From 0274cb7aa22e388e46580b288a7dd957ad955e04 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 22 Jul 2016 20:10:42 +0200
Subject: [PATCH 62/62] SDAP: add enterprise principal strings for user
searches
Unfortunately principal aliases with an alternative realm are stored in
IPA as the string representation of an enterprise principal, i.e.
name\@alt.realm@IPA.REALM. To be able to lookup the alternative
principal in LDAP properly the UPN search filter is extended to search
for this type of name as well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 50a7a92f92e1584702bf25e61a50cb1c09c7e260)
---
src/providers/ldap/ldap_common.h | 5 +++++
src/providers/ldap/ldap_id.c | 10 +++++++--
src/providers/ldap/sdap_async_initgroups.c | 9 ++++++--
src/providers/ldap/sdap_utils.c | 28 ++++++++++++++++++++++++
src/tests/cmocka/test_nested_groups.c | 34 ++++++++++++++++++++++++++++++
5 files changed, 82 insertions(+), 4 deletions(-)
diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h
index b39f6789275cf49dd69068ae3de0628b582e4cc5..acdcf47cc5992609cdbf73e4ed9655eade55e214 100644
--- a/src/providers/ldap/ldap_common.h
+++ b/src/providers/ldap/ldap_common.h
@@ -300,6 +300,11 @@ char *sdap_combine_filters(TALLOC_CTX *mem_ctx,
const char *base_filter,
const char *extra_filter);
+char *get_enterprise_principal_string_filter(TALLOC_CTX *mem_ctx,
+ const char *attr_name,
+ const char *princ,
+ struct dp_option *sdap_basic_opts);
+
char *sdap_get_access_filter(TALLOC_CTX *mem_ctx,
const char *base_filter);
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
index 5b303ddbd46fd44646cdd50856c784640426ee25..beb31fba16be76ba2ac01f99b87ee6362704f417 100644
--- a/src/providers/ldap/ldap_id.c
+++ b/src/providers/ldap/ldap_id.c
@@ -89,6 +89,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
enum idmap_error_code err;
char *sid;
char *user_filter = NULL;
+ char *ep_filter;
req = tevent_req_create(memctx, &state, struct users_get_state);
if (!req) return NULL;
@@ -131,12 +132,17 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx,
if (ret != EOK) {
goto done;
}
+
+ ep_filter = get_enterprise_principal_string_filter(state,
+ ctx->opts->user_map[SDAP_AT_USER_PRINC].name,
+ clean_value, ctx->opts->basic);
/* TODO: Do we have to check the attribute names more carefully? */
- user_filter = talloc_asprintf(state, "(|(%s=%s)(%s=%s))",
+ user_filter = talloc_asprintf(state, "(|(%s=%s)(%s=%s)%s)",
ctx->opts->user_map[SDAP_AT_USER_PRINC].name,
clean_value,
ctx->opts->user_map[SDAP_AT_USER_EMAIL].name,
- clean_value);
+ clean_value,
+ ep_filter == NULL ? "" : ep_filter);
talloc_zfree(clean_value);
if (user_filter == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 0a42b18662a8fe12cf048aadfef257b5d9cb48a3..7029427724cc37a4508e11ef5448b421e94dc787 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -2682,7 +2682,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
int ret;
char *clean_name;
bool use_id_mapping;
- const char *search_attr;
+ const char *search_attr = NULL;
+ char *ep_filter;
DEBUG(SSSDBG_TRACE_ALL, "Retrieving info for initgroups call\n");
@@ -2743,13 +2744,17 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
return NULL;
}
+ ep_filter = get_enterprise_principal_string_filter(state,
+ state->opts->user_map[SDAP_AT_USER_PRINC].name,
+ clean_name, state->opts->basic);
state->user_base_filter =
