ipa_hbac_common.c revision b860f8b6b6b03982c80268e9f6fd35f6455b6b37
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher Stephen Gallagher <sgallagh@redhat.com>
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher Copyright (C) 2011 Red Hat
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher This program is free software; you can redistribute it and/or modify
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher it under the terms of the GNU General Public License as published by
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher the Free Software Foundation; either version 3 of the License, or
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher (at your option) any later version.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher This program is distributed in the hope that it will be useful,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher but WITHOUT ANY WARRANTY; without even the implied warranty of
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher GNU General Public License for more details.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher You should have received a copy of the GNU General Public License
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher along with this program. If not, see <http://www.gnu.org/licenses/>.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher#include "providers/ipa/ipa_hbac_private.h"
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorceipa_hbac_save_list(struct sss_domain_info *domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *naming_attribute, size_t count,
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce base_dn = sysdb_custom_subtree_dn(domain->sysdb, tmp_ctx,
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce ret = sysdb_delete_recursive(domain->sysdb, base_dn, true);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("sysdb_delete_recursive failed.\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher for (c = 0; c < count; c++) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_el(list[c], naming_attribute, &el);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("sysdb_attrs_get_el failed.\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("[%s] not found.\n", naming_attribute));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher object_name = talloc_strndup(tmp_ctx, (const char *)el->values[0].data,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(9, ("Object name: [%s].\n", object_name));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("sysdb_store_custom failed.\n"));
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorceipa_hbac_sysdb_save(struct sss_domain_info *domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *primary_subdir, const char *attr_name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher size_t primary_count, struct sysdb_attrs **primary,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *group_subdir, const char *groupattr_name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher size_t group_count, struct sysdb_attrs **groups)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if ((primary_count == 0 || primary == NULL)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* There always has to be at least one
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * primary entry.
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Save the entries and groups to the cache */
21d485184df986e1a123f70c689517386e51a5ceMichal Zidek DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to start transaction\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* First, save the specific entries */
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce ret = ipa_hbac_save_list(domain, true, primary_subdir,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Could not save %s. [%d][%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Second, save the groups */
e0404de84c31d2387bb244d018a5cac8d01f8b19Simo Sorce ret = ipa_hbac_save_list(domain, true, group_subdir,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Could not save %s. [%d][%s]\n",
21d485184df986e1a123f70c689517386e51a5ceMichal Zidek DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to commit transaction\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(0, ("Could not cancel sysdb transaction\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(3, ("Error [%d][%s]\n", ret, strerror(ret)));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherreplace_attribute_name(const char *old_name,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher for (i = 0; i < count; i++) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_replace_name(list[i], old_name, new_name);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("sysdb_attrs_replace_name failed.\n"));
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozekcreate_empty_grouplist(struct hbac_request_element *el)
3d8a87081a6cd197acbd355b5a39111669ec2aa6Jakub Hrozek el->groups = talloc_array(el, const char *, 1);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher/********************************************
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * Functions for handling conversion to the *
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * HBAC evaluator format *
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ********************************************/
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* First create an array of rules */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rules = talloc_array(tmp_ctx, struct hbac_rule *,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Create each rule one at a time */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher for (i = 0; i < hbac_ctx->rule_count ; i++) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = hbac_attrs_to_rule(new_rules, hbac_ctx, i, &(new_rules[i]));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Create the eval request */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = hbac_ctx_to_eval_request(tmp_ctx, hbac_ctx, &new_request);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Could not construct eval request\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *rules = talloc_steal(mem_ctx, new_rules);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *request = talloc_steal(mem_ctx, new_request);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule = talloc_zero(mem_ctx, struct hbac_rule);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_el(hbac_ctx->rules[idx],
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(4, ("rule has no name, assuming '(none)'.\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher new_rule->name = talloc_strdup(new_rule, "(none)");
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(7, ("Processing rule [%s]\n", new_rule->name));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_bool(hbac_ctx->rules[idx], IPA_ENABLED_FLAG,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_string(hbac_ctx->rules[idx],
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (strcasecmp(rule_type, IPA_HBAC_ALLOW) != 0) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(7, ("Rule [%s] is not an ALLOW rule\n", new_rule->name));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the users */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Could not parse users for rule [%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the services */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = hbac_service_attrs_to_rule(new_rule,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Could not parse services for rule [%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the target hosts */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Could not parse target hosts for rule [%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the source hosts */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Could not parse source hosts for rule [%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_get_category(struct sysdb_attrs *attrs,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = sysdb_attrs_get_string_array(attrs, category_attr,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher for (i = 0; categories[i]; i++) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (strcasecmp("all", categories[i]) == 0) {
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(5, ("Category is set to 'all'.\n"));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(9, ("Unsupported user category [%s].\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_user_element(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **user_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_service_element(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **svc_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_host_element(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **host_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct sss_domain_info *domain = hbac_ctx_be(hbac_ctx)->domain;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher eval_req = talloc_zero(tmp_ctx, struct hbac_eval_req);
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose /* Get user the user name and groups,
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose * take care of subdomain users as well */
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose user_dom = new_subdomain(tmp_ctx, domain, pd->domain, NULL, NULL);
94a66f84bd3c28fcabffeb84c682dccf89d89c2bSumit Bose DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
2ce00e0d3896bb42db169d1e79553a81ca837a22Simo Sorce ret = hbac_eval_user_element(eval_req, user_dom->sysdb, user_dom,
b860f8b6b6b03982c80268e9f6fd35f6455b6b37Simo Sorce ret = hbac_eval_user_element(eval_req, domain->sysdb, domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the PAM service and service groups */
b860f8b6b6b03982c80268e9f6fd35f6455b6b37Simo Sorce ret = hbac_eval_service_element(eval_req, domain->sysdb, domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Get the source host */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher if (pd->rhost == NULL || pd->rhost[0] == '\0') {
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher /* If we haven't been passed an rhost,
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher * the rhost is unknown. This will fail
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher * to match any rule requiring the
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher * source host.
