/*
    SSSD

    AD groups helper routines

    Authors:
        Lukas Slebodnik <lslebodn@redhat.com>

    Copyright (C) 2013 Red Hat

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
bad2fc8133d941e5a6c8d8016c9689e039265c61Lukas Slebodnik
bad2fc8133d941e5a6c8d8016c9689e039265c61Lukas Slebodnik#include "db/sysdb.h"
bad2fc8133d941e5a6c8d8016c9689e039265c61Lukas Slebodnik#include "providers/ldap/sdap.h"
bad2fc8133d941e5a6c8d8016c9689e039265c61Lukas Slebodnik#include "providers/ldap/sdap_async_private.h"
bad2fc8133d941e5a6c8d8016c9689e039265c61Lukas Slebodnik
/* ==Group-Parsing Routines=============================================== */
bad2fc8133d941e5a6c8d8016c9689e039265c61Lukas Slebodnik
/**
 * Decide whether an AD group has to be filtered out instead of being
 * treated as a POSIX group.
 *
 * The check only applies when the configured schema is SDAP_SCHEMA_AD; for
 * every other schema the function reports "no filtering" and succeeds.
 *
 * For the AD schema the SYSDB_GROUP_TYPE attribute is read and the group is
 * marked for filtering when either
 *   - the security flag is not set, or
 *   - the domain is a subdomain (trusted domain) and the group carries
 *     neither the global nor the universal scope flag.
 *
 * @param dom           Domain the group belongs to; consulted through
 *                      IS_SUBDOMAIN() only for security groups.
 * @param opts          SDAP options; only schema_type is read here.
 * @param group_attrs   Attributes of the group, expected to contain
 *                      SYSDB_GROUP_TYPE.
 * @param group_name    Group name, used in debug messages only.
 * @param _need_filter  Output: true if the group must be filtered. It is
 *                      reset to false on entry, before any check runs.
 *
 * @return EOK on success, otherwise the error code returned by
 *         sysdb_attrs_get_int32_t().
 *
 * NOTE(review): when reading the group type fails, *_need_filter stays
 * false and only the return code signals the problem. Callers have to check
 * the return value before acting on *_need_filter, otherwise a group whose
 * type could not be determined would be kept rather than filtered.
 */
errno_t sdap_check_ad_group_type(struct sss_domain_info *dom,
                                 struct sdap_options *opts,
                                 struct sysdb_attrs *group_attrs,
                                 const char *group_name,
                                 bool *_need_filter)
{
    int32_t ad_group_type;
    errno_t ret;
    bool is_security;
    bool drop_group = false;

    /* Default answer: keep the group. */
    *_need_filter = false;

    /* Group type flags are an AD concept; nothing to check otherwise. */
    if (opts->schema_type != SDAP_SCHEMA_AD) {
        return EOK;
    }

    ret = sysdb_attrs_get_int32_t(group_attrs, SYSDB_GROUP_TYPE,
                                  &ad_group_type);
    if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_int32_t failed.\n");
        return ret;
    }

    DEBUG(SSSDBG_TRACE_ALL,
          "AD group [%s] has type flags %#x.\n",
          group_name, ad_group_type);

    /* Only security groups from AD are considered for POSIX groups. */
    is_security = (ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY) != 0;

    if (!is_security) {
        drop_group = true;
    } else if (IS_SUBDOMAIN(dom)) {
        /* For trusted domains only global and universal groups are taken
         * into account. */
        drop_group = !((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
                       || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL));
    }

    if (drop_group) {
        DEBUG(SSSDBG_TRACE_FUNC,
              "Filtering AD group [%s].\n", group_name);

        *_need_filter = true;
    }

    return EOK;
}