From 9745955dc16be996de938667d6ece16b3d48f113 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 22 Apr 2016 17:56:05 +0200
Subject: [PATCH 10/12] IPA: allow lookups by cert in sub-domains on the client
---
 src/providers/ipa/ipa_s2n_exop.c | 18 +++++++++++++++++-
 src/providers/ipa/ipa_subdomains.h | 4 +++-
 src/providers/ipa/ipa_subdomains_id.c | 21 +++++++++++++++++----
 3 files changed, 37 insertions(+), 6 deletions(-)
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index b6136befaa78ac30e7bf2ca52ef1875e16a74304..bdbe8ea9ff851a83d6b76fd3cd745218cc270820 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -36,7 +36,8 @@ enum input_types {
 INP_SID = 1,
 INP_NAME,
 INP_POSIX_UID,
- INP_POSIX_GID
+ INP_POSIX_GID,
+ INP_CERT
 };
 enum request_types {
@@ -363,6 +364,17 @@ static errno_t s2n_encode_request(TALLOC_CTX *mem_ctx,
 goto done;
 }
 break;
+ case BE_REQ_BY_CERT:
+ if (req_input->type == REQ_INP_CERT) {
+ ret = ber_printf(ber, "{ees}", INP_CERT, request_type,
+ req_input->inp.cert);
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "Unexpected input type [%d].\n",
+ req_input->type);
+ ret = EINVAL;
+ goto done;
+ }
+ break;
 default:
 ret = EINVAL;
 goto done;
@@ -1535,6 +1547,10 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
 talloc_zfree(subreq);
 if (ret != EOK) {
 DEBUG(SSSDBG_OP_FAILURE, "s2n exop request failed.\n");
+ if (state->req_input->type == REQ_INP_CERT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Maybe the server does not support lookups by certificates.\n");
+ }
 goto done;
 }
diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
index 23c3b7e3cd3ee1e0ac1dbcf98dc71a6c2337b835..9eb841b027041feb70149ad76a3992a28da7bc36 100644
--- a/src/providers/ipa/ipa_subdomains.h
+++ b/src/providers/ipa/ipa_subdomains.h
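Review bot: In the new `case BE_REQ_BY_CERT:` of `s2n_encode_request` (ipa_s2n_exop.c), `req_input->inp.cert` goes straight into `ber_printf`'s `s` conversion with no NULL check, so the encoder depends on every caller having validated the pointer. The one producer visible in this patch (ipa_subdomains_id.c) does check its `talloc_strdup` result, but a local guard would make the encoder safe on its own: `if (req_input->type == REQ_INP_CERT && req_input->inp.cert != NULL) {`. The `"{ees}"` format carries only the input type, request type and certificate string, with no domain name argument, which deserves a one-line comment such as `/* cert lookups send only the certificate string, no domain name */`. Any check of the `ber_printf` return value would sit after the switch, outside this hunk, so it cannot be confirmed from here.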
@@ -116,7 +116,8 @@ int ipa_ad_subdom_init(struct be_ctx *be_ctx,
 enum req_input_type {
 REQ_INP_NAME,
 REQ_INP_ID,
- REQ_INP_SECID
+ REQ_INP_SECID,
+ REQ_INP_CERT
 };
 struct req_input {
@@ -125,6 +126,7 @@ struct req_input {
 const char *name;
 uint32_t id;
 const char *secid;
+ const char *cert;
 } inp;
 };
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index e8dd82446f58afc5dfd439ce88cb2b5741c9f100..665ff635b878370d92590c99a132b0ab14fbada6 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -528,10 +528,23 @@ static void ipa_get_subdom_acct_connected(struct tevent_req *subreq)
 }
 break;
 case BE_FILTER_CERT:
- DEBUG(SSSDBG_OP_FAILURE, "Lookup by certificate not supported yet.\n");
- state->dp_error = dp_error;
- tevent_req_error(req, EINVAL);
- return;
+ if (sdap_is_extension_supported(sdap_id_op_handle(state->op),
+ EXOP_SID2NAME_V1_OID)) {
+ req_input->type = REQ_INP_CERT;
+ req_input->inp.cert = talloc_strdup(req_input, state->filter);
+ if (req_input->inp.cert == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Lookup by certificate not supported by the server.\n");
+ state->dp_error = DP_ERR_OK;
+ tevent_req_error(req, EINVAL);
+ return;
+ }
+ break;
 default:
 DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain filter type.\n");
 state->dp_error = dp_error;
-- 
2.1.0
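Review bot: The new `const char *cert;` member of `struct req_input` (ipa_subdomains.h) has no comment saying what the string holds or who owns it. Elsewhere in this patch it is filled with `talloc_strdup(req_input, state->filter)` and sent as a string in the exop request, so a comment like `/* certificate filter string as received, talloc child of req_input */` would record that for anyone adding validation later. The struct begins before this hunk.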
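Review bot: The two failure paths added under `case BE_FILTER_CERT:` in `ipa_get_subdom_acct_connected` handle `state->dp_error` inconsistently: the `talloc_strdup` failure returns ENOMEM without setting it, while the unsupported-server branch pairs `DP_ERR_OK` with `EINVAL`, where the removed code and the `default:` case use `state->dp_error = dp_error;`. If `DP_ERR_OK` is deliberate because the backend is reachable and the server merely lacks the feature, say so with a comment such as `/* server lacks cert lookup; not a provider failure */`, and set `state->dp_error` on the ENOMEM path as well. The gate is `EXOP_SID2NAME_V1_OID`, yet the message this patch adds in `ipa_s2n_get_user_done` implies the server may still reject the request, so a comment that V1 support is necessary but possibly not sufficient would be accurate. `state->filter` is forwarded as received, and since the function body starts and ends outside the hunk, any earlier validation of it is not visible here.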