [%s@%s]\n",
- step_ctx->name, dom->name));
+ name, dom->name));
ret = sysdb_get_ctx_from_list(step_ctx->rctx->db_list, dom, &sysdb);
if (ret != EOK) {
DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n"));
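Review bot: The result of the `talloc_strdup`/`sss_tc_utf8_str_tolower` assignment to `name` is not checked here, unlike the equivalent blocks in nsssrv_cmd.c, which add `if (!name) return ENOMEM;`. If the allocation fails (or, presumably, if lower-casing fails on malformed UTF-8), a NULL `name` goes straight into the `%s` of the DEBUG that follows and then into `sysdb_getnetgr`. Add `if (name == NULL) return ENOMEM;` directly after the assignment. The same check is missing after the assignment in `pam_check_user_search` in pamsrv_cmd.c. The loop body continues outside this hunk.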
@@ -409,7 +415,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
}
/* Look up the netgroup in the cache */
- ret = sysdb_getnetgr(step_ctx->dctx, sysdb, step_ctx->name,
+ ret = sysdb_getnetgr(step_ctx->dctx, sysdb, name,
&step_ctx->dctx->res);
if (ret == ENOENT) {
/* This netgroup was not found in this domain */
@@ -442,7 +448,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
if (ret == ENOENT) {
/* This netgroup was not found in this domain */
DEBUG(2, ("No results for netgroup %s (domain %s)\n",
- step_ctx->name, dom->name));
+ name, dom->name));
if (!step_ctx->dctx->check_provider) {
if (step_ctx->check_next) {
@@ -469,7 +475,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
step_ctx->nctx,
step_ctx->dctx->res,
SSS_DP_NETGR,
- step_ctx->name, 0,
+ name, 0,
lookup_netgr_dp_callback,
step_ctx);
if (ret != EOK) {
@@ -482,7 +488,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
/* Results found */
DEBUG(6, ("Returning info for netgroup [%s@%s]\n",
- step_ctx->name, dom->name));
+ name, dom->name));
netgr->ready = true;
netgr->found = true;
set_netgr_lifetime(dom->entry_cache_timeout, step_ctx, netgr);
@@ -490,8 +496,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
}
/* If we've gotten here, then no domain contained this netgroup */
- DEBUG(2, ("No matching domain found for [%s], fail!\n",
- step_ctx->name));
+ DEBUG(2, ("No matching domain found for [%s], fail!\n", name));
netgr = talloc_zero(step_ctx->nctx, struct getent_ctx);
if (netgr == NULL) {
@@ -501,7 +506,7 @@ static errno_t lookup_netgr_step(struct setent_step_ctx *step_ctx)
netgr->found = false;
netgr->entries = NULL;
netgr->lookup_table = step_ctx->nctx->netgroups;
- netgr->name = talloc_strdup(netgr, step_ctx->name);
+ netgr->name = talloc_strdup(netgr, name);
if (netgr->name == NULL) {
DEBUG(1, ("talloc_strdup failed.\n"));
talloc_free(netgr);
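Review bot: `name` is only assigned inside the domain loop, so on this not-found path it can still be NULL if the loop ended before reaching the assignment (the loop's early exits are outside the visible hunks). In that case `talloc_strdup(netgr, name)` returns NULL and the function reports an allocation failure instead of recording a not-found entry; the `No matching domain found` DEBUG in the preceding hunk gets NULL for `%s` as well. When `name` is set, it holds whatever casing the last domain visited required, not what the client asked for. Since this entry is not tied to any domain, `netgr->name = talloc_strdup(netgr, step_ctx->name);` and `step_ctx->name` in the DEBUG look like the safer choice; confirm how `lookup_table` is keyed.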
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 7ae54ac2..7c13ab11 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -787,7 +787,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
if (dom->fqnames) continue;
ncret = sss_ncache_check_user(pctx->ncache, pctx->neg_timeout,
- dom->name, pd->user);
+ dom, pd->user);
if (ncret == ENOENT) {
/* User not found in the negative cache
* Proceed with PAM actions
@@ -830,7 +830,7 @@ static int pam_check_user_search(struct pam_auth_req *preq)
{
struct sss_domain_info *dom = preq->domain;
struct cli_ctx *cctx = preq->cctx;
- const char *name = preq->pd->user;
+ char *name = NULL;
struct sysdb_ctx *sysdb;
time_t cacheExpire;
int ret;
@@ -855,6 +855,10 @@ static int pam_check_user_search(struct pam_auth_req *preq)
/* make sure to update the preq if we changed domain */
preq->domain = dom;
+ talloc_free(name);
+ name = dom->case_sensitive ? talloc_strdup(preq, preq->pd->user) :
+ sss_tc_utf8_str_tolower(preq, preq->pd->user);
+
/* Refresh the user's cache entry on any PAM query
* We put a timeout in the client context so that we limit
* the number of updates within a reasonable timeout