Add support for searching policies in cn=accounts

Use the new multibase search to collect policies from multiple subtrees. The 'any' parameter is set to 'true' so the search stop when the first result is found in any of the bases. https://fedorahosted.org/freeipa/ticket/6568 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2024-12-23 07:33:27 -06:00 · 2016-12-16 07:13:58 -05:00 · 2016-12-16 07:13:58 -05:00 · 2e5cc369fd
commit 2e5cc369fd
parent 9f13b330aa
3 changed files with 17 additions and 6 deletions
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@ -50,6 +50,7 @@ static void ipadb_context_free(krb5_context kcontext,
        free((*ctx)->uri);
        free((*ctx)->base);
        free((*ctx)->realm_base);
+        free((*ctx)->accounts_base);
        free((*ctx)->kdc_hostname);
        /* ldap free lcontext */
        if ((*ctx)->lcontext) {
@ -554,6 +555,12 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
        goto fail;
    }

+    ret = asprintf(&ipactx->accounts_base, "cn=accounts,%s", ipactx->base);
+    if (ret == -1) {
+        ret = ENOMEM;
+        goto fail;
+    }
+
    ret = uname(&uname_data);
    if (ret) {
        ret = EINVAL;
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@ -101,6 +101,7 @@ struct ipadb_context {
    char *base;
    char *realm;
    char *realm_base;
+    char *accounts_base;
    char *kdc_hostname;
    LDAP *lcontext;
    krb5_context kcontext;
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@ -137,10 +137,11 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
                                     osa_policy_ent_t *policy)
 {
    struct ipadb_context *ipactx;
+    char *bases[3] = { NULL };
    char *esc_name = NULL;
    char *src_filter = NULL;
    krb5_error_code kerr;
-    LDAPMessage *res = NULL;
+    struct ipadb_multires *res;
    LDAPMessage *lentry;
    osa_policy_ent_t pentry = NULL;
    uint32_t result;
@ -150,6 +151,8 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
    if (!ipactx) {
        return KRB5_KDB_DBNOTINITED;
    }
+    bases[0] = ipactx->realm_base;
+    bases[1] = ipactx->accounts_base;

    esc_name = ipadb_filter_escape(name, true);
    if (!esc_name) {
@ -162,14 +165,14 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
        goto done;
    }

-    kerr = ipadb_simple_search(ipactx,
-                               ipactx->base, LDAP_SCOPE_SUBTREE,
-                               src_filter, std_pwdpolicy_attrs, &res);
+    kerr = ipadb_multibase_search(ipactx, bases, LDAP_SCOPE_SUBTREE,
+                                  src_filter, std_pwdpolicy_attrs, &res,
+                                  true);
    if (kerr) {
        goto done;
    }

-    lentry = ldap_first_entry(ipactx->lcontext, res);
+    lentry = ipadb_multires_next_entry(res);
    if (!lentry) {
        kerr = KRB5_KDB_INTERNAL_ERROR;
        goto done;
@ -252,7 +255,7 @@ done:
    }
    free(esc_name);
    free(src_filter);
-    ldap_msgfree(res);
+    ipadb_multires_free(res);

    return kerr;
 }