sdap_access.c revision 94a66f84bd3c28fcabffeb84c682dccf89d89c2b
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak Stephen Gallagher <sgallagh@redhat.com>
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak Copyright (C) 2010 Red Hat
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak This program is free software; you can redistribute it and/or modify
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak it under the terms of the GNU General Public License as published by
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen the Free Software Foundation; either version 3 of the License, or
2e545ce2450a9953665f701bb05350f0d3f26275nd (at your option) any later version.
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen This program is distributed in the hope that it will be useful,
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak but WITHOUT ANY WARRANTY; without even the implied warranty of
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak GNU General Public License for more details.
3f08db06526d6901aa08c110b5bc7dde6bc39905nd You should have received a copy of the GNU General Public License
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak along with this program. If not, see <http://www.gnu.org/licenses/>.
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniakstatic void sdap_access_reply(struct be_req *be_req, int pam_status)
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak pd = talloc_get_type(be_req->req_data, struct pam_data);
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak if (pam_status == PAM_SUCCESS || pam_status == PAM_PERM_DENIED) {
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarstatic struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar const char *username,
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarstatic void sdap_access_filter_done(struct tevent_req *subreq);
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarstatic struct tevent_req *sdap_account_expired_send(TALLOC_CTX *mem_ctx,
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarstatic errno_t sdap_access_service_recv(struct tevent_req *req,
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarstatic void sdap_access_service_done(struct tevent_req *subreq);
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarstatic void sdap_account_expired_done(struct tevent_req *subreq);
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarstatic errno_t sdap_access_host_recv(struct tevent_req *req,
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarstatic void sdap_access_host_done(struct tevent_req *subreq);
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar talloc_get_type(breq->be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
1f1b6bf13313fdd14a45e52e553d3ff28689b717coarstatic errno_t select_next_rule(struct tevent_req *req);
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar req = tevent_req_create(mem_ctx, &state, struct sdap_access_req_ctx);
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar DEBUG(6, ("Performing access check for user [%s]\n", pd->user));
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar DEBUG(3, ("No access rules defined, access denied.\n"));
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak /* Get original user DN, take care of subdomain users as well */
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak if (strcasecmp(pd->domain, be_req->be_ctx->domain->name) != 0) {
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak user_dom = new_subdomain(state, be_req->be_ctx->domain, pd->domain,
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak DEBUG(SSSDBG_OP_FAILURE, ("new_subdomain failed.\n"));
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak /* If we can't find the user, return permission denied */
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak /* If we can't find the user, return permission denied */
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak DEBUG(1, ("Invalid response from sysdb_get_user_attr\n"));
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniakstatic errno_t select_next_rule(struct tevent_req *req)
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak switch (state->access_ctx->access_rule[state->current_rule]) {
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak subreq = sdap_access_filter_send(state, state->ev, state->be_req,
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak tevent_req_set_callback(subreq, sdap_access_filter_done, req);
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak subreq = sdap_account_expired_send(state, state->ev,
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak tevent_req_set_callback(subreq, sdap_account_expired_done, req);
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak subreq = sdap_access_service_send(state, state->ev,
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak tevent_req_set_callback(subreq, sdap_access_service_done, req);
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak tevent_req_set_callback(subreq, sdap_access_host_done, req);
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak DEBUG(1, ("Unexpected access rule type. Access denied.\n"));
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniakstatic void next_access_rule(struct tevent_req *req)
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak#define SHADOW_EXPIRE_MSG "Account expired according to shadow attributes"
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniakstatic errno_t sdap_account_expired_shadow(struct pam_data *pd,
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak const char *val;
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak DEBUG(6, ("Performing access shadow check for user [%s]\n", pd->user));
f21bea4c0f58e17aa1d9a0fac2c219852f89944amaczniak val = ldb_msg_find_attr_as_string(user_entry, SYSDB_SHADOWPW_EXPIRE, NULL);
f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung "Access will be granted.\n"));
cc7e1025de9ac63bd4db6fe7f71c158b2cf09fe4humbedooh DEBUG(1, ("Failed to retrieve shadow expire date.\n"));
int err;
int *pam_status)
int ret;
sizeof(AD_DISABLE_MESSAGE),
sizeof(AD_EXPIRED_MESSAGE),
return EOK;
int *pam_status)
bool locked;
int ret;
if (locked) {
sizeof(RHDS_LOCK_MSG),
return EOK;
char *end;
exp_time_str));
tzset();
div_t q;
if (q.rem > 0) {
int *pam_status)
bool locked = true;
int ret;
const char *exp_time_str;
if (locked) {
sizeof(NDS_DISABLE_MSG),
NULL);
if (locked) {
sizeof(NDS_EXPIRED_MSG),
if (locked) {
sizeof(NDS_TIME_MAP_MSG),
return EOK;
struct sdap_account_expired_req_ctx {
int pam_status;
int ret;
const char *expire;
return NULL;
goto done;
goto done;
goto done;
goto done;
goto done;
goto done;
done:
return req;
return EOK;
struct sdap_access_filter_req_ctx {
const char *username;
const char *filter;
int pam_status;
bool cached_access;
char *basedn;
const char *username,
const char *basedn;
char *clean_username;
return NULL;
return req;
goto finished;
NULL);
goto failed;
goto failed;
goto failed;
goto failed;
goto failed;
goto failed;
return req;
return NULL;
return req;
int ret;
if (!subreq) {
return ret;
return EOK;
struct tevent_req);
NULL, 0,
bool found = false;
goto done;
found = false;
goto done;
goto done;
found = true;
if (found) {
goto done;
goto done;
goto done;
done:
return EOK;
struct sdap_access_service_ctx {
int pam_status;
char *service;
if (!req) {
return NULL;
sizeof(AUTHR_SRV_MISSING_MSG),
goto done;
sizeof(AUTHR_SRV_DENY_MSG),
goto done;
sizeof(AUTHR_SRV_NO_MATCH_MSG),
done:
return req;
int *pam_status)
return EOK;
struct sdap_access_host_ctx {
int pam_status;
char *host;
if (!req) {
return NULL;
goto done;
goto done;
done:
return req;
int *pam_status)
return EOK;
return EOK;