ipa_hbac_rules.c revision dd6a4fb9ae4825caf4ccb835f8b8221c96bbb6f5
/*
    SSSD

    Authors:
        Stephen Gallagher <sgallagh@redhat.com>

    Copyright (C) 2011 Red Hat

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
#include "util/util.h"
#include "providers/ipa/ipa_rules_common.h"
#include "providers/ipa/ipa_hbac_private.h"
#include "providers/ipa/ipa_hbac_rules.h"
#include "providers/ldap/sdap_async.h"
/* Per-request state for the asynchronous HBAC rule lookup. */
struct ipa_hbac_rule_state {
    /* Event context, LDAP handle and options handed to every search. */
    struct tevent_context *ev;
    struct sdap_handle *sh;
    struct sdap_options *opts;

    /* Index of the search base currently being queried. */
    int search_base_iter;
    /* NULL-terminated array; the pointer is stored as the caller passed it. */
    struct sdap_search_base **search_bases;

    /* NULL-terminated list of attributes requested for each rule. */
    const char **attrs;
    /* Host-specific rule filter, built once when the request is created. */
    char *rules_filter;
    /* rules_filter combined with the filter of the current search base. */
    char *cur_filter;

    /* Rules accumulated over all search bases queried so far. */
    size_t rule_count;
    struct sysdb_attrs **rules;
};
/* Sends the search for the search base selected by state->search_base_iter. */
static errno_t
ipa_hbac_rule_info_next(struct tevent_req *req,
                        struct ipa_hbac_rule_state *state);

/* Completion callback for the search sent by ipa_hbac_rule_info_next(). */
static void
ipa_hbac_rule_info_done(struct tevent_req *subreq);
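/**
 * Start an asynchronous lookup of the HBAC rules that apply to a host.
 *
 * Builds an LDAP filter of the form
 *   (&(objectclass=IPA_HBAC_RULE)(IPA_ENABLED_FLAG=IPA_TRUE_VALUE)
 *     (IPA_ACCESS_RULE_TYPE=IPA_HBAC_ALLOW)
 *     (|(IPA_HOST_CATEGORY=all)(IPA_MEMBER_HOST=<host DN>)
 *       (IPA_MEMBER_HOST=<memberOf DN>)...))
 * and sends the search for the first search base. Further search bases are
 * queried from ipa_hbac_rule_info_done().
 *
 * @param mem_ctx       talloc parent of the request.
 * @param ev            event context for the request and its searches.
 * @param sh            LDAP handle passed to the searches.
 * @param opts          SDAP options; the search timeout is read from them.
 * @param search_bases  NULL-terminated array of search bases. If the first
 *                      entry is already NULL the request fails with EINVAL.
 * @param ipa_host      attributes of the host; NULL fails with EINVAL.
 *
 * @return the request, or NULL if it could not be allocated. Any other
 *         failure is reported through the request, which is then already
 *         posted to ev.
 */
struct tevent_req *
ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
                        struct tevent_context *ev,
                        struct sdap_handle *sh,
                        struct sdap_options *opts,
                        struct sdap_search_base **search_bases,
                        struct sysdb_attrs *ipa_host)
{
    errno_t ret;
    size_t i;
    struct tevent_req *req = NULL;
    struct ipa_hbac_rule_state *state;
    const char *host_dn;
    char *host_dn_clean;
    char *host_group_clean;
    char *rule_filter;
    const char **memberof_list = NULL;

    req = tevent_req_create(mem_ctx, &state, struct ipa_hbac_rule_state);
    if (req == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n");
        return NULL;
    }

    if (ipa_host == NULL) {
        ret = EINVAL;
        DEBUG(SSSDBG_CRIT_FAILURE, "Missing host\n");
        goto immediate;
    }

    ret = sysdb_attrs_get_string(ipa_host, SYSDB_ORIG_DN, &host_dn);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify IPA hostname\n");
        goto immediate;
    }

    /* The DN is spliced into the filter string below; escape it first so
     * that filter metacharacters in it cannot alter the filter structure. */
    ret = sss_filter_sanitize(state, host_dn, &host_dn_clean);
    if (ret != EOK) goto immediate;

    state->ev = ev;
    state->sh = sh;
    state->opts = opts;
    state->search_bases = search_bases;
    state->search_base_iter = 0;

    /* 14 requested attributes plus the terminating NULL. */
    state->attrs = talloc_zero_array(state, const char *, 15);
    if (state->attrs == NULL) {
        ret = ENOMEM;
        goto immediate;
    }
    state->attrs[0] = OBJECTCLASS;
    state->attrs[1] = IPA_CN;
    state->attrs[2] = IPA_UNIQUE_ID;
    state->attrs[3] = IPA_ENABLED_FLAG;
    state->attrs[4] = IPA_ACCESS_RULE_TYPE;
    state->attrs[5] = IPA_MEMBER_USER;
    state->attrs[6] = IPA_USER_CATEGORY;
    state->attrs[7] = IPA_MEMBER_SERVICE;
    state->attrs[8] = IPA_SERVICE_CATEGORY;
    state->attrs[9] = IPA_SOURCE_HOST;
    state->attrs[10] = IPA_SOURCE_HOST_CATEGORY;
    state->attrs[11] = IPA_EXTERNAL_HOST;
    state->attrs[12] = IPA_MEMBER_HOST;
    state->attrs[13] = IPA_HOST_CATEGORY;
    state->attrs[14] = NULL;

    /* The "(|" group is left open here; one term per host group is appended
     * below and the group is closed with "))" afterwards. */
    rule_filter = talloc_asprintf(state,
                                  "(&(objectclass=%s)"
                                  "(%s=%s)(%s=%s)"
                                  "(|(%s=%s)(%s=%s)",
                                  IPA_HBAC_RULE,
                                  IPA_ENABLED_FLAG, IPA_TRUE_VALUE,
                                  IPA_ACCESS_RULE_TYPE, IPA_HBAC_ALLOW,
                                  IPA_HOST_CATEGORY, "all",
                                  IPA_MEMBER_HOST, host_dn_clean);
    if (rule_filter == NULL) {
        ret = ENOMEM;
        goto immediate;
    }

    /* Add all parent groups of ipa_hostname to the filter */
    ret = sysdb_attrs_get_string_array(ipa_host, SYSDB_ORIG_MEMBEROF,
                                       state, &memberof_list);
    if (ret != EOK && ret != ENOENT) {
        /* Fail the request here: memberof_list is not known to be set on
         * this path, so the loop below must not walk it. */
        DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify.\n");
        goto immediate;
    } else if (ret == ENOENT) {
        /* This host is not a member of any hostgroups */
        memberof_list = talloc_array(state, const char *, 1);
        if (memberof_list == NULL) {
            ret = ENOMEM;
            goto immediate;
        }
        memberof_list[0] = NULL;
    }

    for (i = 0; memberof_list[i]; i++) {
        /* Same escaping as for the host DN: every value that ends up in
         * the filter text is sanitized first. */
        ret = sss_filter_sanitize(state,
                                  memberof_list[i],
                                  &host_group_clean);
        if (ret != EOK) goto immediate;

        rule_filter = talloc_asprintf_append(rule_filter, "(%s=%s)",
                                             IPA_MEMBER_HOST,
                                             host_group_clean);
        if (rule_filter == NULL) {
            ret = ENOMEM;
            goto immediate;
        }
    }

    rule_filter = talloc_asprintf_append(rule_filter, "))");
    if (rule_filter == NULL) {
        ret = ENOMEM;
        goto immediate;
    }
    state->rules_filter = talloc_steal(state, rule_filter);

    ret = ipa_hbac_rule_info_next(req, state);
    if (ret != EAGAIN) {
        if (ret == EOK) {
            /* ipa_hbac_rule_info_next should always have a search base when
             * called for the first time.
             *
             * For the subsequent iterations, not finding any more search bases
             * is fine though (thus the function returns EOK).
             *
             * As, here, it's the first case happening, let's return EINVAL.
             */
            ret = EINVAL;
        }
        goto immediate;
    }

    return req;

immediate:
    if (ret == EOK) {
        tevent_req_done(req);
    } else {
        tevent_req_error(req, ret);
    }
    tevent_req_post(req, ev);
    return req;
}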
/**
 * Send the LDAP search for the search base at state->search_base_iter.
 *
 * The request's rule filter is combined with the filter of that search base
 * and the result replaces state->cur_filter.
 *
 * @param req    request that is passed to the completion callback.
 * @param state  state of that request.
 *
 * @return EAGAIN when a search was sent (ipa_hbac_rule_info_done runs on
 *         completion), EOK when the current entry is NULL, i.e. no search
 *         base is left, ENOMEM when the combined filter or the search
 *         request could not be created.
 */
static errno_t
ipa_hbac_rule_info_next(struct tevent_req *req,
                        struct ipa_hbac_rule_state *state)
{
    struct sdap_search_base *cur_base =
            state->search_bases[state->search_base_iter];
    struct tevent_req *search_req;
    int timeout;

    /* A NULL entry marks the end of the search-base array. */
    if (cur_base == NULL) {
        return EOK;
    }

    /* Drop the filter of the previous base before building the next one. */
    talloc_zfree(state->cur_filter);
    state->cur_filter = sdap_combine_filters(state, state->rules_filter,
                                             cur_base->filter);
    if (state->cur_filter == NULL) {
        return ENOMEM;
    }

    DEBUG(SSSDBG_TRACE_FUNC, "Sending request for next search base: "
                              "[%s][%d][%s]\n", cur_base->basedn, cur_base->scope,
                              state->cur_filter);

    timeout = dp_opt_get_int(state->opts->basic, SDAP_ENUM_SEARCH_TIMEOUT);
    search_req = sdap_get_generic_send(state, state->ev, state->opts,
                                       state->sh,
                                       cur_base->basedn, cur_base->scope,
                                       state->cur_filter, state->attrs,
                                       NULL, 0,
                                       timeout,
                                       true);
    if (search_req == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_generic_send failed.\n");
        return ENOMEM;
    }

    tevent_req_set_callback(search_req, ipa_hbac_rule_info_done, req);
    return EAGAIN;
}
/**
 * Completion callback for one search-base query.
 *
 * Appends the rules returned for this base to state->rules, then moves on to
 * the next search base. When no base is left the request finishes: with
 * success if at least one rule was collected, with ENOENT otherwise.
 *
 * NOTE(review): how the caller maps ENOENT ("No rules apply to this host")
 * to an access decision is not visible in this file - confirm it is treated
 * as a denial.
 *
 * @param subreq  the finished search; its callback data is the HBAC request.
 */
static void
ipa_hbac_rule_info_done(struct tevent_req *subreq)
{
    struct tevent_req *req =
            tevent_req_callback_data(subreq, struct tevent_req);
    struct ipa_hbac_rule_state *state =
            tevent_req_data(req, struct ipa_hbac_rule_state);
    struct sysdb_attrs **found;
    size_t found_count;
    size_t new_total;
    int src;
    errno_t ret;

    ret = sdap_get_generic_recv(subreq, state, &found_count, &found);
    if (ret != EOK) {
        DEBUG(SSSDBG_MINOR_FAILURE, "Could not retrieve HBAC rules\n");
        tevent_req_error(req, ret);
        return;
    }

    if (found_count > 0) {
        /* Grow the accumulated array to make room for this base's rules. */
        new_total = found_count + state->rule_count;
        state->rules = talloc_realloc(state, state->rules,
                                      struct sysdb_attrs *,
                                      new_total);
        if (state->rules == NULL) {
            tevent_req_error(req, ENOMEM);
            return;
        }

        /* Re-parent each new rule onto the accumulated array. */
        for (src = 0; state->rule_count < new_total; src++) {
            state->rules[state->rule_count] =
                    talloc_steal(state->rules, found[src]);
            state->rule_count++;
        }
    }

    state->search_base_iter++;
    ret = ipa_hbac_rule_info_next(req, state);
    if (ret == EAGAIN) {
        /* Another search is in flight; this callback runs again later. */
        return;
    }
    if (ret != EOK) {
        tevent_req_error(req, ret);
        return;
    }
    if (state->rule_count == 0) {
        DEBUG(SSSDBG_MINOR_FAILURE, "No rules apply to this host\n");
        tevent_req_error(req, ENOENT);
        return;
    }

    /* We went through all search bases and we have some results */
    tevent_req_done(req);
}
/**
 * Collect the result of a finished HBAC rule lookup.
 *
 * @param req         the request created by ipa_hbac_rule_info_send().
 * @param mem_ctx     talloc context that takes over the rule array.
 * @param rule_count  receives the number of rules.
 * @param rules       receives the rule array, re-parented to mem_ctx.
 *
 * @return EOK on success. If the request ended in an error,
 *         TEVENT_REQ_RETURN_ON_ERROR returns before the outputs are written.
 */
errno_t
ipa_hbac_rule_info_recv(struct tevent_req *req,
                        TALLOC_CTX *mem_ctx,
                        size_t *rule_count,
                        struct sysdb_attrs ***rules)
{
    struct ipa_hbac_rule_state *result;

    result = tevent_req_data(req, struct ipa_hbac_rule_state);

    TEVENT_REQ_RETURN_ON_ERROR(req);

    /* Hand the accumulated array over to the caller's context. */
    *rules = talloc_steal(mem_ctx, result->rules);
    *rule_count = result->rule_count;

    return EOK;
}