From 35480afaefafb77b28d35b29039989ab888aafe9 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Thu, 6 May 2010 10:09:41 -0400 Subject: Add ldap_access_filter option This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com --- src/providers/ldap/ldap_init.c | 56 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) (limited to 'src/providers/ldap/ldap_init.c') diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c index df2956ec..5c6f4b79 100644 --- a/src/providers/ldap/ldap_init.c +++ b/src/providers/ldap/ldap_init.c @@ -25,6 +25,7 @@ #include "providers/child_common.h" #include "providers/ldap/ldap_common.h" #include "providers/ldap/sdap_async_private.h" +#include "providers/ldap/sdap_access.h" static void sdap_shutdown(struct be_req *req); @@ -46,6 +47,12 @@ struct bet_ops sdap_chpass_ops = { .finalize = sdap_shutdown }; +/* Access Handler */ +struct bet_ops sdap_access_ops = { + .handler = sdap_pam_access_handler, + .finalize = sdap_shutdown +}; + int sssm_ldap_id_init(struct be_ctx *bectx, struct bet_ops **ops, void **pvt_data) @@ -55,6 +62,15 @@ int sssm_ldap_id_init(struct be_ctx *bectx, const char *dns_service_name; int ret; + /* If we're already set up, just return that */ + if(bectx->bet_info[BET_ID].mod_name && + strcmp("LDAP", bectx->bet_info[BET_ID].mod_name)) { + DEBUG(8, ("Re-using sdap_id_ctx for this provider\n")); + *ops = bectx->bet_info[BET_ID].bet_ops; + *pvt_data = bectx->bet_info[BET_ID].pvt_bet_data; + return EOK; + } + ctx = talloc_zero(bectx, struct sdap_id_ctx); if (!ctx) return ENOMEM; @@ -186,6 +202,46 @@ int sssm_ldap_chpass_init(struct be_ctx *bectx, return ret; } +int sssm_ldap_access_init(struct be_ctx *bectx, + struct bet_ops **ops, + void **pvt_data) +{ + int ret; + struct sdap_access_ctx *access_ctx; + + access_ctx = talloc_zero(bectx, struct sdap_access_ctx); + if(access_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sssm_ldap_id_init(bectx, ops, (void **)&access_ctx->id_ctx); + if (ret != EOK) { + DEBUG(1, ("sssm_ldap_id_init failed.\n")); + goto done; + } + + access_ctx->filter = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic, + SDAP_ACCESS_FILTER); + if (access_ctx->filter == NULL) { + /* It's okay if this is NULL. In that case we will simply act + * like the 'deny' provider. + */ + DEBUG(0, ("Warning: access_provider=ldap set, " + "but no ldap_access_filter configured. " + "All domain users will be denied access.\n")); + } + + *ops = &sdap_access_ops; + *pvt_data = access_ctx; + +done: + if (ret != EOK) { + talloc_free(access_ctx); + } + return ret; +} + static void sdap_shutdown(struct be_req *req) { /* TODO: Clean up any internal data */ -- cgit