summaryrefslogtreecommitdiff
path: root/src/providers/ad/ad_access.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/providers/ad/ad_access.c')
-rw-r--r--src/providers/ad/ad_access.c96
1 files changed, 96 insertions, 0 deletions
diff --git a/src/providers/ad/ad_access.c b/src/providers/ad/ad_access.c
new file mode 100644
index 00000000..314cdcfa
--- /dev/null
+++ b/src/providers/ad/ad_access.c
@@ -0,0 +1,96 @@
+/*
+ SSSD
+
+ Authors:
+ Stephen Gallagher <sgallagh@redhat.com>
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <security/pam_modules.h>
+#include "src/util/util.h"
+#include "src/providers/data_provider.h"
+#include "src/providers/dp_backend.h"
+#include "src/providers/ad/ad_access.h"
+#include "src/providers/ldap/sdap_access.h"
+
+static void
+ad_access_done(struct tevent_req *req);
+
+void
+ad_access_handler(struct be_req *breq)
+{
+ struct tevent_req *req;
+ struct ad_access_ctx *access_ctx =
+ talloc_get_type(breq->be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
+ struct ad_access_ctx);
+
+ struct pam_data *pd = talloc_get_type(breq->req_data, struct pam_data);
+
+ /* Handle subdomains */
+ if (strcasecmp(pd->domain, breq->be_ctx->domain->name) != 0) {
+ breq->domain = new_subdomain(breq, breq->be_ctx->domain, pd->domain,
+ NULL, NULL);
+ if (breq->domain == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
+ breq->fn(breq, DP_ERR_FATAL, PAM_SYSTEM_ERR, NULL);
+ return;
+ }
+ breq->sysdb = breq->domain->sysdb;
+ }
+
+ /* Verify that the account is not locked */
+ req = sdap_access_send(breq,
+ breq->be_ctx->ev,
+ breq,
+ access_ctx->sdap_access_ctx,
+ pd);
+ if (!req) {
+ breq->fn(breq, DP_ERR_FATAL, PAM_SYSTEM_ERR, NULL);
+ return;
+ }
+ tevent_req_set_callback(req, ad_access_done, breq);
+}
+
+static void
+ad_access_done(struct tevent_req *req)
+{
+ errno_t ret;
+ int pam_status;
+ struct be_req *breq =
+ tevent_req_callback_data(req, struct be_req);
+ struct pam_data *pd = talloc_get_type(breq->req_data, struct pam_data);
+
+ ret = sdap_access_recv(req, &pam_status);
+ talloc_zfree(req);
+ if (ret != EOK) {
+ breq->fn(breq, DP_ERR_FATAL, PAM_SYSTEM_ERR, strerror(ret));
+ return;
+ }
+
+ pd->pam_status = pam_status;
+
+ if (pam_status == PAM_SUCCESS || pam_status == PAM_PERM_DENIED) {
+ /* We got the proper approval or denial */
+ breq->fn(breq, DP_ERR_OK, pam_status, NULL);
+ return;
+ }
+
+ /* Something went wrong */
+ pd->pam_status = PAM_SYSTEM_ERR;
+ breq->fn(breq, DP_ERR_FATAL, pam_status, pam_strerror(NULL, pam_status));
+ return;
+}