talloc_asprintf(state,
- "(&(|(%s=%s)(%s=%s))(objectclass=%s)",
+ "(&(|(%s=%s)(%s=%s)%s)(objectclass=%s)",
state->opts->user_map[SDAP_AT_USER_PRINC].name,
clean_name,
state->opts->user_map[SDAP_AT_USER_EMAIL].name,
clean_name,
+ ep_filter == NULL ? "" : ep_filter,
state->opts->user_map[SDAP_OC_USER].name);
if (state->user_base_filter == NULL) {
talloc_zfree(req);
diff --git a/src/providers/ldap/sdap_utils.c b/src/providers/ldap/sdap_utils.c
index a3a9642171ca057be5a59dfae192803b84c501c8..0ac3ab2e416d887d00480b5123859c611f514274 100644
--- a/src/providers/ldap/sdap_utils.c
+++ b/src/providers/ldap/sdap_utils.c
@@ -227,3 +227,31 @@ char *sdap_combine_filters(TALLOC_CTX *mem_ctx,
{
return sdap_combine_filters_ex(mem_ctx, '&', base_filter, extra_filter);
}
+
+char *get_enterprise_principal_string_filter(TALLOC_CTX *mem_ctx,
+ const char *attr_name,
+ const char *princ,
+ struct dp_option *sdap_basic_opts)
+{
+ const char *realm;
+ char *p;
+
+ if (attr_name == NULL || princ == NULL || sdap_basic_opts == NULL) {
+ return NULL;
+ }
+
+ realm = dp_opt_get_cstring(sdap_basic_opts, SDAP_KRB5_REALM);
+ if (realm == NULL) {
+ return NULL;
+ }
+
+ p = strchr(princ, '@');
+ if (p == NULL) {
+ return NULL;
+ }
+
+ return talloc_asprintf(mem_ctx, "(%s=%.*s\\\\@%s@%s)", attr_name,
+ (int) (p - princ),
+ princ,
+ p + 1, realm);
+}
diff --git a/src/tests/cmocka/test_nested_groups.c b/src/tests/cmocka/test_nested_groups.c
index 6af7e1f4393992e7f16d72b86e40664487896ea1..c8e80f29fb65f8f8935fea32cd4bf3e16de7d06f 100644
--- a/src/tests/cmocka/test_nested_groups.c
+++ b/src/tests/cmocka/test_nested_groups.c
@@ -31,6 +31,7 @@
#include "providers/ldap/sdap.h"
#include "providers/ldap/sdap_idmap.h"
#include "providers/ldap/sdap_async_private.h"
+#include "providers/ldap/ldap_opts.h"
#define TESTS_PATH "tp_" BASE_FILE_STEM
#define TEST_CONF_DB "test_ldap_nested_groups_conf.ldb"
@@ -1242,6 +1243,38 @@ static void nested_group_external_member_test(void **state)
nested_group.gr_name);
}
+static void test_get_enterprise_principal_string_filter(void **state)
+{
+ int ret;
+ char *ep_filter;
+ struct dp_option *no_krb5_realm_opt = default_basic_opts;
+
+ struct dp_option *krb5_realm_opt;
+
+ ret = dp_copy_defaults(NULL, default_basic_opts, SDAP_OPTS_BASIC,
+ &krb5_realm_opt);
+ assert_int_equal(ret, EOK);
+
+ ret = dp_opt_set_string(krb5_realm_opt, SDAP_KRB5_REALM, "TEST.DOM");
+ assert_int_equal(ret, EOK);
+
+ ep_filter = get_enterprise_principal_string_filter(NULL, NULL, NULL, NULL);
+ assert_null(ep_filter);
+
+ ep_filter = get_enterprise_principal_string_filter(NULL, "aBC", "p@d.c",
+ no_krb5_realm_opt);
+ assert_null(ep_filter);
+
+ ep_filter = get_enterprise_principal_string_filter(NULL, "aBC", "p",
+ krb5_realm_opt);
+ assert_null(ep_filter);
+
+ ep_filter = get_enterprise_principal_string_filter(NULL, "aBC", "p@d.c",
+ krb5_realm_opt);
+ assert_non_null(ep_filter);
+ assert_string_equal(ep_filter, "(aBC=p\\\\@d.c@TEST.DOM)");
+ talloc_free(ep_filter);
+}
int main(int argc, const char *argv[])
{
@@ -1268,6 +1301,7 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(nested_group_external_member_test,
nested_group_external_member_setup,
nested_group_external_member_teardown),
+ cmocka_unit_test(test_get_enterprise_principal_string_filter),
};
/* Set debug level to invalid value so we can deside if -d 0 was used. */
--
2.4.11