ipa_hbac_users.c revision 1243e093fd31c5660adf1bb3dd477d6935a755be
/*
SSSD
Authors:
Stephen Gallagher <sgallagh@redhat.com>
Copyright (C) 2011 Red Hat
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "providers/ipa/ipa_hbac_private.h"
#include "providers/ldap/sdap_async.h"
/* Returns EOK and populates groupname if
 * the group_dn is actually a group.
 * Returns ENOENT if group_dn does not point
 * at a group.
 * Returns EINVAL if there is a parsing error.
 * Returns ENOMEM as appropriate
 *
 * "Is a group" is decided from the shape of the DN alone: an RDN
 * whose attribute is "cn", followed by "cn=groups", then
 * "cn=accounts", then at least one DC= component (the checks
 * below). The DN is not looked up anywhere in the code shown here.
 */
const char *group_dn,
const char **groupname)
{
const char *rdn_name;
const char *group_comp_name;
const char *account_comp_name;
const struct ldb_val *group_comp_val;
const struct ldb_val *account_comp_val;
/* This is an IPA-specific hack. It may not
 * work for non-IPA servers and will need to
 * be changed if SSSD ever supports HBAC on
 * a non-IPA server.
 */
goto done;
}
if (!ldb_dn_validate(dn)) {
goto done;
}
/* The DN needs at least four components:
 * RDN, groups, accounts, and at least one DC= */
/* If it's fewer, it's not a group DN */
goto done;
}
/* If the RDN name is 'cn' */
/* Shouldn't happen if ldb_dn_validate()
 * passed, but we'll be careful.
 */
goto done;
}
/* RDN has the wrong attribute name.
 * It's not a group.
 */
goto done;
}
/* and the second component is "cn=groups" */
/* The second component name is not "cn" */
goto done;
}
/* NOTE(review): bounding strncasecmp() by the value's own length makes
 * this a prefix test, not an equality test: a value such as "group"
 * (5 bytes) compares equal to the first 5 bytes of "groups". Checking
 * group_comp_val->length == strlen("groups") as well would make the
 * match exact. Whether an IPA tree can contain a DN of that shape is
 * not established here.
 */
if (strncasecmp("groups",
(const char *) group_comp_val->data,
group_comp_val->length) != 0) {
/* The second component value is not "groups" */
goto done;
}
/* and the third component is "cn=accounts" */
/* The third component name is not "cn" */
goto done;
}
/* NOTE(review): same prefix-vs-equality caveat as for "groups" above;
 * account_comp_val->length == strlen("accounts") would close it.
 */
if (strncasecmp("accounts",
(const char *) account_comp_val->data,
account_comp_val->length) != 0) {
/* The third component value is not "accounts" */
goto done;
}
/* Then the value of the RDN is the group name */
goto done;
}
done:
return ret;
}
/* Build the "users" element of an HBAC rule from the rule's member
 * attribute. Each member DN is resolved against sysdb, first as a
 * user and then as a group. A DN whose lookup is ambiguous (more than
 * one match) is logged and skipped; a DN that matches no sysdb group
 * but still has the IPA group-DN shape is recorded as a non-POSIX
 * group; anything else is logged and dropped. When the rule carries no
 * member attribute the element is left empty, so the rule can never
 * match anyone (see the "No user specified" message below).
 *
 * domain     - domain the member DNs are resolved in (presumably; the
 *              lookup calls themselves are not shown in this listing)
 * rule_name  - name of the rule, presumably the [%s] in the
 *              "to rule" debug messages below
 * rule_attrs - attributes of the rule as fetched from the server
 * users      - out: the populated element; its arrays are sized
 *              num_users + 1 / num_groups + 1 (presumably for a
 *              NULL terminator)
 */
struct sss_domain_info *domain,
const char *rule_name,
struct sysdb_attrs *rule_attrs,
struct hbac_rule_element **users)
{
char *filter;
char *member_dn;
const char *member_user;
size_t num_groups = 0;
const char *name;
size_t i;
goto done;
}
goto done;
}
/* Short-cut to the exit */
goto done;
}
goto done;
}
/* No member attribute on the rule: leave the element empty. */
el->num_values = 0;
"No user specified, rule will never apply.\n");
}
const char *,
goto done;
}
const char *,
goto done;
}
for (i = 0; i < el->num_values; i++) {
goto done;
}
/* First check if this is a user */
}
/* NOTE(review): an ambiguous member (several sysdb users for one DN)
 * is dropped from the rule rather than failing the rule, so the rule
 * applies to fewer principals than the server defines. For an allow
 * rule this errs toward denying access; the message below is the only
 * trace of it.
 */
if (count > 1) {
"Original DN matched multiple users. Skipping \n");
continue;
}
/* Original DN matched a single user. Get the username */
goto done;
}
name);
goto done;
}
num_users++;
} else {
/* Check if it is a group instead */
}
/* Same skip-on-ambiguity behaviour as for users above. */
if (count > 1) {
"Original DN matched multiple groups. "
"Skipping\n");
continue;
}
/* Original DN matched a single group. Get the groupname */
goto done;
}
goto done;
}
"Added POSIX group [%s] to rule [%s]\n",
num_groups++;
} else {
/* If the group still matches the group pattern,
* we can assume it is a non-POSIX group.
*/
/* NOTE(review): "non-POSIX group" here means only that the DN has
 * the IPA group-DN shape and no sysdb group matched it; nothing
 * visible here confirms that such a group exists on the server.
 */
"Added non-POSIX group [%s] to rule [%s]\n",
num_groups++;
} else {
/* Not a group, so we don't care about it */
"[%s] does not map to either a user or group. "
"Skipping\n", member_dn);
}
}
}
}
/* Shrink the arrays down to their real sizes */
const char *, num_users + 1);
goto done;
}
const char *, num_groups + 1);
goto done;
}
done:
}
return ret;
}