dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Blob Blame History Raw
From c333512b85f979ae0694055a36d8dafcf4105248 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 20 Jun 2016 12:58:16 +0200
Subject: [PATCH 53/62] LDAP: include email in UPN searches

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit ba9ebfc49ab3bacb96213c8620411128c09f39da)
---
 src/providers/ldap/ldap_id.c               | 18 +++++++++++++----
 src/providers/ldap/sdap_async_initgroups.c | 32 ++++++++++++++++++++++++------
 2 files changed, 40 insertions(+), 10 deletions(-)

diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 0106a7b965b8d7debbefe82f60088df9ef8c608b..5b303ddbd46fd44646cdd50856c784640426ee25 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -127,12 +127,22 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
         break;
     case BE_FILTER_NAME:
         if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {
-            attr_name = ctx->opts->user_map[SDAP_AT_USER_PRINC].name;
-
             ret = sss_filter_sanitize(state, filter_value, &clean_value);
             if (ret != EOK) {
                 goto done;
             }
+            /* TODO: Do we have to check the attribute names more carefully? */
+            user_filter = talloc_asprintf(state, "(|(%s=%s)(%s=%s))",
+                                   ctx->opts->user_map[SDAP_AT_USER_PRINC].name,
+                                   clean_value,
+                                   ctx->opts->user_map[SDAP_AT_USER_EMAIL].name,
+                                   clean_value);
+            talloc_zfree(clean_value);
+            if (user_filter == NULL) {
+                DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+                ret = ENOMEM;
+                goto done;
+            }
         } else {
             attr_name = ctx->opts->user_map[SDAP_AT_USER_NAME].name;
 
@@ -242,8 +252,8 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
         goto done;
     }
 
-    if (attr_name == NULL) {
-        DEBUG(SSSDBG_OP_FAILURE, "Missing search attribute name.\n");
+    if (attr_name == NULL && user_filter == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "Missing search attribute name or filter.\n");
         ret = EINVAL;
         goto done;
     }
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 17593f0a268813662d6c7fbf658b1eb4599ce3c3..0a42b18662a8fe12cf048aadfef257b5d9cb48a3 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2736,13 +2736,25 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
         break;
     case BE_FILTER_NAME:
         if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {
-            search_attr =  state->opts->user_map[SDAP_AT_USER_PRINC].name;
 
             ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
             if (ret != EOK) {
                 talloc_zfree(req);
                 return NULL;
             }
+
+            state->user_base_filter =
+                    talloc_asprintf(state,
+                                 "(&(|(%s=%s)(%s=%s))(objectclass=%s)",
+                                 state->opts->user_map[SDAP_AT_USER_PRINC].name,
+                                 clean_name,
+                                 state->opts->user_map[SDAP_AT_USER_EMAIL].name,
+                                 clean_name,
+                                 state->opts->user_map[SDAP_OC_USER].name);
+            if (state->user_base_filter == NULL) {
+                talloc_zfree(req);
+                return NULL;
+            }
         } else {
             search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name;
 
@@ -2766,15 +2778,23 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
         return NULL;
     }
 
-    state->user_base_filter =
-            talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)",
-                            search_attr, clean_name,
-                            state->opts->user_map[SDAP_OC_USER].name);
-    if (!state->user_base_filter) {
+    if (search_attr == NULL && state->user_base_filter == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "Missing search attribute name or filter.\n");
         talloc_zfree(req);
         return NULL;
     }
 
+    if (state->user_base_filter == NULL) {
+        state->user_base_filter =
+                talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)",
+                                search_attr, clean_name,
+                                state->opts->user_map[SDAP_OC_USER].name);
+        if (!state->user_base_filter) {
+            talloc_zfree(req);
+            return NULL;
+        }
+    }
+
     if (use_id_mapping) {
         /* When mapping IDs or looking for SIDs, we don't want to limit
          * ourselves to users with a UID value. But there must be a SID to map
-- 
2.4.11