-rw-r--r-- | src/providers/ipa/ipa_access.c | 10 | ||||
-rw-r--r-- | src/providers/ipa/ipa_hbac_common.c | 19 | ||||
-rw-r--r-- | src/providers/ldap/sdap_access.c | 19 |
3 files changed, 32 insertions, 16 deletions
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 5c97575f..3a34864c 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -85,16 +85,6 @@ void ipa_access_handler(struct be_req *be_req)
 be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
 struct ipa_access_ctx);
 
- if (strcasecmp(pd->domain, be_req->be_ctx->domain->name) != 0) {
- be_req->domain = new_subdomain(be_req, be_req->be_ctx->domain, pd->domain, NULL, NULL);
- if (be_req->domain == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
- be_req->fn(be_req, DP_ERR_FATAL, PAM_SYSTEM_ERR, NULL);
- return;
- }
- be_req->sysdb = be_req->domain->sysdb;
- }
-
 /* First, verify that this account isn't locked.
 * We need to do this in case the auth phase was
 * skipped (such as during GSSAPI single-sign-on
diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index 54628d80..33d1944e 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -440,6 +440,7 @@ hbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
 struct sss_domain_info *domain = hbac_ctx_be(hbac_ctx)->domain;
 const char *rhost;
 const char *thost;
+ struct sss_domain_info *user_dom;
 
 tmp_ctx = talloc_new(mem_ctx);
 if (tmp_ctx == NULL) return ENOMEM;
@@ -452,9 +453,21 @@ hbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
 
 eval_req->request_time = time(NULL);
 
- /* Get user the user name and groups */
- ret = hbac_eval_user_element(eval_req, sysdb,
- pd->user, &eval_req->user);
+ /* Get user the user name and groups,
+ * take care of subdomain users as well */
+ if (strcasecmp(pd->domain, domain->name) != 0) {
+ user_dom = new_subdomain(tmp_ctx, domain, pd->domain, NULL, NULL);
+ if (user_dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+ ret = hbac_eval_user_element(eval_req, user_dom->sysdb,
+ pd->user, &eval_req->user);
+ } else {
+ ret = hbac_eval_user_element(eval_req, sysdb,
+ pd->user, &eval_req->user);
+ }
 if (ret != EOK) goto done;
 
 /* Get the PAM service and service groups */
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 88b52e26..b198e043 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -139,6 +139,7 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
 struct tevent_req *req;
 struct ldb_result *res;
 const char *attrs[] = { "*", NULL };
+ struct sss_domain_info *user_dom;
 
 req = tevent_req_create(mem_ctx, &state, struct sdap_access_req_ctx);
 if (req == NULL) {
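Review bot: In the new `strcasecmp` branch the subdomain handed to `hbac_eval_user_element` is built straight from the request's `pd->domain` string, and nothing visible in this hunk checks that name against the subdomains the parent `domain` actually knows, so unless `new_subdomain` itself rejects unknown names the user lookup behind an access decision runs against a sysdb selected by whatever domain name arrived in the request. Resolving `pd->domain` to an already-known subdomain object, and failing the request when none matches, would keep the HBAC evaluation bound to domains the backend trusts. A `new_subdomain` failure is also folded into `ENOMEM` whatever its cause, and the log line does not say which domain was involved; `DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed for domain [%s].\n", pd->domain));` would make the failure diagnosable. The two branches differ only in the sysdb argument, so declaring `struct sysdb_ctx *user_sysdb = sysdb;` before the `if`, setting `user_sysdb = user_dom->sysdb;` inside the branch and issuing a single `ret = hbac_eval_user_element(eval_req, user_sysdb, pd->user, &eval_req->user);` afterwards would remove the duplicated call. The same pattern recurs in the sdap_access.c hunk at `@@ -162,9 +163,21 @@`, which likewise builds a subdomain from `pd->domain` after comparing it with `be_req->be_ctx->domain->name`; `hbac_ctx_to_eval_request` continues outside this hunk.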
@@ -162,9 +163,21 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
- /* Get original user DN */
- ret = sysdb_get_user_attr(state, be_req->sysdb,
- pd->user, attrs, &res);
+ /* Get original user DN, take care of subdomain users as well */
+ if (strcasecmp(pd->domain, be_req->be_ctx->domain->name) != 0) {
+ user_dom = new_subdomain(state, be_req->be_ctx->domain, pd->domain,
+ NULL, NULL);
+ if (user_dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+ ret = sysdb_get_user_attr(state, user_dom->sysdb,
+ pd->user, attrs, &res);
+ } else {
+ ret = sysdb_get_user_attr(state, be_req->sysdb,
+ pd->user, attrs, &res);
+ }
 if (ret != EOK) {
 if (ret == ENOENT) {
 /* If we can't find the user, return permission denied */