From 7a115884d370d8e9b2c7b110a0565fe5b78446a9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 15 Feb 2017 12:09:20 +0100
Subject: [PATCH] ipa-kdb: add ipadb_fetch_principals_with_extra_filter()
Additionally make ipadb_find_principal public.
Related to https://pagure.io/freeipa/issue/4905
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.h | 11 +++++++
daemons/ipa-kdb/ipa_kdb_principals.c | 58 ++++++++++++++++++++++++++++--------
2 files changed, 56 insertions(+), 13 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 8a3f7d3c012186fd73b27abef09602b0d0e96e8d..72f2675809a3267cce30bc06c77335697c7287ad 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -198,6 +198,17 @@ krb5_error_code ipadb_put_principal(krb5_context kcontext,
char **db_args);
krb5_error_code ipadb_delete_principal(krb5_context kcontext,
krb5_const_principal search_for);
+krb5_error_code
+ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+ unsigned int flags,
+ const char *principal,
+ const char *filter,
+ LDAPMessage **result);
+krb5_error_code ipadb_find_principal(krb5_context kcontext,
+ unsigned int flags,
+ LDAPMessage *res,
+ char **principal,
+ LDAPMessage **entry);
#if KRB5_KDB_API_VERSION < 8
krb5_error_code ipadb_iterate(krb5_context kcontext,
char *match_entry,
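Review bot: The new public prototype of ipadb_fetch_principals_with_extra_filter() says nothing about what `filter` may hold, yet the hunk in ipa_kdb_principals.c that builds the search string (the `if (filter == NULL)` branch) pastes it into the LDAP filter through a bare `%s`, while the principal goes in as `esc_original_princ`, which by its name has been escaped first; the two arguments are treated differently and only one of them is documented by its type. I would state the contract on the declaration, e.g. `/* filter: optional extra LDAP filter element such as "(attr=value)", appended verbatim to the search filter; must be a complete, already-escaped filter element or NULL */`, and repeat the same sentence above the definition. The now-public ipadb_find_principal() would likewise benefit from a one-line comment on its `principal` and `entry` out-parameters (presumably `*principal` is allocated and owned by the caller — confirm against the body, which lies outside these hunks).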
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 3bd8fb8c70c61b056a714bc0a8149bd8524beb1d..82c857430b11279b4029fa72a6d430610524ba43 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -37,6 +37,17 @@
"(objectclass=krbprincipal))" \
"(krbprincipalname=%s))"
+#define PRINC_TGS_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
+ "(objectclass=krbprincipal)" \
+ "(objectclass=ipakrbprincipal))" \
+ "(|(ipakrbprincipalalias=%s)" \
+ "(krbprincipalname:caseIgnoreIA5Match:=%s))" \
+ "%s)"
+
+#define PRINC_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
+ "(objectclass=krbprincipal))" \
+ "(krbprincipalname=%s)" \
+ "%s)"
static char *std_principal_attrs[] = {
"krbPrincipalName",
"krbCanonicalName",
@@ -864,10 +875,12 @@ done:
return kerr;
}
-static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
- unsigned int flags,
- char *principal,
- LDAPMessage **result)
+krb5_error_code
+ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+ unsigned int flags,
+ const char *principal,
+ const char *filter,
+ LDAPMessage **result)
{
krb5_error_code kerr;
char *src_filter = NULL;
@@ -890,11 +903,21 @@ static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
goto done;
}
- if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
- ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
- esc_original_princ, esc_original_princ);
+ if (filter == NULL) {
+ if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+ ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
+ esc_original_princ, esc_original_princ);
+ } else {
+ ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
+ }
} else {
- ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
+ if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+ ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
+ esc_original_princ, esc_original_princ, filter);
+ } else {
+ ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
+ esc_original_princ, filter);
+ }
}
if (ret == -1) {
@@ -913,11 +936,20 @@ done:
return kerr;
}
-static krb5_error_code ipadb_find_principal(krb5_context kcontext,
- unsigned int flags,
- LDAPMessage *res,
- char **principal,
- LDAPMessage **entry)
+static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
+ unsigned int flags,
+ char *principal,
+ LDAPMessage **result)
+{
+ return ipadb_fetch_principals_with_extra_filter(ipactx, flags, principal,
+ NULL, result);
+}
+
+krb5_error_code ipadb_find_principal(krb5_context kcontext,
+ unsigned int flags,
+ LDAPMessage *res,
+ char **principal,
+ LDAPMessage **entry)
{
struct ipadb_context *ipactx;
bool found = false;
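Review bot: The retained static wrapper ipadb_fetch_principals() still declares `char *principal` even though its only use is to forward it to ipadb_fetch_principals_with_extra_filter(), which this commit changes to take `const char *`; keeping the wrapper at the weaker qualifier forces callers with a `const char *` to cast. I would change `char *principal,` to `const char *principal,` in the wrapper, and adjust any forward declaration of it earlier in the file, which is outside this hunk. The body of ipadb_find_principal() continues past the end of the hunk.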
--
2.12.1