3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek Jakub Hrozek <jhrozek@redhat.com>
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek Copyright (C) 2011 Red Hat
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek This program is free software; you can redistribute it and/or modify
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek it under the terms of the GNU General Public License as published by
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek the Free Software Foundation; either version 3 of the License, or
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek (at your option) any later version.
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek This program is distributed in the hope that it will be useful,
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek but WITHOUT ANY WARRANTY; without even the implied warranty of
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek GNU General Public License for more details.
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek You should have received a copy of the GNU General Public License
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek along with this program. If not, see <http://www.gnu.org/licenses/>.
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina#define SUDO_ALL_FILTER "(" SYSDB_OBJECTCLASS "=" SYSDB_SUDO_CACHE_OC ")"
3f98cdc011bb4e8cd22c088f288b0bcdb6452492Jakub Hrozek/* ==================== Utility functions ==================== */
80941dd89fd8bc7c4a1272c304f737ce0fd5fc54Sumit Bosestatic errno_t sysdb_sudo_convert_time(const char *str, time_t *unix_time)
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina /* SUDO requires times to be in generalized time format:
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina * YYYYMMDDHHMMSS[.|,fraction][(+|-HHMM)|Z]
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina * We need to use more format strings to parse this with strptime().
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina const char *formats[] = {"%Y%m%d%H%M%SZ", /* 201212121300Z */
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina "%Y%m%d%H%M%S.0Z",
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina "%Y%m%d%H%M%S.0%z",
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina "%Y%m%d%H%M%S,0Z",
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina "%Y%m%d%H%M%S,0%z",
5a2cce34cf8843613b0b9dfde054b3d471dd5f3aPavel Březina for (format = formats; *format != NULL; format++) {
e6f4dbf8474e928ca7da33d6be18e94cbc66a5dePavel Březina /* strptime() may leave some fields uninitialized */
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březinastatic errno_t sysdb_sudo_check_time(struct sysdb_attrs *rule,
db419c61035cb262010cc8d5a4047191c2b60f05Pavel Březina ret = sysdb_attrs_get_string(rule, SYSDB_SUDO_CACHE_AT_CN, &name);
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina * From man sudoers.ldap:
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina * If multiple sudoNotBefore entries are present, the *earliest* is used.
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina * If multiple sudoNotAfter entries are present, the *last one* is used.
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek * From sudo sources, ldap.c:
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek * If either the sudoNotAfter or sudoNotBefore attributes are missing,
4be402505ba20b43361753f0e6e1589c9b029e81Jakub Hrozek * no time restriction shall be imposed.
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina /* check for sudoNotBefore */
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_NOTBEFORE,
d1f3610aefcb634f212d4c099fac102b3e4dee59Pavel Březina for (i=0; values[i] ; i++) {
d1f3610aefcb634f212d4c099fac102b3e4dee59Pavel Březina ret = sysdb_sudo_convert_time(values[i], &converted);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "Invalid time format in rule [%s]!\n",
d1f3610aefcb634f212d4c099fac102b3e4dee59Pavel Březina /* Grab the earliest */
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina /* check for sudoNotAfter */
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_NOTAFTER,
d1f3610aefcb634f212d4c099fac102b3e4dee59Pavel Březina for (i=0; values[i] ; i++) {
d1f3610aefcb634f212d4c099fac102b3e4dee59Pavel Březina ret = sysdb_sudo_convert_time(values[i], &converted);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_MINOR_FAILURE, "Invalid time format in rule [%s]!\n",
d1f3610aefcb634f212d4c099fac102b3e4dee59Pavel Březina /* Grab the latest */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_ALL, "Rule [%s] matches time restrictions\n",
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_ALL, "Rule [%s] does not match time "
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březinaerrno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx,
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina for (i = 0; i < in_num_rules; i++) {
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina ret = sysdb_sudo_check_time(in_rules[i], now, &allowed);
c9aab1c04c399ca2d1abef74f6df22ced34983dcPavel Březina rules = talloc_realloc(tmp_ctx, rules, struct sysdb_attrs *,
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březinasysdb_sudo_filter_userinfo(TALLOC_CTX *mem_ctx,
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina filter = talloc_asprintf(tmp_ctx, "(%s=ALL)", attr);
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina ret = sss_filter_sanitize(tmp_ctx, username, &sanitized_name);
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina filter = talloc_asprintf_append(filter, "(%s=%s)", attr, sanitized_name);
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina filter = talloc_asprintf_append(filter, "(%s=#%"SPRIuid")", attr, uid);
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina ret = sss_filter_sanitize(tmp_ctx, groupnames[i], &sanitized_name);
