From beaaf02fe968b216d0633c92592a1fd9daad30ec Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 25 Mar 2010 16:21:12 +0100 Subject: Fix LDAP search paths for IPA HBAC - use domain_to_basedn() to construct LDAP search paths for IPA HBAC - move domain_to_basedn() to a separate file to simplify the build of a test --- src/Makefile.am | 3 +++ src/providers/ipa/ipa_access.c | 35 +++++++++++++++----------- src/providers/ipa/ipa_access.h | 1 + src/providers/ipa/ipa_common.c | 27 -------------------- src/providers/ipa/ipa_common.h | 4 ++- src/providers/ipa/ipa_utils.c | 57 ++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 84 insertions(+), 43 deletions(-) create mode 100644 src/providers/ipa/ipa_utils.c diff --git a/src/Makefile.am b/src/Makefile.am index 6d46cdab..3a156cb5 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -631,12 +631,14 @@ auth_tests_LDADD = \ libsss_test_common.la ipa_ldap_opt_tests_SOURCES = \ + providers/ipa/ipa_utils.c \ tests/ipa_ldap_opt-tests.c ipa_ldap_opt_tests_CFLAGS = \ $(AM_CFLAGS) \ $(CHECK_CFLAGS) ipa_ldap_opt_tests_LDADD = \ $(CHECK_LIBS) \ + $(TALLOC_LIBS) \ libsss_test_common.la simple_access_tests_SOURCES = \ @@ -769,6 +771,7 @@ libsss_ipa_la_SOURCES = \ providers/child_common.c \ providers/ipa/ipa_init.c \ providers/ipa/ipa_common.c \ + providers/ipa/ipa_utils.c \ providers/ipa/ipa_auth.c \ providers/ipa/ipa_access.c \ providers/ipa/ipa_timerules.c \ diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c index 7dfe1fd9..55a7133c 100644 --- a/src/providers/ipa/ipa_access.c +++ b/src/providers/ipa/ipa_access.c @@ -48,8 +48,8 @@ #define IPA_HOST_CATEGORY "hostCategory" #define IPA_CN "cn" -#define IPA_HOST_BASE_TMPL "cn=computers,cn=accounts,dc=%s" -#define IPA_HBAC_BASE_TMPL "cn=hbac,dc=%s" +#define IPA_HOST_BASE_TMPL "cn=computers,cn=accounts,%s" +#define IPA_HBAC_BASE_TMPL "cn=hbac,%s" #define SYSDB_HBAC_BASE_TMPL "cn=hbac,"SYSDB_TMPL_CUSTOM_BASE 
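Review bot: The rewritten `IPA_HOST_BASE_TMPL` and `IPA_HBAC_BASE_TMPL` now expect a complete base DN in `%s` rather than a bare domain name, but nothing at the definition says so, and the `dc=` prefix that used to make the intent visible is gone. A caller who passes the raw IPA_DOMAIN string again would silently search under a DN such as `cn=hbac,example.com`, which the server rejects. A one-line comment above the first template would keep that from recurring: `/* %s is the LDAP base DN built by domain_to_basedn() from the IPA_DOMAIN option */`.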
@@ -340,7 +340,7 @@ static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx, bool offline, struct sdap_id_ctx *sdap_ctx, struct sysdb_ctx *sysdb, - const char *ipa_domain, + const char *basedn, const char **hostnames) { struct tevent_req *req = NULL; @@ -349,7 +349,7 @@ static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx, int ret; int i; - if (hostnames == NULL || ipa_domain == NULL) { + if (hostnames == NULL || basedn == NULL) { DEBUG(1, ("Missing hostnames or domain.\n")); return NULL; } @@ -394,7 +394,7 @@ static struct tevent_req *hbac_get_host_info_send(TALLOC_CTX *memctx, } state->host_search_base = talloc_asprintf(state, IPA_HOST_BASE_TMPL, - ipa_domain); + basedn); if (state->host_search_base == NULL) { DEBUG(1, ("Failed to create host search base.\n")); ret = ENOMEM; @@ -832,7 +832,7 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx, bool offline, struct sdap_id_ctx *sdap_ctx, struct sysdb_ctx *sysdb, - const char *ipa_domain, + const char *basedn, const char *host_dn, const char **memberof) { @@ -842,7 +842,7 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx, int ret; int i; - if (host_dn == NULL || ipa_domain == NULL) { + if (host_dn == NULL || basedn == NULL) { DEBUG(1, ("Missing host_dn or domain.\n")); return NULL; } @@ -867,7 +867,7 @@ static struct tevent_req *hbac_get_rules_send(TALLOC_CTX *memctx, state->current_item = 0; state->hbac_search_base = talloc_asprintf(state, IPA_HBAC_BASE_TMPL, - ipa_domain); + basedn); if (state->hbac_search_base == NULL) { DEBUG(1, ("Failed to create HBAC search base.\n")); ret = ENOMEM; @@ -1642,6 +1642,7 @@ void ipa_access_handler(struct be_req *be_req) int pam_status = PAM_SYSTEM_ERR; struct ipa_access_ctx *ipa_access_ctx; const char *hostlist[3]; + int ret; pd = talloc_get_type(be_req->req_data, struct pam_data); 
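Review bot: The DEBUG messages next to the rewritten NULL checks still say "domain" (`Missing hostnames or domain.` in hbac_get_host_info_send and `Missing host_dn or domain.` in hbac_get_rules_send) although the argument both functions now reject is `basedn`; an operator reading the log would look for an unset ipa_domain rather than a failed base-DN construction. Change them to `DEBUG(1, ("Missing hostnames or basedn.\n"));` and `DEBUG(1, ("Missing host_dn or basedn.\n"));`. The same applies to the hunk at -842 for hbac_get_rules_send. Both function bodies continue outside these hunks.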
@@ -1658,6 +1659,13 @@ void ipa_access_handler(struct be_req *be_req) hbac_ctx->sdap_ctx = ipa_access_ctx->sdap_ctx; hbac_ctx->ipa_options = ipa_access_ctx->ipa_options; hbac_ctx->tr_ctx = ipa_access_ctx->tr_ctx; + ret = domain_to_basedn(hbac_ctx, + dp_opt_get_string(hbac_ctx->ipa_options, IPA_DOMAIN), + &hbac_ctx->ldap_basedn); + if (ret != EOK) { + DEBUG(1, ("domain_to_basedn failed.\n")); + goto fail; + } hbac_ctx->offline = be_is_offline(be_req->be_ctx); DEBUG(9, ("Connection status is [%s].\n", hbac_ctx->offline ? "offline" : @@ -1682,10 +1690,8 @@ void ipa_access_handler(struct be_req *be_req) hostlist[2] = NULL; req = hbac_get_host_info_send(hbac_ctx, be_req->be_ctx->ev, - hbac_ctx->offline, - hbac_ctx->sdap_ctx, be_req->be_ctx->sysdb, - dp_opt_get_string(hbac_ctx->ipa_options, - IPA_DOMAIN), + hbac_ctx->offline, hbac_ctx->sdap_ctx, + be_req->be_ctx->sysdb, hbac_ctx->ldap_basedn, hostlist); if (req == NULL) { DEBUG(1, ("hbac_get_host_info_send failed.\n")); @@ -1744,9 +1750,8 @@ static void hbac_get_host_info_done(struct tevent_req *req) } req = hbac_get_rules_send(hbac_ctx, be_req->be_ctx->ev, hbac_ctx->offline, hbac_ctx->sdap_ctx, be_req->be_ctx->sysdb, - dp_opt_get_string(hbac_ctx->ipa_options, - IPA_DOMAIN), - local_hhi->dn, local_hhi->memberof); + hbac_ctx->ldap_basedn, local_hhi->dn, + local_hhi->memberof); if (req == NULL) { DEBUG(1, ("hbac_get_rules_send failed.\n")); goto fail; diff --git a/src/providers/ipa/ipa_access.h b/src/providers/ipa/ipa_access.h index bd221c57..e3ba5c30 100644 --- a/src/providers/ipa/ipa_access.h +++ b/src/providers/ipa/ipa_access.h @@ -59,6 +59,7 @@ struct hbac_ctx { size_t groups_count; const char **groups; bool offline; + char *ldap_basedn; }; void ipa_access_handler(struct be_req *be_req); diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 2ad63d05..bed0666b 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c 
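Review bot: The failure branch after the new `domain_to_basedn()` call logs only `domain_to_basedn failed.`, although the callee distinguishes EINVAL (a NULL domain, which is presumably what `dp_opt_get_string` yields when IPA_DOMAIN is unset) from ENOMEM; including the code points the operator at the misconfiguration: `DEBUG(1, ("domain_to_basedn failed [%d][%s].\n", ret, strerror(ret)));`. Since the base DN depends only on a configuration option, it could likely be computed once when ipa_access_ctx is set up instead of on every access request, but that init code is outside this diff. ipa_access_handler starts in an earlier hunk and the `fail` label it jumps to is outside this hunk.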
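Review bot: The new `ldap_basedn` member of struct hbac_ctx carries no comment, and the struct mixes request-scoped data with pointers borrowed from ipa_access_ctx, so ownership is not obvious to a reader. The only assignment in this commit allocates it as a talloc child of the hbac_ctx itself, so document that: `char *ldap_basedn; /* base DN derived from IPA_DOMAIN; talloc child of this hbac_ctx */`.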
@@ -123,33 +123,6 @@ struct dp_option ipa_def_krb5_opts[] = { { "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING } }; -int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn) -{ - const char *s; - char *dn; - char *p; - int l; - - s = domain; - dn = talloc_strdup(memctx, "dc="); - - while ((p = strchr(s, '.'))) { - l = p - s; - dn = talloc_asprintf_append_buffer(dn, "%.*s,dc=", l, s); - if (!dn) { - return ENOMEM; - } - s = p + 1; - } - dn = talloc_strdup_append_buffer(dn, s); - if (!dn) { - return ENOMEM; - } - - *basedn = dn; - return EOK; -} - int ipa_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb, const char *conf_path, diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index 54da6c8a..77628189 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -32,7 +32,7 @@ struct ipa_service { struct krb5_service *krb5_service; }; -/* the following define is used to keep track of the options in the ldap +/* the following defines are used to keep track of the options in the ldap * module, so that if they change and ipa is not updated correspondingly * this will trigger a runtime abort error */ #define IPA_OPTS_BASIC_TEST 32 @@ -64,6 +64,8 @@ struct ipa_options { struct krb5_ctx *auth_ctx; }; +int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn); + /* options parsers */ int ipa_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb, diff --git a/src/providers/ipa/ipa_utils.c b/src/providers/ipa/ipa_utils.c new file mode 100644 index 00000000..504a8772 --- /dev/null +++ b/src/providers/ipa/ipa_utils.c 
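Review bot: The newly exported `domain_to_basedn()` prototype is now part of ipa_common.h and is also exercised by a unit test, but it has no contract comment. Add a Doxygen block above the declaration stating that the result is allocated as a talloc child of memctx and is released with that context, that the return value is EOK on success, EINVAL when domain or basedn is NULL and ENOMEM on allocation failure, and that the domain labels are copied into the DN verbatim without any DN escaping, so the caller is responsible for passing a plain DNS domain name.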
@@ -0,0 +1,57 @@
+/*
+ SSSD
+
+ IPA Provider Utility Functions
+
+ Authors:
+ Simo Sorce , Sumit Bose
+
+ Copyright (C) 2009-2010 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+
+#include "providers/ipa/ipa_common.h"
+
+int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn)
+{
+ const char *s;
+ char *dn;
+ char *p;
+ int l;
+
+ if (!domain || !basedn) {
+ return EINVAL;
+ }
+
+ s = domain;
+ dn = talloc_strdup(memctx, "dc=");
+
+ while ((p = strchr(s, '.'))) {
+ l = p - s;
+ dn = talloc_asprintf_append_buffer(dn, "%.*s,dc=", l, s);
+ if (!dn) {
+ return ENOMEM;
+ }
+ s = p + 1;
+ }
+ dn = talloc_strdup_append_buffer(dn, s);
+ if (!dn) {
+ return ENOMEM;
+ }
+
+ *basedn = dn;
+ return EOK;
+}
-- cgit
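Review bot: `dn` is not checked after the initial `talloc_strdup(memctx, "dc=")`, so on allocation failure NULL is handed to the append helpers; in the talloc versions I know, appending to a NULL buffer allocates a fresh string with no parent, so the function would return EOK with a result that is not owned by memctx, and other versions may fail differently (worth confirming against the talloc in use). The function also accepts "", ".example.com", "a..b" and "example.com." and builds DNs containing an empty `dc=` component, which the new EINVAL check does not catch; since the input is a configuration value, rejecting empty labels up front gives a clear error instead of an LDAP search against a malformed base. The rewrite below adds both checks and frees the partial buffer on the validation paths; the final append and the return are unchanged.

```c
int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn)
{
    /* … unchanged: local declarations … */

    /* an empty domain would produce the bare base "dc=" */
    if (!domain || !basedn || *domain == '\0') {
        return EINVAL;
    }

    s = domain;
    dn = talloc_strdup(memctx, "dc=");
    if (!dn) {
        return ENOMEM;
    }

    while ((p = strchr(s, '.'))) {
        l = p - s;
        /* a leading or doubled dot would produce an empty "dc=," component */
        if (l == 0) {
            talloc_free(dn);
            return EINVAL;
        }
        dn = talloc_asprintf_append_buffer(dn, "%.*s,dc=", l, s);
        if (!dn) {
            return ENOMEM;
        }
        s = p + 1;
    }
    /* a trailing dot would leave a dangling "dc=" at the end */
    if (*s == '\0') {
        talloc_free(dn);
        return EINVAL;
    }
    /* … unchanged: final talloc_strdup_append_buffer, *basedn = dn, return EOK … */
}
```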