b860f8b6b6b03982c80268e9f6fd35f6455b6b37Simo Sorce ret = hbac_eval_host_element(eval_req, domain->sysdb, domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* The target host is always the current machine */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher thost = dp_opt_get_cstring(hbac_ctx->ipa_options, IPA_HOSTNAME);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Missing ipa_hostname, this should never happen.\n"));
b860f8b6b6b03982c80268e9f6fd35f6455b6b37Simo Sorce ret = hbac_eval_host_element(eval_req, domain->sysdb, domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *request = talloc_steal(mem_ctx, eval_req);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_user_element(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **user_element)
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher unsigned int i;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher unsigned int num_groups = 0;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher const char *attrs[] = { SYSDB_ORIG_MEMBEROF, NULL };
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher users = talloc_zero(tmp_ctx, struct hbac_request_element);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Read the originalMemberOf attribute
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * This will give us the list of both POSIX and
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher * non-POSIX groups that this user belongs to.
2ce00e0d3896bb42db169d1e79553a81ca837a22Simo Sorce ret = sysdb_search_user_by_name(tmp_ctx, sysdb, domain,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(1, ("Could not determine user memberships for [%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher el = ldb_msg_find_element(msg, SYSDB_ORIG_MEMBEROF);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(7, ("No groups for [%s]\n", users->name));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(7, ("[%d] groups for [%s]\n", el->num_values, users->name));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher users->groups = talloc_array(users, const char *, el->num_values + 1);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher member_dn = (const char *)el->values[i].data;
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher ret = get_ipa_groupname(users->groups, sysdb, member_dn,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(3, ("Parse error on [%s]\n", member_dn));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(7, ("Added group [%s] for user [%s]\n",
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Skip entries that are not groups */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher DEBUG(8, ("Skipping non-group memberOf [%s]\n", member_dn));
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher /* Shrink the array memory */
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher users->groups = talloc_realloc(users, users->groups, const char *,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher *user_element = talloc_steal(mem_ctx, users);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_service_element(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **svc_element)
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher const char *memberof_attrs[] = { SYSDB_ORIG_MEMBEROF, NULL };
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher svc = talloc_zero(tmp_ctx, struct hbac_request_element);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* Look up the service to get its originalMemberOf entries */
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher ret = sysdb_search_entry(tmp_ctx, sysdb, svc_dn,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* We won't be able to identify any groups
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * This rule will only match the name or
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * a service category of ALL
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher DEBUG(1, ("More than one result for a BASE search!\n"));
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher el = ldb_msg_find_element(msgs[0], SYSDB_ORIG_MEMBEROF);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* Service is not a member of any groups
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * This rule will only match the name or
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * a service category of ALL
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher svc->groups = talloc_array(svc, const char *, el->num_values + 1);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher for (i = j = 0; i < el->num_values; i++) {
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher ret = get_ipa_servicegroupname(tmp_ctx, sysdb,
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher /* ENOENT means we had a memberOf entry that wasn't a
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher * service group. We'll just ignore those (could be
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher svc->groups[j] = talloc_steal(svc->groups, name);
f5e22261a2ff95f2a61f4f199fffb8de79668110Stephen Gallagher *svc_element = talloc_steal(mem_ctx, svc);
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagherhbac_eval_host_element(TALLOC_CTX *mem_ctx,
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher struct hbac_request_element **host_element)
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher const char *memberof_attrs[] = { SYSDB_ORIG_MEMBEROF, NULL };
e134a6af42102c8d865e82bf89e0b8c5a40fb5faStephen Gallagher host = talloc_zero(tmp_ctx, struct hbac_request_element);
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher /* We don't know the host (probably an rhost)
9b72b00ebcfd6225a4e139619c8e18d44a448f87Stephen Gallagher * So we can't determine it's groups either.
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher /* Look up the host to get its originalMemberOf entries */
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher ret = sysdb_search_entry(tmp_ctx, sysdb, host_dn,
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher /* We won't be able to identify any groups
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * This rule will only match the name or
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * a host category of ALL
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher DEBUG(1, ("More than one result for a BASE search!\n"));
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher el = ldb_msg_find_element(msgs[0], SYSDB_ORIG_MEMBEROF);
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher /* Host is not a member of any groups
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * This rule will only match the name or
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * a host category of ALL
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher host->groups = talloc_array(host, const char *, el->num_values + 1);
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher for (i = j = 0; i < el->num_values; i++) {
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher ret = get_ipa_hostgroupname(tmp_ctx, sysdb,
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher if (ret != EOK && ret != ENOENT) goto done;
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher /* ENOENT means we had a memberOf entry that wasn't a
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher * host group. We'll just ignore those (could be
c1fcc832ccfc237caac8b99be238cf2d598f908cStephen Gallagher host->groups[j] = talloc_steal(host->groups, name);