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina filter = talloc_asprintf_append(filter, "(%s=%%%s)", attr,
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, groupnames, uid);
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina "(&(%s=%s)(%s<=%lld)(|(%s=defaults)%s(%s=+*)))",
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březinasysdb_sudo_filter_defaults(TALLOC_CTX *mem_ctx)
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina return talloc_asprintf(mem_ctx, "(&(%s=%s)(%s=defaults))",
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, groupnames, uid);
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina filter = talloc_asprintf(mem_ctx, "(&(%s=%s)(|%s))",
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březinasysdb_sudo_filter_netgroups(TALLOC_CTX *mem_ctx,
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, groupnames, uid);
61913b8f0d1ba54d82640500d7486fac5f72b030Pavel Březina filter = talloc_asprintf(mem_ctx, "(&(%s=%s)(%s=+*)(!(|%s)))",
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek * Even though we lookup initgroups with views, we don't want to use
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek * overridden group names/gids since the rules contains the original
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek ret = sysdb_initgroups_with_views(tmp_ctx, domain, username, &res);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up user %s\n", username);
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "No such user %s\n", username);
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek /* Even though the database might be queried with the overriden name,
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek * the original name must be used in the filter later on
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek orig_name = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL);
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, "No original name?\n");
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek DEBUG(SSSDBG_TRACE_FUNC, "original name: %s\n", orig_name);
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "A user with no UID?\n");
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek /* get secondary group names */
cda8ff6cfdef22356dc3c06ec5204344912f0f0bPavel Březina /* No groups for this user in sysdb currently */
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek sysdb_groupnames = talloc_zero_array(tmp_ctx, char *, res->count);
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek /* Start counting from 1 to exclude the user entry */
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek groupname = ldb_msg_find_attr_as_string(res->msgs[i],
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek DEBUG(SSSDBG_MINOR_FAILURE, "A group with no name?");
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek sysdb_groupnames[num_groups] = talloc_strdup(sysdb_groupnames,
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek DEBUG(SSSDBG_MINOR_FAILURE, "Cannot strdup %s\n", groupname);
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina /* resolve primary group */
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek gid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_GIDNUM, 0);
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0Michal Zidek ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, group_attrs,
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina primary_group = ldb_msg_find_attr_as_string(group_msg, SYSDB_NAME,
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina sysdb_groupnames = talloc_realloc(tmp_ctx, sysdb_groupnames,
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina sysdb_groupnames[num_groups - 1] = talloc_strdup(sysdb_groupnames,
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537Pavel Březina NULL_CHECK(sysdb_groupnames[num_groups - 1], ret, done);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up group [%d]: %s\n",
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek *_orig_name = talloc_steal(mem_ctx, orig_name);
dee665060ba71ff61ad223e755ae61441118fbbaJakub Hrozek *_groupnames = talloc_steal(mem_ctx, sysdb_groupnames);
6a31a971a376a992afb838fe60b311360c970267Jakub Hrozekstatic errno_t sysdb_sudo_set_refresh_time(struct sss_domain_info *domain,
6a31a971a376a992afb838fe60b311360c970267Jakub Hrozek dn = ldb_dn_new_fmt(tmp_ctx, domain->sysdb->ldb,
6a31a971a376a992afb838fe60b311360c970267Jakub Hrozek lret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina lret = ldb_msg_add_string(msg, "cn", SUDORULE_SUBDIR);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Got more than one reply for base search!\n");
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina lret = ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_REPLACE, NULL);
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina lret = ldb_msg_add_fmt(msg, attr_name, "%lld", (long long)value);
04d138472cc086fb7961f0d378852b09961b1a33Lukas Slebodnik "ldb operation failed: [%s](%d)[%s]\n",
04d138472cc086fb7961f0d378852b09961b1a33Lukas Slebodnik ldb_strerror(lret), lret, ldb_errstring(domain->sysdb->ldb));
6a31a971a376a992afb838fe60b311360c970267Jakub Hrozekstatic errno_t sysdb_sudo_get_refresh_time(struct sss_domain_info *domain,
6a31a971a376a992afb838fe60b311360c970267Jakub Hrozek dn = ldb_dn_new_fmt(tmp_ctx, domain->sysdb->ldb, SYSDB_TMPL_CUSTOM_SUBTREE,
6a31a971a376a992afb838fe60b311360c970267Jakub Hrozek lret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina /* This entry has not been populated in LDB
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina * This is a common case, as unlike LDAP,
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina * LDB does not need to have all of its parent
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina * objects actually exist.
