From c333512b85f979ae0694055a36d8dafcf4105248 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Jun 2016 12:58:16 +0200
Subject: [PATCH 53/62] LDAP: include email in UPN searches
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit ba9ebfc49ab3bacb96213c8620411128c09f39da)
---
src/providers/ldap/ldap_id.c | 18 +++++++++++++----
src/providers/ldap/sdap_async_initgroups.c | 32 ++++++++++++++++++++++++------
2 files changed, 40 insertions(+), 10 deletions(-)
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 0106a7b965b8d7debbefe82f60088df9ef8c608b..5b303ddbd46fd44646cdd50856c784640426ee25 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -127,12 +127,22 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
break;
case BE_FILTER_NAME:
if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {
- attr_name = ctx->opts->user_map[SDAP_AT_USER_PRINC].name;
-
ret = sss_filter_sanitize(state, filter_value, &clean_value);
if (ret != EOK) {
goto done;
}
+ /* TODO: Do we have to check the attribute names more carefully? */
+ user_filter = talloc_asprintf(state, "(|(%s=%s)(%s=%s))",
+ ctx->opts->user_map[SDAP_AT_USER_PRINC].name,
+ clean_value,
+ ctx->opts->user_map[SDAP_AT_USER_EMAIL].name,
+ clean_value);
+ talloc_zfree(clean_value);
+ if (user_filter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
} else {
attr_name = ctx->opts->user_map[SDAP_AT_USER_NAME].name;
@@ -242,8 +252,8 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
goto done;
}
- if (attr_name == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "Missing search attribute name.\n");
+ if (attr_name == NULL && user_filter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Missing search attribute name or filter.\n");
ret = EINVAL;
goto done;
}
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 17593f0a268813662d6c7fbf658b1eb4599ce3c3..0a42b18662a8fe12cf048aadfef257b5d9cb48a3 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2736,13 +2736,25 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
break;
case BE_FILTER_NAME:
if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {
- search_attr = state->opts->user_map[SDAP_AT_USER_PRINC].name;
ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
if (ret != EOK) {
talloc_zfree(req);
return NULL;
}
+
+ state->user_base_filter =
+ talloc_asprintf(state,
+ "(&(|(%s=%s)(%s=%s))(objectclass=%s)",
+ state->opts->user_map[SDAP_AT_USER_PRINC].name,
+ clean_name,
+ state->opts->user_map[SDAP_AT_USER_EMAIL].name,
+ clean_name,
+ state->opts->user_map[SDAP_OC_USER].name);
+ if (state->user_base_filter == NULL) {
+ talloc_zfree(req);
+ return NULL;
+ }
} else {
search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name;
@@ -2766,15 +2778,23 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
return NULL;
}
- state->user_base_filter =
- talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)",
- search_attr, clean_name,
- state->opts->user_map[SDAP_OC_USER].name);
- if (!state->user_base_filter) {
+ if (search_attr == NULL && state->user_base_filter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Missing search attribute name or filter.\n");
talloc_zfree(req);
return NULL;
}
+ if (state->user_base_filter == NULL) {
+ state->user_base_filter =
+ talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)",
+ search_attr, clean_name,
+ state->opts->user_map[SDAP_OC_USER].name);
+ if (!state->user_base_filter) {
+ talloc_zfree(req);
+ return NULL;
+ }
+ }
+
if (use_id_mapping) {
/* When mapping IDs or looking for SIDs, we don't want to limit
* ourselves to users with a UID value. But there must be a SID to map
--
2.4.11