From 7b5faaf3ccdfb733dc23ab908c9c2e4643df792a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 23 Feb 2011 16:25:19 +0100
Subject: [PATCH] Use realm for basedn instead of IPA domain

https://fedorahosted.org/sssd/ticket/807
---
 src/providers/ipa/ipa_access.c |   11 +++++----
 src/providers/ipa/ipa_auth.c   |   14 ++++++------
 src/providers/ipa/ipa_common.c |   46 ++++++++++++++++++++--------------------
 3 files changed, 36 insertions(+), 35 deletions(-)

diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 02b0a77..a3a5493 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -61,20 +61,22 @@
 #define HBAC_SERVICES_SUBDIR "hbac_services"
 
 static char *get_hbac_search_base(TALLOC_CTX *mem_ctx,
-                                  struct dp_option *ipa_options)
+                                  struct hbac_ctx *hbac_ctx)
 {
     char *base;
     int ret;
+    struct dp_option *sdap_options;
 
-    base = dp_opt_get_string(ipa_options, IPA_HBAC_SEARCH_BASE);
+    base = dp_opt_get_string(hbac_ctx->ipa_options, IPA_HBAC_SEARCH_BASE);
     if (base != NULL) {
         return talloc_strdup(mem_ctx, base);
     }
 
     DEBUG(9, ("ipa_hbac_search_base not available, trying base DN.\n"));
 
+    sdap_options = hbac_ctx_sdap_id_ctx(hbac_ctx)->opts->basic;
     ret = domain_to_basedn(mem_ctx,
-                           dp_opt_get_string(ipa_options, IPA_DOMAIN),
+                           dp_opt_get_string(sdap_options, SDAP_KRB5_REALM),
                            &base);
     if (ret != EOK) {
         DEBUG(1, ("domain_to_basedn failed.\n"));
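Review bot: The fallback path hands the result of `dp_opt_get_string(sdap_options, SDAP_KRB5_REALM)` straight to `domain_to_basedn()`, and reaches it through `hbac_ctx_sdap_id_ctx(hbac_ctx)->opts->basic` with no NULL check on any link of that chain. This hunk does not show whether the realm is always populated by the time the access provider runs; the default is filled in by `ipa_get_id_options()` in ipa_common.c. An unset realm would therefore surface at best as the generic "domain_to_basedn failed" message. Because this string decides where HBAC rules are searched, I would fetch it into a local and fail explicitly: `realm = dp_opt_get_string(sdap_options, SDAP_KRB5_REALM);` followed by `if (realm == NULL) { DEBUG(1, ("krb5 realm not set, cannot derive HBAC search base.\n")); return NULL; }`. The function body continues past the end of the hunk.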
@@ -1674,8 +1676,7 @@ void ipa_access_handler(struct be_req *be_req)
     hbac_ctx->sdap_ctx = ipa_access_ctx->sdap_ctx;
     hbac_ctx->ipa_options = ipa_access_ctx->ipa_options;
     hbac_ctx->tr_ctx = ipa_access_ctx->tr_ctx;
-    hbac_ctx->hbac_search_base = get_hbac_search_base(hbac_ctx,
-                                                      hbac_ctx->ipa_options);
+    hbac_ctx->hbac_search_base = get_hbac_search_base(hbac_ctx, hbac_ctx);
     if (hbac_ctx->hbac_search_base == NULL) {
         DEBUG(1, ("No HBAC search base found.\n"));
         goto fail;
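Review bot: The `get_hbac_search_base(hbac_ctx, hbac_ctx)` call now depends on the assignments directly above it, and nothing documents that ordering. The helper reads `hbac_ctx->ipa_options` and, through `hbac_ctx_sdap_id_ctx()`, presumably the sdap context assigned a few lines earlier, so moving the call above those assignments would dereference unset fields. A short comment would protect this: `/* get_hbac_search_base() reads ipa_options and the sdap context from hbac_ctx; keep after the assignments above */`. The helper's header comment should also say that the same pointer is used as both talloc parent and option source. `ipa_access_handler` starts and ends outside this hunk.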
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index eb7f291..ff9d561 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -46,7 +46,7 @@ struct get_password_migration_flag_state {
     struct sdap_handle *sh;
     enum sdap_result result;
     struct fo_server *srv;
-    char *ipa_domain;
+    char *ipa_realm;
     bool password_migration;
 };
 
@@ -56,13 +56,13 @@ static void get_password_migration_flag_done(struct tevent_req *subreq);
 static struct tevent_req *get_password_migration_flag_send(TALLOC_CTX *memctx,
                                             struct tevent_context *ev,
                                             struct sdap_auth_ctx *sdap_auth_ctx,
-                                            char *ipa_domain)
+                                            char *ipa_realm)
 {
     int ret;
     struct tevent_req *req, *subreq;
     struct get_password_migration_flag_state *state;
 
-    if (sdap_auth_ctx == NULL || ipa_domain == NULL) {
+    if (sdap_auth_ctx == NULL || ipa_realm == NULL) {
         DEBUG(1, ("Missing parameter.\n"));
         return NULL;
     }
@@ -80,7 +80,7 @@ static struct tevent_req *get_password_migration_flag_send(TALLOC_CTX *memctx,
     state->result = SDAP_ERROR;
     state->srv = NULL;
     state->password_migration = false;
-    state->ipa_domain = ipa_domain;
+    state->ipa_realm = ipa_realm;
 
     /* We request to use StartTLS here, because if password migration is
      * enabled we will use this connection for authentication, too. */
@@ -126,7 +126,7 @@ static void get_password_migration_flag_auth_done(struct tevent_req *subreq)
         return;
     }
 
-    ret = domain_to_basedn(state, state->ipa_domain, &ldap_basedn);
+    ret = domain_to_basedn(state, state->ipa_realm, &ldap_basedn);
     if (ret != EOK) {
         DEBUG(1, ("domain_to_basedn failed.\n"));
         tevent_req_error(req, ret);
@@ -310,8 +310,8 @@ static void ipa_auth_handler_done(struct tevent_req *req)
         req = get_password_migration_flag_send(state, state->ev,
                                              state->ipa_auth_ctx->sdap_auth_ctx,
                                              dp_opt_get_string(
-                                               state->ipa_auth_ctx->ipa_options,
-                                               IPA_DOMAIN));
+                                               state->ipa_auth_ctx->sdap_auth_ctx->opts->basic,
+                                               SDAP_KRB5_REALM));
         if (req == NULL) {
             DEBUG(1, ("get_password_migration_flag failed.\n"));
             goto done;
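Review bot: The new argument expression dereferences `state->ipa_auth_ctx->sdap_auth_ctx->opts->basic` before `get_password_migration_flag_send()` is entered, so the callee's `sdap_auth_ctx == NULL` guard can no longer protect this call site. The old code only read `ipa_auth_ctx->ipa_options` here. A missing realm is also reported only as "Missing parameter." by the callee, which makes a configuration problem in the password-migration path hard to diagnose. I would fetch the realm into a local after checking the context, e.g. `if (state->ipa_auth_ctx->sdap_auth_ctx == NULL) { ret = EINVAL; goto done; }` (error code to be matched to the surrounding function) and then `realm = dp_opt_get_string(state->ipa_auth_ctx->sdap_auth_ctx->opts->basic, SDAP_KRB5_REALM);`. `ipa_auth_handler_done` begins and ends outside the hunk.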
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 397e418..c759699 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -272,8 +272,30 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
         goto done;
     }
 
+    /* set krb realm */
+    if (NULL == dp_opt_get_string(ipa_opts->id->basic, SDAP_KRB5_REALM)) {
+        realm = dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN);
+        value = talloc_strdup(tmpctx, realm);
+        if (value == NULL) {
+            DEBUG(1, ("talloc_strdup failed.\n"));
+            ret = ENOMEM;
+            goto done;
+        }
+        for (i = 0; value[i]; i++) {
+            value[i] = toupper(value[i]);
+        }
+        ret = dp_opt_set_string(ipa_opts->id->basic,
+                                SDAP_KRB5_REALM, value);
+        if (ret != EOK) {
+            goto done;
+        }
+        DEBUG(6, ("Option %s set to %s\n",
+                  ipa_opts->id->basic[SDAP_KRB5_REALM].opt_name,
+                  dp_opt_get_string(ipa_opts->id->basic, SDAP_KRB5_REALM)));
+    }
+
     ret = domain_to_basedn(tmpctx,
-                           dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN),
+                           dp_opt_get_string(ipa_opts->id->basic, SDAP_KRB5_REALM),
                            &basedn);
     if (ret != EOK) {
         goto done;
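Review bot: The relocated realm block still calls `toupper(value[i])` on a plain `char`, which is undefined behaviour for bytes with the high bit set where `char` is signed. It is also locale-dependent, and its result now feeds the base DN as well as the Kerberos realm. Use `value[i] = toupper((unsigned char)value[i]);`. Separately, if `IPA_DOMAIN` is unset then `talloc_strdup(tmpctx, realm)` returns NULL and the failure is logged as an allocation error with `ENOMEM`. A check such as `if (realm == NULL) { ret = EINVAL; goto done; }` before the strdup would report the real cause, unless the domain is validated earlier in `ipa_get_id_options()`, which this hunk does not show. The declarations of `realm`, `value` and `i` are outside the hunk.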
@@ -317,28 +339,6 @@ int ipa_get_id_options(struct ipa_options *ipa_opts,
                   dp_opt_get_string(ipa_opts->id->basic, SDAP_SASL_AUTHID)));
     }
 
-    /* set krb realm */
-    if (NULL == dp_opt_get_string(ipa_opts->id->basic, SDAP_KRB5_REALM)) {
-        realm = dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN);
-        value = talloc_strdup(tmpctx, realm);
-        if (value == NULL) {
-            DEBUG(1, ("talloc_strdup failed.\n"));
-            ret = ENOMEM;
-            goto done;
-        }
-        for (i = 0; value[i]; i++) {
-            value[i] = toupper(value[i]);
-        }
-        ret = dp_opt_set_string(ipa_opts->id->basic,
-                                SDAP_KRB5_REALM, value);
-        if (ret != EOK) {
-            goto done;
-        }
-        DEBUG(6, ("Option %s set to %s\n",
-                  ipa_opts->id->basic[SDAP_KRB5_REALM].opt_name,
-                  dp_opt_get_string(ipa_opts->id->basic, SDAP_KRB5_REALM)));
-    }
-
     /* fix schema to IPAv1 for now */
     ipa_opts->id->schema_type = SDAP_SCHEMA_IPA_V1;
 
-- 
1.7.4