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov "Got more than one reply for base search!\n");
44749ce0c1fee9babee80060fa0db99eebb2ab51Pavel Březina *value = ldb_msg_find_attr_as_int(res->msgs[0], attr_name, 0);
6a31a971a376a992afb838fe60b311360c970267Jakub Hrozekerrno_t sysdb_sudo_set_last_full_refresh(struct sss_domain_info *domain,
6a31a971a376a992afb838fe60b311360c970267Jakub Hrozekerrno_t sysdb_sudo_get_last_full_refresh(struct sss_domain_info *domain,
f5d4b05027acce06e3509ecb68869d1c7ef37180Pavel Březina/* ==================== Purge functions ==================== */
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březinastatic const char *
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březinasysdb_sudo_get_rule_name(struct sysdb_attrs *rule)
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina ret = sysdb_attrs_get_string(rule, SYSDB_SUDO_CACHE_AT_CN, &name);
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina DEBUG(SSSDBG_MINOR_FAILURE, "Warning: found rule that contains none "
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina "or multiple CN values. It will be skipped.\n");
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Unable to obtain rule name [%d]: %s\n",
6a31a971a376a992afb838fe60b311360c970267Jakub Hrozekstatic errno_t sysdb_sudo_purge_all(struct sss_domain_info *domain)
e2ac9be4f293b96f3c8992f1171e44bc1da5cfcaMichal Zidek base_dn = sysdb_custom_subtree_dn(tmp_ctx, domain, SUDORULE_SUBDIR);
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina DEBUG(SSSDBG_TRACE_FUNC, "Deleting all cached sudo rules\n");
6a31a971a376a992afb838fe60b311360c970267Jakub Hrozek ret = sysdb_delete_recursive(domain->sysdb, base_dn, true);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "sysdb_delete_recursive failed.\n");
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březinasysdb_sudo_purge_byname(struct sss_domain_info *domain,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_INTERNAL, "Deleting sudo rule %s\n", name);
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fbMichal Zidek return sysdb_delete_custom(domain, name, SUDORULE_SUBDIR);
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březinasysdb_sudo_purge_byrules(struct sss_domain_info *dom,
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina DEBUG(SSSDBG_TRACE_FUNC, "About to remove rules from sudo cache\n");
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina for (i = 0; i < num_rules; i++) {
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina DEBUG(SSSDBG_MINOR_FAILURE, "Failed to delete rule "
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina "%s [%d]: %s\n", name, ret, sss_strerror(ret));
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březinasysdb_sudo_purge_byfilter(struct sss_domain_info *domain,
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina if (filter == NULL || strcmp(filter, SUDO_ALL_FILTER) == 0) {
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fbMichal Zidek ret = sysdb_search_custom(tmp_ctx, domain, filter,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_TRACE_FUNC, "No rules matched\n");
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595Lukas Slebodnik DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up SUDO rules\n");
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina ret = sysdb_msg2attrs(tmp_ctx, count, msgs, &rules);
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Unable to convert ldb message to "
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina "sysdb attrs [%d]: %s\n", ret, sss_strerror(ret));
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina ret = sysdb_sudo_purge_byrules(domain, rules, count);
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březinaerrno_t sysdb_sudo_purge(struct sss_domain_info *domain,
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina ret = sysdb_sudo_purge_byfilter(domain, delete_filter);
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina ret = sysdb_sudo_purge_byrules(domain, rules, num_rules);
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina ret = sysdb_transaction_commit(domain->sysdb);
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina sret = sysdb_transaction_cancel(domain->sysdb);
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n");
