-rw-r--r--src/providers/ipa/ipa_access.c10
-rw-r--r--src/providers/ipa/ipa_hbac_common.c19
-rw-r--r--src/providers/ldap/sdap_access.c19
3 files changed, 32 insertions, 16 deletions
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 5c97575f..3a34864c 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -85,16 +85,6 @@ void ipa_access_handler(struct be_req *be_req)
be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
struct ipa_access_ctx);
- if (strcasecmp(pd->domain, be_req->be_ctx->domain->name) != 0) {
- be_req->domain = new_subdomain(be_req, be_req->be_ctx->domain, pd->domain, NULL, NULL);
- if (be_req->domain == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
- be_req->fn(be_req, DP_ERR_FATAL, PAM_SYSTEM_ERR, NULL);
- return;
- }
- be_req->sysdb = be_req->domain->sysdb;
- }
-
/* First, verify that this account isn't locked.
* We need to do this in case the auth phase was
* skipped (such as during GSSAPI single-sign-on
diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index 54628d80..33d1944e 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -440,6 +440,7 @@ hbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain = hbac_ctx_be(hbac_ctx)->domain;
const char *rhost;
const char *thost;
+ struct sss_domain_info *user_dom;
tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) return ENOMEM;
@@ -452,9 +453,21 @@ hbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
eval_req->request_time = time(NULL);
- /* Get user the user name and groups */
- ret = hbac_eval_user_element(eval_req, sysdb,
- pd->user, &eval_req->user);
+ /* Get user the user name and groups,
+ * take care of subdomain users as well */
+ if (strcasecmp(pd->domain, domain->name) != 0) {
+ user_dom = new_subdomain(tmp_ctx, domain, pd->domain, NULL, NULL);
+ if (user_dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+ ret = hbac_eval_user_element(eval_req, user_dom->sysdb,
+ pd->user, &eval_req->user);
+ } else {
+ ret = hbac_eval_user_element(eval_req, sysdb,
+ pd->user, &eval_req->user);
+ }
if (ret != EOK) goto done;
/* Get the PAM service and service groups */
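Review bot: The two branches added after the subdomain check differ only in the sysdb argument, so the hbac_eval_user_element call with `pd->user, &eval_req->user` is written twice; selecting the sysdb first and calling once keeps the argument list in one place and avoids the branches drifting apart on later edits. The same duplicated call appears in sdap_access_send in src/providers/ldap/sdap_access.c, where sysdb_get_user_attr is invoked from both arms. The new comment also keeps the original's "Get user the user name" wording; a rewrite can read "Get the user name and groups". This needs a local of the same type as `sysdb`, declared next to `user_dom` in the earlier hunk; hbac_ctx_to_eval_request's signature and its `done:` label are outside this hunk.
```c
    /* Get the user name and groups,
     * take care of subdomain users as well */
    user_sysdb = sysdb;
    if (strcasecmp(pd->domain, domain->name) != 0) {
        user_dom = new_subdomain(tmp_ctx, domain, pd->domain, NULL, NULL);
        if (user_dom == NULL) {
            DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
            ret = ENOMEM;
            goto done;
        }
        user_sysdb = user_dom->sysdb;
    }
    ret = hbac_eval_user_element(eval_req, user_sysdb,
                                 pd->user, &eval_req->user);
    /* … unchanged: ret != EOK check and PAM service lookup … */
```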
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 88b52e26..b198e043 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -139,6 +139,7 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
struct tevent_req *req;
struct ldb_result *res;
const char *attrs[] = { "*", NULL };
+ struct sss_domain_info *user_dom;
req = tevent_req_create(mem_ctx, &state, struct sdap_access_req_ctx);
if (req == NULL) {
@@ -162,9 +163,21 @@ sdap_access_send(TALLOC_CTX *mem_ctx,
goto done;
}
- /* Get original user DN */
- ret = sysdb_get_user_attr(state, be_req->sysdb,
- pd->user, attrs, &res);
+ /* Get original user DN, take care of subdomain users as well */
+ if (strcasecmp(pd->domain, be_req->be_ctx->domain->name) != 0) {
+ user_dom = new_subdomain(state, be_req->be_ctx->domain, pd->domain,
+ NULL, NULL);
+ if (user_dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
+ ret = ENOMEM;
+ goto done;
+ }
+ ret = sysdb_get_user_attr(state, user_dom->sysdb,
+ pd->user, attrs, &res);
+ } else {
+ ret = sysdb_get_user_attr(state, be_req->sysdb,
+ pd->user, attrs, &res);
+ }
if (ret != EOK) {
if (ret == ENOENT) {
/* If we can't find the user, return permission denied */
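Review bot: Every failure of new_subdomain at the `user_dom == NULL` check is reported as ENOMEM, yet the call is driven by `pd->domain`, so if new_subdomain can fail for a reason other than allocation (an unresolvable or malformed domain name, say) the caller sees an out-of-memory error and the log line does not say which domain was involved. Naming the domain makes an access denial traceable from the log, e.g. `DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed for domain [%s].\n", pd->domain));`, and a distinct error code would let the ENOENT-to-permission-denied mapping below stay meaningful. The matching block in hbac_ctx_to_eval_request in src/providers/ipa/ipa_hbac_common.c has the same ENOMEM mapping and log message. sdap_access_send's body continues outside the hunk.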