From caf576da562bf7bd30e74ad921c1212ec7d230bc Mon Sep 17 00:00:00 2001
From: Ondrej Kos <okos@redhat.com>
Date: Mon, 9 Sep 2013 15:51:15 +0200
Subject: IPA: Deprecate ipa_hbac_support_srchost option

This option got already deprecated on the ipa server side.
Option is undocumented and warning is printed both to the sssd log files
and syslog.

Resolves:
https://fedorahosted.org/sssd/ticket/1918
---
 src/man/sssd-ipa.5.xml             | 23 -----------------------
 src/providers/ipa/ipa_access.c     |  6 ++++++
 src/providers/ipa/ipa_hbac_hosts.c |  5 +++++
 3 files changed, 11 insertions(+), 23 deletions(-)

diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index bf148bf4..667920ed 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -281,11 +281,6 @@
                             information about configuring multiple search
                             bases.
                         </para>
-                        <para>
-                            If filter is given in any of search bases and
-                            <emphasis>ipa_hbac_support_srchost</emphasis>
-                            is set to False, the filter will be ignored.
-                        </para>
                         <para>
                             Default: the value of
                             <emphasis>ldap_search_base</emphasis>
@@ -458,24 +453,6 @@
                     </listitem>
                 </varlistentry>
 
-                <varlistentry>
-                    <term>ipa_hbac_support_srchost (boolean)</term>
-                    <listitem>
-                        <para>
-                            If this is set to false, then srchost as given
-                            to SSSD by PAM will be ignored.
-                        </para>
-                        <para>
-                            Note that if set to <emphasis>False</emphasis>,
-                            this option casuses filters given in
-                            <emphasis>ipa_host_search_base</emphasis> to be ignored;
-                        </para>
-                        <para>
-                            Default: false
-                        </para>
-                    </listitem>
-                </varlistentry>
-
                 <varlistentry>
                     <term>ipa_server_mode (boolean)</term>
                     <listitem>
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 58539f4c..7d44788a 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -346,6 +346,12 @@ static int hbac_get_host_info_step(struct hbac_ctx *hbac_ctx)
          *    we want all hosts
          */
         hostname = NULL;
+
+        /* THIS FEATURE IS DEPRECATED */
+        DEBUG(SSSDBG_MINOR_FAILURE, ("WARNING: Using deprecated option "
+                    "ipa_hbac_support_srchost.\n"));
+        sss_log(SSS_LOG_NOTICE, "WARNING: Using deprecated option "
+                    "ipa_hbac_support_srchost.\n");
     } else {
         hostname = dp_opt_get_string(hbac_ctx->ipa_options, IPA_HOSTNAME);
     }
diff --git a/src/providers/ipa/ipa_hbac_hosts.c b/src/providers/ipa/ipa_hbac_hosts.c
index 7f387c63..e85206e8 100644
--- a/src/providers/ipa/ipa_hbac_hosts.c
+++ b/src/providers/ipa/ipa_hbac_hosts.c
@@ -268,6 +268,11 @@ hbac_shost_attrs_to_rule(TALLOC_CTX *mem_ctx,
         shosts->category = HBAC_CATEGORY_ALL;
         ret = EOK;
         goto done;
+    } else {
+        DEBUG(SSSDBG_MINOR_FAILURE, ("WARNING: Using deprecated option "
+                    "ipa_hbac_support_srchost.\n"));
+        sss_log(SSS_LOG_NOTICE, "WARNING: Using deprecated option "
+                    "ipa_hbac_support_srchost.\n");
     }
 
     ret = hbac_host_attrs_to_rule(tmp_ctx, domain,
-- 
cgit