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Unable to purge sudo cache [%d]: %s\n",
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březinasysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina ret = sysdb_attrs_add_string(rule, SYSDB_OBJECTCLASS, SYSDB_SUDO_CACHE_OC);
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Unable to add %s attribute [%d]: %s\n",
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina ret = sysdb_attrs_add_string(rule, SYSDB_NAME, name);
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Unable to add %s attribute [%d]: %s\n",
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina expire = cache_timeout > 0 ? now + cache_timeout : 0;
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina ret = sysdb_attrs_add_time_t(rule, SYSDB_CACHE_EXPIRE, expire);
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Unable to add %s attribute [%d]: %s\n",
f4a1046bb88d7a0ab3617e49ae94bfa849d10645Petr Čechstatic errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
f4a1046bb88d7a0ab3617e49ae94bfa849d10645Petr Čech if (domain->case_sensitive == true || rule == NULL) {
f4a1046bb88d7a0ab3617e49ae94bfa849d10645Petr Čech ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx,
f4a1046bb88d7a0ab3617e49ae94bfa849d10645Petr Čech DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
a5ecc93abb01cece628fdef04ebad43bba267419Jakub Hrozek ret = sysdb_attrs_add_lower_case_string(rule, true,
f4a1046bb88d7a0ab3617e49ae94bfa849d10645Petr Čech "Unable to add %s attribute [%d]: %s\n",
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březinasysdb_sudo_store_rule(struct sss_domain_info *domain,
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name);
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now);
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina ret = sysdb_store_custom(domain, name, SUDORULE_SUBDIR, rule);
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Unable to store rule %s [%d]: %s\n",
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březinasysdb_sudo_store(struct sss_domain_info *domain,
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina for (i = 0; i < num_rules; i++) {
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina /* Multiple CNs are error on server side, we can just ignore this
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina * rule and save the others. Loud debug message is in logs. */
7e23edbaa7a6bbd0b461d5792535896b6a77928bPetr Čech /* Attribute SYSDB_SUDO_CACHE_AT_USER is missing but we can
7e23edbaa7a6bbd0b461d5792535896b6a77928bPetr Čech * continue with next sudoRule. */
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
6a31a971a376a992afb838fe60b311360c970267Jakub Hrozek sret = sysdb_transaction_cancel(domain->sysdb);
a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n");
68abbe716bed7c8d6790d9bec168ef44469306a1Pavel Březina DEBUG(SSSDBG_OP_FAILURE, "Unable to store sudo rules [%d]: %s\n",
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cecherrno_t sysdb_search_sudo_rules(TALLOC_CTX *mem_ctx,
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech const char **attrs,
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech dn = ldb_dn_new_fmt(tmp_ctx, domain->sysdb->ldb, SYSDB_TMPL_CUSTOM_SUBTREE,
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech DEBUG(SSSDBG_OP_FAILURE, "Failed to build base dn\n");
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech filter = talloc_asprintf(tmp_ctx, "(%s)", SUDO_ALL_FILTER);
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech DEBUG(SSSDBG_OP_FAILURE, "Failed to build filter\n");
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech ret = sysdb_search_entry(tmp_ctx, domain->sysdb, dn,
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech DEBUG(SSSDBG_MINOR_FAILURE, "Error: %d (%s)\n", ret, sss_strerror(ret));
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cechstatic struct ldb_dn *
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech const char *name)
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech return sysdb_custom_dn(mem_ctx, domain, name, SUDORULE_SUBDIR);
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cechsysdb_set_sudo_rule_attr(struct sss_domain_info *domain,
e2d26e97d62f06f65e8228b28746471cc5f73fe5Petr Cech const char *name,