From 7a115884d370d8e9b2c7b110a0565fe5b78446a9 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 15 Feb 2017 12:09:20 +0100
Subject: [PATCH] ipa-kdb: add ipadb_fetch_principals_with_extra_filter()

Additionally make ipadb_find_principal public.

Related to https://pagure.io/freeipa/issue/4905

Reviewed-By: Alexander Bokovoy
Reviewed-By: David Kupka
---
 daemons/ipa-kdb/ipa_kdb.h | 11 +++++++
 daemons/ipa-kdb/ipa_kdb_principals.c | 58 ++++++++++++++++++++++++++++--------
 2 files changed, 56 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 8a3f7d3c012186fd73b27abef09602b0d0e96e8d..72f2675809a3267cce30bc06c77335697c7287ad 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -198,6 +198,17 @@ krb5_error_code ipadb_put_principal(krb5_context kcontext,
 char **db_args);
 krb5_error_code ipadb_delete_principal(krb5_context kcontext,
 krb5_const_principal search_for);
+krb5_error_code
+ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+ unsigned int flags,
+ const char *principal,
+ const char *filter,
+ LDAPMessage **result);
+krb5_error_code ipadb_find_principal(krb5_context kcontext,
+ unsigned int flags,
+ LDAPMessage *res,
+ char **principal,
+ LDAPMessage **entry);
 #if KRB5_KDB_API_VERSION < 8
 krb5_error_code ipadb_iterate(krb5_context kcontext,
 char *match_entry,
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 3bd8fb8c70c61b056a714bc0a8149bd8524beb1d..82c857430b11279b4029fa72a6d430610524ba43 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
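Review bot: The new prototype of ipadb_fetch_principals_with_extra_filter gives no contract for `filter`, yet the implementation hunk in ipa_kdb_principals.c shows it being pasted verbatim into the LDAP search filter through the trailing `%s` of PRINC_SEARCH_FILTER_EXTRA and PRINC_TGS_SEARCH_FILTER_EXTRA, without the escaping that `principal` receives. A comment on the declaration should state that, e.g. `/* filter: NULL, or one or more complete LDAP filter components such as "(attr=value)" that are AND-ed with the principal match; inserted verbatim, so any value derived from untrusted input must already be escaped by the caller */`. It would also help to note next to ipadb_find_principal that it is exported on purpose (it was static before this patch), so nobody re-adds `static` later. The declarations for ipa_kdb_principals.c itself start on the following lines of the patch.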
@@ -37,6 +37,17 @@
 "(objectclass=krbprincipal))" \
 "(krbprincipalname=%s))"
 
+#define PRINC_TGS_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
+ "(objectclass=krbprincipal)" \
+ "(objectclass=ipakrbprincipal))" \
+ "(|(ipakrbprincipalalias=%s)" \
+ "(krbprincipalname:caseIgnoreIA5Match:=%s))" \
+ "%s)"
+
+#define PRINC_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
+ "(objectclass=krbprincipal))" \
+ "(krbprincipalname=%s)" \
+ "%s)"
 static char *std_principal_attrs[] = {
 "krbPrincipalName",
 "krbCanonicalName",
@@ -864,10 +875,12 @@ done:
 return kerr;
 }
 
-static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
- unsigned int flags,
- char *principal,
- LDAPMessage **result)
+krb5_error_code
+ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+ unsigned int flags,
+ const char *principal,
+ const char *filter,
+ LDAPMessage **result)
 {
 krb5_error_code kerr;
 char *src_filter = NULL;
@@ -890,11 +903,21 @@ static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
 goto done;
 }
 
- if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
- ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
- esc_original_princ, esc_original_princ);
+ if (filter == NULL) {
+ if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+ ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
+ esc_original_princ, esc_original_princ);
+ } else {
+ ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
+ }
 } else {
- ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
+ if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+ ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
+ esc_original_princ, esc_original_princ, filter);
+ } else {
+ ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
+ esc_original_princ, filter);
+ }
 }
 
 if (ret == -1) {
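Review bot: In the two `filter != NULL` branches of the @@ -890 hunk the caller-supplied `filter` is passed to asprintf as a bare `%s` and lands unescaped at the tail of the LDAP search filter, while the principal on the same line has already been escaped into esc_original_princ; a filter string assembled from untrusted input could therefore alter the query. That is only safe if every caller passes a fixed, pre-escaped component, so the assumption deserves a comment at the branch, e.g. `/* filter is spliced in verbatim as trailing AND terms; it must be a complete, already-escaped LDAP component such as "(attr=value)" */`. An empty string still produces a well-formed filter because both _EXTRA macros close the outer `(&` with `"%s)"`. The function begins and ends outside this hunk; all four branches assign `ret`, so the `if (ret == -1)` context line that follows still covers the new paths.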
@@ -913,11 +936,20 @@ done:
 return kerr;
 }
 
-static krb5_error_code ipadb_find_principal(krb5_context kcontext,
- unsigned int flags,
- LDAPMessage *res,
- char **principal,
- LDAPMessage **entry)
+static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
+ unsigned int flags,
+ char *principal,
+ LDAPMessage **result)
+{
+ return ipadb_fetch_principals_with_extra_filter(ipactx, flags, principal,
+ NULL, result);
+}
+
+krb5_error_code ipadb_find_principal(krb5_context kcontext,
+ unsigned int flags,
+ LDAPMessage *res,
+ char **principal,
+ LDAPMessage **entry)
 {
 struct ipadb_context *ipactx;
 bool found = false;
-- 
2.12.1
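Review bot: The new static wrapper ipadb_fetch_principals keeps `char *principal` even though it only forwards it to a `const char *` parameter; `static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx, unsigned int flags, const char *principal, LDAPMessage **result)` would make the two signatures agree, unless an existing caller depends on the non-const type, which this hunk does not show. A one-line comment on the wrapper, `/* Compatibility wrapper: same search with no extra filter terms. */`, would also save readers a lookup. ipadb_find_principal drops `static` here and becomes exported (the commit message says so); its body continues past the end of the hunk, and a short comment above it recording that it is part of the ipa_kdb.h interface would keep the `static` from being re-added later.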