From 0274cb7aa22e388e46580b288a7dd957ad955e04 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 22 Jul 2016 20:10:42 +0200
Subject: [PATCH 62/62] SDAP: add enterprise principal strings for user
searches
Unfortunately principal aliases with an alternative realm are stored in
IPA as the string representation of an enterprise principal, i.e.
name\@alt.realm@IPA.REALM. To be able to look up the alternative
principal in LDAP properly the UPN search filter is extended to search
for this type of name as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 50a7a92f92e1584702bf25e61a50cb1c09c7e260)
---
src/providers/ldap/ldap_common.h | 5 +++++
src/providers/ldap/ldap_id.c | 10 +++++++--
src/providers/ldap/sdap_async_initgroups.c | 9 ++++++--
src/providers/ldap/sdap_utils.c | 28 ++++++++++++++++++++++++
src/tests/cmocka/test_nested_groups.c | 34 ++++++++++++++++++++++++++++++
5 files changed, 82 insertions(+), 4 deletions(-)
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index b39f6789275cf49dd69068ae3de0628b582e4cc5..acdcf47cc5992609cdbf73e4ed9655eade55e214 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -300,6 +300,11 @@ char *sdap_combine_filters(TALLOC_CTX *mem_ctx,
const char *base_filter,
const char *extra_filter);
+char *get_enterprise_principal_string_filter(TALLOC_CTX *mem_ctx,
+ const char *attr_name,
+ const char *princ,
+ struct dp_option *sdap_basic_opts);
+
char *sdap_get_access_filter(TALLOC_CTX *mem_ctx,
const char *base_filter);
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 5b303ddbd46fd44646cdd50856c784640426ee25..beb31fba16be76ba2ac01f99b87ee6362704f417 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -89,6 +89,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
enum idmap_error_code err;
char *sid;
char *user_filter = NULL;
+ char *ep_filter;
req = tevent_req_create(memctx, &state, struct users_get_state);
if (!req) return NULL;
@@ -131,12 +132,17 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
if (ret != EOK) {
goto done;
}
+
+ ep_filter = get_enterprise_principal_string_filter(state,
+ ctx->opts->user_map[SDAP_AT_USER_PRINC].name,
+ clean_value, ctx->opts->basic);
/* TODO: Do we have to check the attribute names more carefully? */
- user_filter = talloc_asprintf(state, "(|(%s=%s)(%s=%s))",
+ user_filter = talloc_asprintf(state, "(|(%s=%s)(%s=%s)%s)",
ctx->opts->user_map[SDAP_AT_USER_PRINC].name,
clean_value,
ctx->opts->user_map[SDAP_AT_USER_EMAIL].name,
- clean_value);
+ clean_value,
+ ep_filter == NULL ? "" : ep_filter);
talloc_zfree(clean_value);
if (user_filter == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
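Review bot: The `ep_filter == NULL ? "" : ep_filter` argument in the new talloc_asprintf call folds an allocation failure inside get_enterprise_principal_string_filter into the "no enterprise clause" case, so an out-of-memory condition there silently narrows the search instead of failing the request; the same pattern appears in the sdap_get_initgr_send hunk of sdap_async_initgroups.c. The helper's other NULL returns (no SDAP_KRB5_REALM configured, no '@' in the name) are legitimate no-op cases, so from the visible code the callers cannot tell the two apart. If the single-pointer return is kept, a comment at the call site such as `/* NULL: no realm configured, no '@' in the name, or allocation failure; the latter is tolerated and only drops the enterprise-principal clause. */` would at least make that trade-off explicit. The body of users_get_send starts and ends outside this hunk.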
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 0a42b18662a8fe12cf048aadfef257b5d9cb48a3..7029427724cc37a4508e11ef5448b421e94dc787 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2682,7 +2682,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
int ret;
char *clean_name;
bool use_id_mapping;
- const char *search_attr;
+ const char *search_attr = NULL;
+ char *ep_filter;
DEBUG(SSSDBG_TRACE_ALL, "Retrieving info for initgroups call\n");
@@ -2743,13 +2744,17 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
return NULL;
}
+ ep_filter = get_enterprise_principal_string_filter(state,
+ state->opts->user_map[SDAP_AT_USER_PRINC].name,
+ clean_name, state->opts->basic);
state->user_base_filter =
talloc_asprintf(state,
- "(&(|(%s=%s)(%s=%s))(objectclass=%s)",
+ "(&(|(%s=%s)(%s=%s)%s)(objectclass=%s)",
state->opts->user_map[SDAP_AT_USER_PRINC].name,
clean_name,
state->opts->user_map[SDAP_AT_USER_EMAIL].name,
clean_name,
+ ep_filter == NULL ? "" : ep_filter,
state->opts->user_map[SDAP_OC_USER].name);
if (state->user_base_filter == NULL) {
talloc_zfree(req);
diff --git a/src/providers/ldap/sdap_utils.c b/src/providers/ldap/sdap_utils.c
index a3a9642171ca057be5a59dfae192803b84c501c8..0ac3ab2e416d887d00480b5123859c611f514274 100644
--- a/src/providers/ldap/sdap_utils.c
+++ b/src/providers/ldap/sdap_utils.c
@@ -227,3 +227,31 @@ char *sdap_combine_filters(TALLOC_CTX *mem_ctx,
{
return sdap_combine_filters_ex(mem_ctx, '&', base_filter, extra_filter);
}
+
+char *get_enterprise_principal_string_filter(TALLOC_CTX *mem_ctx,
+ const char *attr_name,
+ const char *princ,
+ struct dp_option *sdap_basic_opts)
+{
+ const char *realm;
+ char *p;
+
+ if (attr_name == NULL || princ == NULL || sdap_basic_opts == NULL) {
+ return NULL;
+ }
+
+ realm = dp_opt_get_cstring(sdap_basic_opts, SDAP_KRB5_REALM);
+ if (realm == NULL) {
+ return NULL;
+ }
+
+ p = strchr(princ, '@');
+ if (p == NULL) {
+ return NULL;
+ }
+
+ return talloc_asprintf(mem_ctx, "(%s=%.*s\\\\@%s@%s)", attr_name,
+ (int) (p - princ),
+ princ,
+ p + 1, realm);
+}
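Review bot: The literal backslash in the format string of the talloc_asprintf call is emitted as `\\` (two backslashes in the resulting filter), but RFC 4515 encodes a backslash inside an LDAP filter assertion value as `\5c`; whether `\\` is accepted depends on the filter parser of the LDAP client library, and it presumably differs from the hex escaping the project's filter sanitizer applies to princ before it reaches this function (not visible here — worth confirming). If the RFC form is chosen, the format becomes `"(%s=%.*s\\5c@%s@%s)"` and the expectation in test_nested_groups.c changes accordingly. Separately, this new exported function has no doc comment: it should state that the returned clause is talloc-allocated on mem_ctx and owned by the caller, and that NULL is returned both when no clause applies (a NULL argument, no SDAP_KRB5_REALM set, no '@' in princ) and on allocation failure, which callers cannot distinguish. A name ending in '@' still yields a clause with an empty domain part; `if (p == NULL || p == princ || p[1] == '\0') return NULL;` would reject those degenerate inputs.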
diff --git a/src/tests/cmocka/test_nested_groups.c b/src/tests/cmocka/test_nested_groups.c
index 6af7e1f4393992e7f16d72b86e40664487896ea1..c8e80f29fb65f8f8935fea32cd4bf3e16de7d06f 100644
--- a/src/tests/cmocka/test_nested_groups.c
+++ b/src/tests/cmocka/test_nested_groups.c
@@ -31,6 +31,7 @@
#include "providers/ldap/sdap.h"
#include "providers/ldap/sdap_idmap.h"
#include "providers/ldap/sdap_async_private.h"
+#include "providers/ldap/ldap_opts.h"
#define TESTS_PATH "tp_" BASE_FILE_STEM
#define TEST_CONF_DB "test_ldap_nested_groups_conf.ldb"
@@ -1242,6 +1243,38 @@ static void nested_group_external_member_test(void **state)
nested_group.gr_name);
}
+static void test_get_enterprise_principal_string_filter(void **state)
+{
+ int ret;
+ char *ep_filter;
+ struct dp_option *no_krb5_realm_opt = default_basic_opts;
+
+ struct dp_option *krb5_realm_opt;
+
+ ret = dp_copy_defaults(NULL, default_basic_opts, SDAP_OPTS_BASIC,
+ &krb5_realm_opt);
+ assert_int_equal(ret, EOK);
+
+ ret = dp_opt_set_string(krb5_realm_opt, SDAP_KRB5_REALM, "TEST.DOM");
+ assert_int_equal(ret, EOK);
+
+ ep_filter = get_enterprise_principal_string_filter(NULL, NULL, NULL, NULL);
+ assert_null(ep_filter);
+
+ ep_filter = get_enterprise_principal_string_filter(NULL, "aBC", "p@d.c",
+ no_krb5_realm_opt);
+ assert_null(ep_filter);
+
+ ep_filter = get_enterprise_principal_string_filter(NULL, "aBC", "p",
+ krb5_realm_opt);
+ assert_null(ep_filter);
+
+ ep_filter = get_enterprise_principal_string_filter(NULL, "aBC", "p@d.c",
+ krb5_realm_opt);
+ assert_non_null(ep_filter);
+ assert_string_equal(ep_filter, "(aBC=p\\\\@d.c@TEST.DOM)");
+ talloc_free(ep_filter);
+}
int main(int argc, const char *argv[])
{
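Review bot: `krb5_realm_opt` is allocated by dp_copy_defaults with a NULL talloc parent and never released, so the new test leaks it; add `talloc_free(krb5_realm_opt);` after the final assert, next to the existing talloc_free(ep_filter). The test covers the three NULL paths and one positive case; the boundary inputs `"@d.c"` and `"p@"` are currently accepted by the helper and an assertion on each would pin whatever behaviour is intended for them.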
@@ -1268,6 +1301,7 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(nested_group_external_member_test,
nested_group_external_member_setup,
nested_group_external_member_teardown),
+ cmocka_unit_test(test_get_enterprise_principal_string_filter),
};
/* Set debug level to invalid value so we can deside if -d 0 was used. */
--
2.4.11