Implemented support for multiple search bases in HBAC rules and services

SSSD · Feb 6, 2012 · 71ad247 · 71ad247
1 parent 8a36504
commit 71ad247
Show file tree

Hide file tree

Showing 10 changed files with 365 additions and 116 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -1067,6 +1067,7 @@ libsss_ipa_la_SOURCES = \
     src/providers/ipa/ipa_hbac_hosts.c \
     src/providers/ipa/ipa_hbac_private.h \
     src/providers/ipa/ipa_hbac_rules.c \
+    src/providers/ipa/ipa_hbac_rules.h \
     src/providers/ipa/ipa_hbac_services.c \
     src/providers/ipa/ipa_hbac_users.c \
     src/providers/ipa/ipa_hbac_common.c \

diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
@@ -31,30 +31,7 @@
 #include "providers/ipa/ipa_access.h"
 #include "providers/ipa/ipa_hbac.h"
 #include "providers/ipa/ipa_hbac_private.h"
-
-static char *get_hbac_search_base(TALLOC_CTX *mem_ctx,
-                                  struct dp_option *ipa_options)
-{
-    char *base;
-    int ret;
-
-    base = dp_opt_get_string(ipa_options, IPA_HBAC_SEARCH_BASE);
-    if (base != NULL) {
-        return talloc_strdup(mem_ctx, base);
-    }
-
-    DEBUG(9, ("ipa_hbac_search_base not available, trying base DN.\n"));
-
-    ret = domain_to_basedn(mem_ctx,
-                           dp_opt_get_string(ipa_options, IPA_KRB5_REALM),
-                           &base);
-    if (ret != EOK) {
-        DEBUG(1, ("domain_to_basedn failed.\n"));
-        return NULL;
-    }
-
-    return base;
-}
+#include "providers/ipa/ipa_hbac_rules.h"
 
 static void ipa_access_reply(struct hbac_ctx *hbac_ctx, int pam_status)
 {
@@ -119,9 +96,8 @@ void ipa_access_handler(struct be_req *be_req)
     hbac_ctx->sdap_ctx = ipa_access_ctx->sdap_ctx;
     hbac_ctx->ipa_options = ipa_access_ctx->ipa_options;
     hbac_ctx->tr_ctx = ipa_access_ctx->tr_ctx;
-    hbac_ctx->hbac_search_base = get_hbac_search_base(hbac_ctx,
-                                                      hbac_ctx->ipa_options);
-    if (hbac_ctx->hbac_search_base == NULL) {
+    hbac_ctx->search_bases = ipa_access_ctx->hbac_search_bases;
+    if (hbac_ctx->search_bases == NULL) {
         DEBUG(1, ("No HBAC search base found.\n"));
         goto fail;
     }
@@ -334,7 +310,7 @@ static void hbac_get_service_info_step(struct tevent_req *req)
                                     hbac_ctx_sysdb(hbac_ctx),
                                     sdap_id_op_handle(hbac_ctx->sdap_op),
                                     hbac_ctx_sdap_id_ctx(hbac_ctx)->opts,
-                                    hbac_ctx->hbac_search_base);
+                                    hbac_ctx->search_bases);
     if (req == NULL) {
         DEBUG(1,("Could not get service info\n"));
         goto fail;
@@ -399,7 +375,7 @@ static void hbac_get_rule_info_step(struct tevent_req *req)
                                   hbac_ctx_ev(hbac_ctx),
                                   sdap_id_op_handle(hbac_ctx->sdap_op),
                                   hbac_ctx_sdap_id_ctx(hbac_ctx)->opts,
-                                  hbac_ctx->hbac_search_base,
+                                  hbac_ctx->search_bases,
                                   hbac_ctx->ipa_host);
     if (req == NULL) {
         DEBUG(1, ("Could not get rules\n"));

diff --git a/src/providers/ipa/ipa_access.h b/src/providers/ipa/ipa_access.h
@@ -46,6 +46,7 @@ struct ipa_access_ctx {
     time_t last_update;
 
     struct sdap_search_base **host_search_bases;
+    struct sdap_search_base **hbac_search_bases;
 };
 
 struct hbac_ctx {
@@ -57,7 +58,7 @@ struct hbac_ctx {
     struct be_req *be_req;
     struct pam_data *pd;
 
