From 91ab35daf713e146dfae53a67f6b86b424c897d5 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 8 Jan 2014 17:12:17 +0100
Subject: [PATCH 47/47] LDAP: Add a new error code for malformed access control
filter
https://fedorahosted.org/sssd/ticket/2164
The patch adds a new error code and special cases the new code so that
access is denied and a nicer log message is shown.
---
src/providers/ldap/sdap_access.c | 8 +++++++-
src/providers/ldap/sdap_async.c | 12 ++++++------
src/providers/ldap/sdap_async_groups_ad.c | 2 +-
src/providers/ldap/sdap_async_initgroups_ad.c | 4 ++--
src/util/util_errors.c | 1 +
src/util/util_errors.h | 1 +
6 files changed, 18 insertions(+), 10 deletions(-)
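diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index f0df24e7f3a855304b0cfd9d075ac67334f9bb1a..29e83eb43cf78107e2075e1aa95211abac6d2df1 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -855,9 +855,15 @@ static void sdap_access_filter_get_access_done(struct tevent_req *subreq)
 }
 } else if (dp_error == DP_ERR_OFFLINE) {
 ret = sdap_access_filter_decide_offline(req);
+ } else if (ret == ERR_INVALID_FILTER) {
+ sss_log(SSS_LOG_ERR,
+ "Malformed access control filter [%s]\n", state->filter);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Malformed access control filter [%s]\n", state->filter));
+ ret = ERR_ACCESS_DENIED;
 } else {
 DEBUG(1, ("sdap_get_generic_send() returned error [%d][%s]\n",
- ret, strerror(ret)));
+ ret, sss_strerror(ret)));
 }
 
 goto done;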
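Review bot: The `ERR_INVALID_FILTER` branch denies access, but nothing in it says that failing closed is intentional; a comment above `ret = ERR_ACCESS_DENIED;` such as `/* The filter could not be evaluated, so deny instead of falling through to the generic error path. */` would keep a later cleanup from merging it into the final `else`. The `sss_log()` format string ends in `\n`, while the `sss_log()` call visible in sdap_async.c ("LDAP connection error, %s") does not, so the syslog entry probably carries a stray newline. `state->filter` is written to syslog verbatim; if it is the expanded filter with the user name substituted in (not visible here), confirm that the value is sanitized before it is logged. The function starts and ends outside the hunk.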
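diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index e905d2dd6d539baadcd29aa0869ca04e845947e2..367007bde0011ed4de283b2a50b22538830a5275 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -1306,9 +1306,9 @@ static errno_t sdap_get_generic_ext_step(struct tevent_req *req)
 sss_log(SSS_LOG_ERR, "LDAP connection error, %s",
 sss_ldap_err2string(lret));
 }
- }
-
- else {
+ } else if (lret == LDAP_FILTER_ERROR) {
+ ret = ERR_INVALID_FILTER;
+ } else {
 ret = EIO;
 }
 goto done;
@@ -1570,7 +1570,7 @@ static void sdap_get_generic_done(struct tevent_req *subreq)
 talloc_zfree(subreq);
 if (ret) {
 DEBUG(4, ("sdap_get_generic_ext_recv failed [%d]: %s\n",
- ret, strerror(ret)));
+ ret, sss_strerror(ret)));
 tevent_req_error(req, ret);
 return;
 }
@@ -1790,7 +1790,7 @@ static void sdap_x_deref_search_done(struct tevent_req *subreq)
 talloc_zfree(subreq);
 if (ret) {
 DEBUG(4, ("sdap_get_generic_ext_recv failed [%d]: %s\n",
- ret, strerror(ret)));
+ ret, sss_strerror(ret)));
 tevent_req_error(req, ret);
 return;
 }
@@ -2049,7 +2049,7 @@ static void sdap_asq_search_done(struct tevent_req *subreq)
 talloc_zfree(subreq);
 if (ret) {
 DEBUG(4, ("sdap_get_generic_ext_recv failed [%d]: %s\n",
- ret, strerror(ret)));
+ ret, sss_strerror(ret)));
 tevent_req_error(req, ret);
 return;
 }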
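Review bot: In `sdap_get_generic_ext_step()` the new `LDAP_FILTER_ERROR` branch sets `ret = ERR_INVALID_FILTER` without logging anything at the point of failure, so for every caller other than the access-filter check the logs show at most the generic "Malformed search filter" string and never which search was rejected. A line such as `DEBUG(SSSDBG_OP_FAILURE, ("Search filter rejected: %s\n", sss_ldap_err2string(lret)));` in that branch would make a misconfigured filter diagnosable from any caller. This function appears to be shared by all generic searches, so callers that compared the result against `EIO` or pass it to plain `strerror()` now see a different value. The `sss_strerror()` conversions in this file cover the receivers shown, but the rest of the tree is worth checking. The function body continues outside the hunk.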
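diff --git a/src/providers/ldap/sdap_async_groups_ad.c b/src/providers/ldap/sdap_async_groups_ad.c
index 9b61c697d5789c3ec3467ec52a7171f6a640ce9e..6a8a4fd139657040ff83cad10ba35a0dde4a0122 100644
--- a/src/providers/ldap/sdap_async_groups_ad.c
+++ b/src/providers/ldap/sdap_async_groups_ad.c
@@ -183,7 +183,7 @@ sdap_get_ad_match_rule_members_step(struct tevent_req *subreq)
 talloc_zfree(subreq);
 if (ret != EOK) {
 DEBUG(SSSDBG_MINOR_FAILURE,
- ("LDAP search failed: [%s]\n", strerror(ret)));
+ ("LDAP search failed: [%s]\n", sss_strerror(ret)));
 tevent_req_error(req, ret);
 return;
 }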
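diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index 8f8f0a4cc635818dcc7f75f9da603ce2f55c820f..724f308da68daf05e2dc4cc6c64cac347ab8a0ca 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -208,7 +208,7 @@ sdap_get_ad_match_rule_initgroups_step(struct tevent_req *subreq)
 talloc_zfree(subreq);
 if (ret != EOK) {
 DEBUG(SSSDBG_MINOR_FAILURE,
- ("LDAP search failed: [%s]\n", strerror(ret)));
+ ("LDAP search failed: [%s]\n", sss_strerror(ret)));
 goto error;
 }
 
@@ -383,7 +383,7 @@ static void sdap_get_ad_tokengroups_done(struct tevent_req *subreq)
 talloc_zfree(subreq);
 if (ret != EOK) {
 DEBUG(SSSDBG_MINOR_FAILURE,
- ("LDAP search failed: [%s]\n", strerror(ret)));
+ ("LDAP search failed: [%s]\n", sss_strerror(ret)));
 goto done;
 }
 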
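diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 114c8b04fd354b166d14e526a3bab6a6c0c05951..633257e8da0ef039e555a07ad8b51125114ca01c 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -51,6 +51,7 @@ struct err_string error_to_str[] = {
 { "Entry not found" }, /* ERR_NOT_FOUND */
 { "Domain not found" }, /* ERR_DOMAIN_NOT_FOUND */
 { "Missing configuration file" }, /* ERR_MISSING_CONF */
+ { "Malformed search filter" }, /* ERR_INVALID_FILTER, */
 };
 
 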
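Review bot: The comment on the new table entry reads `/* ERR_INVALID_FILTER, */`, with a comma that the neighbouring entries do not have; it should be `/* ERR_INVALID_FILTER */`. `error_to_str[]` is positional and has to stay in step with `enum sssd_errors` (the matching addition in util_errors.h sits in the same place, before `ERR_LAST`). A compile-time check on the array length would catch a future entry that is added to only one of the two files and would otherwise yield the wrong message or an out-of-range read.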
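diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index bca45f392b0357c3f1c848768358cb1d47514715..1332085031dbe6935cbdc94543fa14b09fe81028 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -73,6 +73,7 @@ enum sssd_errors {
 ERR_NOT_FOUND,
 ERR_DOMAIN_NOT_FOUND,
 ERR_MISSING_CONF,
+ ERR_INVALID_FILTER,
 ERR_LAST /* ALWAYS LAST */
 };
 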
--
1.8.4.2