ipa_hbac_users.c revision 1dd195b9a3df01a0ef51e9f963201f1f79d1f90b
/*
    SSSD

    Authors:
        Stephen Gallagher <sgallagh@redhat.com>

    Copyright (C) 2011 Red Hat

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
c6a57378d3c54988f525f81e19c0c5d132a0770dTimo Sirainen
#include <stdbool.h>
#include <string.h>
#include <strings.h>

#include "util/util.h"
#include "providers/ipa/ipa_hbac_private.h"
#include "providers/ldap/sdap_async.h"
c6a57378d3c54988f525f81e19c0c5d132a0770dTimo Sirainen
/* State carried across the HBAC group-update steps.
 *
 * NOTE(review): nothing visible in this file reads these fields; the
 * request code that uses them presumably lives elsewhere in the provider.
 * Verify that before changing or removing the struct.
 */
struct hbac_update_groups_state {
    struct hbac_ctx *hbac_ctx;
    struct sysdb_ctx *sysdb;
    struct sss_domain_info *domain;
};
b66484774d4059fa10671cbc50b6489fa40b117fTimo Sirainen
c6a57378d3c54988f525f81e19c0c5d132a0770dTimo Sirainen
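/* Return true if DN component `index` has attribute name `name` and a
 * value that is exactly `value` (both compared case-insensitively).
 *
 * The value is compared by length AND content. An ldb_val is not
 * NUL-terminated, and comparing only `length` bytes would accept any
 * prefix of `value` ("cn=group" or "cn=g" would pass for "groups"),
 * which is the wrong answer for a fixed structural component.
 */
static bool
dn_component_is(struct ldb_dn *dn, unsigned int index,
                const char *name, const char *value)
{
    const char *comp_name = ldb_dn_get_component_name(dn, index);
    const struct ldb_val *comp_val = ldb_dn_get_component_val(dn, index);

    if (comp_name == NULL || comp_val == NULL) {
        return false;
    }
    if (strcasecmp(name, comp_name) != 0) {
        return false;
    }
    if (comp_val->length != strlen(value)) {
        return false;
    }
    return strncasecmp(value, (const char *) comp_val->data,
                       comp_val->length) == 0;
}

/* Extract the group name from an IPA group DN.
 *
 * The DN is classified purely by its shape: an IPA group DN looks like
 * "cn=<name>,cn=groups,cn=accounts,<base>". No cache lookup is done, so
 * the fixed components must match exactly (see dn_component_is()).
 *
 * This is an IPA-specific hack. It may not work for non-IPA servers and
 * will need to be changed if SSSD ever supports HBAC on a non-IPA server.
 *
 * @param mem_ctx    talloc context that owns the returned groupname
 * @param sysdb      sysdb whose ldb context is used to parse the DN
 * @param group_dn   DN string to inspect
 * @param groupname  set to the RDN value on success, NULL otherwise
 *
 * Returns EOK and populates groupname if group_dn is actually a group.
 * Returns ENOENT if group_dn does not point at a group.
 * Returns EINVAL if there is a parsing error.
 * Returns ENOMEM as appropriate.
 */
errno_t
get_ipa_groupname(TALLOC_CTX *mem_ctx,
                  struct sysdb_ctx *sysdb,
                  const char *group_dn,
                  const char **groupname)
{
    errno_t ret;
    struct ldb_dn *dn;
    const char *rdn_name;
    const struct ldb_val *rdn_val;

    *groupname = NULL;

    dn = ldb_dn_new(mem_ctx, sysdb_ctx_get_ldb(sysdb), group_dn);
    if (dn == NULL) {
        ret = ENOMEM;
        goto done;
    }

    if (!ldb_dn_validate(dn)) {
        ret = EINVAL;
        goto done;
    }

    /* RDN, cn=groups, cn=accounts, and at least one DC= component.
     * Anything shorter cannot be a group DN. */
    if (ldb_dn_get_comp_num(dn) < 4) {
        ret = ENOENT;
        goto done;
    }

    rdn_name = ldb_dn_get_rdn_name(dn);
    if (rdn_name == NULL) {
        /* Shouldn't happen if ldb_dn_validate() passed, but be careful. */
        ret = EINVAL;
        goto done;
    }

    /* The RDN must be "cn=<groupname>" ... */
    if (strcasecmp("cn", rdn_name) != 0) {
        ret = ENOENT;
        goto done;
    }

    /* ... the second component must be exactly "cn=groups" ... */
    if (!dn_component_is(dn, 1, "cn", "groups")) {
        ret = ENOENT;
        goto done;
    }

    /* ... and the third component must be exactly "cn=accounts". */
    if (!dn_component_is(dn, 2, "cn", "accounts")) {
        ret = ENOENT;
        goto done;
    }

    /* Then the value of the RDN is the group name. */
    rdn_val = ldb_dn_get_rdn_val(dn);
    *groupname = talloc_strndup(mem_ctx,
                                (const char *) rdn_val->data,
                                rdn_val->length);
    if (*groupname == NULL) {
        ret = ENOMEM;
        goto done;
    }

    ret = EOK;

done:
    talloc_free(dn);
    return ret;
}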
b66484774d4059fa10671cbc50b6489fa40b117fTimo Sirainen
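/* Build the "users" element of an HBAC rule from its memberUser values.
 *
 * Each memberUser value is an original DN. It is resolved, in order, as a
 * cached user, then a cached POSIX group, then (by DN shape only, see
 * get_ipa_groupname()) a non-POSIX group. A value that matches none of
 * these is logged and skipped, as is one that matches more than one cache
 * entry. If the rule's user category is "all", the element carries only
 * the category and no names.
 *
 * @param mem_ctx     owner of the returned element on success
 * @param sysdb       cache the original DNs are resolved against
 * @param domain      not used here; kept for interface compatibility
 * @param rule_name   rule name, used only in debug output
 * @param rule_attrs  the rule's attributes (IPA_USER_CATEGORY, IPA_MEMBER_USER)
 * @param users       receives the new element on EOK; untouched otherwise
 *
 * Returns EOK on success, ENOMEM on allocation failure, EFAULT if a matched
 * cache entry lacks SYSDB_NAME, or the error from the underlying lookups.
 */
errno_t
hbac_user_attrs_to_rule(TALLOC_CTX *mem_ctx,
                        struct sysdb_ctx *sysdb,
                        struct sss_domain_info *domain,
                        const char *rule_name,
                        struct sysdb_attrs *rule_attrs,
                        struct hbac_rule_element **users)
{
    errno_t ret;
    TALLOC_CTX *tmp_ctx = NULL;
    struct hbac_rule_element *new_users = NULL;
    struct ldb_message_element *el = NULL;
    struct ldb_message **msgs = NULL;
    char *filter;
    char *member_dn;
    const char *member_user;
    const char *attrs[] = { SYSDB_NAME, NULL };
    size_t num_values = 0;
    size_t num_users = 0;
    size_t num_groups = 0;
    const char *name;
    size_t count;
    size_t i;

    tmp_ctx = talloc_new(mem_ctx);
    if (tmp_ctx == NULL) return ENOMEM;

    new_users = talloc_zero(tmp_ctx, struct hbac_rule_element);
    if (new_users == NULL) {
        ret = ENOMEM;
        goto done;
    }

    DEBUG(7, ("Processing users for rule [%s]\n", rule_name));

    ret = hbac_get_category(rule_attrs, IPA_USER_CATEGORY,
                            &new_users->category);
    if (ret != EOK) {
        DEBUG(1, ("Could not identify user categories\n"));
        goto done;
    }
    if (new_users->category & HBAC_CATEGORY_ALL) {
        /* Short-cut to the exit */
        ret = EOK;
        goto done;
    }

    ret = sysdb_attrs_get_el(rule_attrs, IPA_MEMBER_USER, &el);
    if (ret != EOK && ret != ENOENT) {
        DEBUG(1, ("sysdb_attrs_get_el failed.\n"));
        goto done;
    }
    /* On ENOENT nothing guarantees `el` points at an element (it starts
     * out NULL), so keep the value count in a local rather than reading
     * or writing el->num_values in that case. */
    if (ret == EOK) {
        num_values = el->num_values;
    }
    if (num_values == 0) {
        DEBUG(4, ("No user specified, rule will never apply.\n"));
    }

    /* Each value becomes at most one user or one group, so both arrays
     * are sized for num_values and shrunk after the loop. */
    new_users->names = talloc_array(new_users, const char *, num_values + 1);
    if (new_users->names == NULL) {
        ret = ENOMEM;
        goto done;
    }

    new_users->groups = talloc_array(new_users, const char *, num_values + 1);
    if (new_users->groups == NULL) {
        ret = ENOMEM;
        goto done;
    }

    for (i = 0; i < num_values; i++) {
        /* NOTE(review): the ldb_val is used as a NUL-terminated string;
         * that holds for sysdb string attributes but is not checked here. */
        member_user = (const char *) el->values[i].data;

        /* The DN is user-controlled data from the server; escape it before
         * it is embedded in an LDB filter. */
        ret = sss_filter_sanitize(tmp_ctx, member_user, &member_dn);
        if (ret != EOK) goto done;

        /* The filter is allocated under member_dn, so freeing member_dn at
         * the end of the iteration releases both. */
        filter = talloc_asprintf(member_dn, "(%s=%s)",
                                 SYSDB_ORIG_DN, member_dn);
        if (filter == NULL) {
            ret = ENOMEM;
            goto done;
        }

        /* First check if this is a user */
        ret = sysdb_search_users(tmp_ctx, sysdb, filter, attrs, &count, &msgs);
        if (ret != EOK && ret != ENOENT) goto done;
        if (ret == EOK && count == 0) {
            ret = ENOENT;
        }

        if (ret == EOK) {
            if (count > 1) {
                DEBUG(1, ("Original DN matched multiple users. Skipping \n"));
                talloc_zfree(member_dn);
                continue;
            }

            /* Original DN matched a single user. Get the username */
            name = ldb_msg_find_attr_as_string(msgs[0], SYSDB_NAME, NULL);
            if (name == NULL) {
                DEBUG(1, ("Attribute is missing!\n"));
                ret = EFAULT;
                goto done;
            }

            new_users->names[num_users] = talloc_strdup(new_users->names,
                                                        name);
            if (new_users->names[num_users] == NULL) {
                ret = ENOMEM;
                goto done;
            }
            DEBUG(8, ("Added user [%s] to rule [%s]\n",
                      name, rule_name));
            num_users++;
        } else {
            /* Check if it is a group instead */
            ret = sysdb_search_groups(tmp_ctx, sysdb,
                                      filter, attrs, &count, &msgs);
            if (ret != EOK && ret != ENOENT) goto done;
            if (ret == EOK && count == 0) {
                ret = ENOENT;
            }

            if (ret == EOK) {
                if (count > 1) {
                    DEBUG(1, ("Original DN matched multiple groups. "
                              "Skipping\n"));
                    talloc_zfree(member_dn);
                    continue;
                }

                /* Original DN matched a single group. Get the groupname */
                name = ldb_msg_find_attr_as_string(msgs[0], SYSDB_NAME, NULL);
                if (name == NULL) {
                    DEBUG(1, ("Attribute is missing!\n"));
                    ret = EFAULT;
                    goto done;
                }

                new_users->groups[num_groups] =
                        talloc_strdup(new_users->groups, name);
                if (new_users->groups[num_groups] == NULL) {
                    ret = ENOMEM;
                    goto done;
                }
                DEBUG(8, ("Added POSIX group [%s] to rule [%s]\n",
                          name, rule_name));
                num_groups++;
            } else {
                /* If the group still matches the group pattern,
                 * we can assume it is a non-POSIX group.
                 */
                ret = get_ipa_groupname(new_users->groups, sysdb, member_user,
                                        &new_users->groups[num_groups]);
                if (ret == EOK) {
                    DEBUG(8, ("Added non-POSIX group [%s] to rule [%s]\n",
                              new_users->groups[num_groups], rule_name));
                    num_groups++;
                } else if (ret == ENOMEM) {
                    /* Allocation failure is not "not a group"; propagate
                     * it instead of silently dropping the member. */
                    goto done;
                } else {
                    /* Not a group, so we don't care about it */
                    DEBUG(1, ("[%s] does not map to either a user or group. "
                              "Skipping\n", member_dn));
                }
            }
        }
        talloc_zfree(member_dn);
    }

    new_users->names[num_users] = NULL;
    new_users->groups[num_groups] = NULL;

    /* Shrink the arrays down to their real sizes */
    new_users->names = talloc_realloc(new_users, new_users->names,
                                      const char *, num_users + 1);
    if (new_users->names == NULL) {
        ret = ENOMEM;
        goto done;
    }
    new_users->groups = talloc_realloc(new_users, new_users->groups,
                                       const char *, num_groups + 1);
    if (new_users->groups == NULL) {
        ret = ENOMEM;
        goto done;
    }

    ret = EOK;

done:
    if (ret == EOK) {
        /* Hand the element to the caller; everything else dies with tmp_ctx. */
        *users = talloc_steal(mem_ctx, new_users);
    }
    talloc_free(tmp_ctx);
    return ret;
}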