-    char *hbac_search_base;
+    struct sdap_search_base **search_bases;
 
     /* Hosts */
     size_t host_count;

diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
@@ -572,7 +572,7 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
             goto done;
         }
 
-        DEBUG(6, ("Option %s set to %s\n",
+        DEBUG(SSSDBG_CONF_SETTINGS, ("Option %s set to %s\n",
                   ipa_opts->basic[IPA_HOST_SEARCH_BASE].opt_name,
                   dp_opt_get_string(ipa_opts->basic,
                                     IPA_HOST_SEARCH_BASE)));
@@ -582,6 +582,29 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
                                  &ipa_opts->host_search_bases);
     if (ret != EOK) goto done;
 
+    if (NULL == dp_opt_get_string(ipa_opts->basic,
+                                  IPA_HBAC_SEARCH_BASE)) {
+        value = talloc_asprintf(tmpctx, "cn=hbac,%s", basedn);
+        if (!value) {
+            ret = ENOMEM;
+            goto done;
+        }
+
+        ret = dp_opt_set_string(ipa_opts->basic, IPA_HBAC_SEARCH_BASE, value);
+        if (ret != EOK) {
+            goto done;
+        }
+
+        DEBUG(6, ("Option %s set to %s\n",
+                  ipa_opts->basic[IPA_HBAC_SEARCH_BASE].opt_name,
+                  dp_opt_get_string(ipa_opts->basic,
+                                    IPA_HBAC_SEARCH_BASE)));
+    }
+    ret = sdap_parse_search_base(ipa_opts->basic, ipa_opts->basic,
+                                 IPA_HBAC_SEARCH_BASE,
+                                 &ipa_opts->hbac_search_bases);
+    if (ret != EOK) goto done;
+
     value = dp_opt_get_string(ipa_opts->id->basic, SDAP_DEREF);
     if (value != NULL) {
         ret = deref_string_to_val(value, &i);

diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
@@ -98,6 +98,7 @@ struct ipa_options {
     struct dp_option *basic;
 
     struct sdap_search_base **host_search_bases;
+    struct sdap_search_base **hbac_search_bases;
     struct ipa_service *service;
 
     /* id provider */

diff --git a/src/providers/ipa/ipa_hbac_private.h b/src/providers/ipa/ipa_hbac_private.h
@@ -144,7 +144,7 @@ ipa_hbac_service_info_send(TALLOC_CTX *mem_ctx,
                            struct sysdb_ctx *sysdb,
                            struct sdap_handle *sh,
                            struct sdap_options *opts,
-                           const char *search_base);
+                           struct sdap_search_base **search_bases);
 
 errno_t
 ipa_hbac_service_info_recv(struct tevent_req *req,
@@ -166,22 +166,6 @@ get_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
                          const char *service_dn,
                          char **servicename);
 
-/* From ipa_hbac_rules.c */
-struct tevent_req *
-ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
-                        bool get_deny_rules,
-                        struct tevent_context *ev,
-                        struct sdap_handle *sh,
-                        struct sdap_options *opts,
-                        const char *search_base,
-                        struct sysdb_attrs *ipa_host);
-
-errno_t
-ipa_hbac_rule_info_recv(struct tevent_req *req,
-                        TALLOC_CTX *mem_ctx,
-                        size_t *rule_count,
-                        struct sysdb_attrs ***rules);
-
 /* From ipa_hbac_users.c */
 errno_t
 hbac_user_attrs_to_rule(TALLOC_CTX *mem_ctx,