From a4cce2c98eedecb5d3b47da62104634cae268434 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Mon, 2 Jul 2012 10:34:52 -0400
Subject: AD: Add AD access-control provider

This patch adds support for checking whether a user is expired or disabled in AD.
---
 src/providers/ad/ad_init.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)

(limited to 'src/providers/ad/ad_init.c')
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
index 89101a5b..6baae0ce 100644
--- a/src/providers/ad/ad_init.c
+++ b/src/providers/ad/ad_init.c
@@ -28,7 +28,9 @@
 #include "util/util.h"
 #include "providers/ad/ad_common.h"
+#include "providers/ad/ad_access.h"
 #include "providers/ldap/ldap_common.h"
+#include "providers/ldap/sdap_access.h"
 #include "providers/ldap/sdap_idmap.h"
 #include "providers/krb5/krb5_auth.h"
 #include "providers/krb5/krb5_init_shared.h"
@@ -55,6 +57,11 @@ struct bet_ops ad_chpass_ops = {
 .finalize = NULL
 };
+struct bet_ops ad_access_ops = {
+ .handler = ad_access_handler,
+ .finalize = NULL
+};
+
 static errno_t
 common_ad_init(struct be_ctx *bectx)
 {
@@ -261,6 +268,55 @@ sssm_ad_chpass_init(struct be_ctx *bectx,
 return ret;
 }
+int
+sssm_ad_access_init(struct be_ctx *bectx,
+ struct bet_ops **ops,
+ void **pvt_data)
+{
+ errno_t ret;
+ struct ad_access_ctx *access_ctx;
+ struct ad_id_ctx *ad_id_ctx;
+
+ access_ctx = talloc_zero(bectx, struct ad_access_ctx);
+ if (!access_ctx) return ENOMEM;
+
+ ret = sssm_ad_id_init(bectx, ops, (void **)&ad_id_ctx);
+ if (ret != EOK) {
+ goto fail;
+ }
+ access_ctx->sdap_ctx = ad_id_ctx->sdap_id_ctx;
+
+ ret = dp_copy_options(access_ctx, ad_options->basic, AD_OPTS_BASIC,
+ &access_ctx->ad_options);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ ("Could not initialize access provider options: [%s]\n",
+ strerror(ret)));
+ goto fail;
+ }
+
+ /* Set up an sdap_access_ctx for checking expired/locked accounts */
+ access_ctx->sdap_access_ctx =
+ talloc_zero(access_ctx, struct sdap_access_ctx);
+ if (!access_ctx->sdap_access_ctx) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ access_ctx->sdap_access_ctx->id_ctx = access_ctx->sdap_ctx;
+ access_ctx->sdap_access_ctx->access_rule[0] = LDAP_ACCESS_EXPIRE;
+ access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EMPTY;
+
+ *ops = &ad_access_ops;
+ *pvt_data = access_ctx;
+
+ return EOK;
+
+fail:
+ talloc_free(access_ctx);
+ return ret;
+}
+
 static void
 ad_shutdown(struct be_req *req)
 {
-- cgit
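Review bot: On the `fail` path taken after `sssm_ad_id_init()` has succeeded, the caller's `ops` pointer is handed straight to that call, so a later failure in `dp_copy_options()` or the `sdap_access_ctx` allocation returns an error with `*ops` apparently already pointing at the ID provider's table while only `access_ctx` is freed and the `ad_id_ctx` subtree stays allocated under `bectx`; that the ID init writes `*ops` is inferred from its signature, not visible in this hunk. Passing a local keeps the out-parameter untouched on error: `struct bet_ops *id_ops = NULL;` and `ret = sssm_ad_id_init(bectx, &id_ops, (void **)&ad_id_ctx);`. The `access_rule[0]`/`access_rule[1]` writes rely on the array size declared in `sdap_access.h`, outside this hunk, and on `LDAP_ACCESS_EMPTY` acting as the list terminator; a one-line comment such as `/* rule list is terminated by LDAP_ACCESS_EMPTY; both entries must fit access_rule[] */` would make that contract explicit. The function also has no header comment; a short one stating that it reuses the ID provider's sdap context and that `access_ctx` is owned by `bectx` would help the next maintainer.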