Fix extdom plugin to provide unqualified name in response as sssd expects

extdom plugin handles external operation over which SSSD asks IPA server about
trusted domain users not found through normal paths but detected to belong
to the trusted domains associated with IPA realm.

SSSD expects that user or group name in the response will be unqualified
because domain name for the user or group is also included in the response.
Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully
qualified name which includes the domain name we are asked to handle.

The code already expects that fully-qualified names are following user@domain
convention so we are simply tracking whether '@' symbol is present and is followed
by the domain name.
This commit is contained in:
Alexander Bokovoy 2013-07-09 10:26:22 +03:00
parent fb62414e81
commit ad575f067c

View File

@ -48,6 +48,7 @@
#include "util.h"
#define MAX(a,b) (((a)>(b))?(a):(b))
#define SSSD_DOMAIN_SEPARATOR '@'
int parse_request_data(struct berval *req_val, struct extdom_req **_req)
{
@ -242,7 +243,7 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
goto done;
}
sep = strrchr(fq_name, '@');
sep = strrchr(fq_name, SSSD_DOMAIN_SEPARATOR);
if (sep == NULL) {
ret = LDAP_OPERATIONS_ERROR;
goto done;
@ -274,7 +275,8 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
domain_name = strdup(req->data.name.domain_name);
break;
case INP_NAME:
ret = asprintf(&fq_name, "%s@%s", req->data.name.object_name,
ret = asprintf(&fq_name, "%s%c%s", req->data.name.object_name,
SSSD_DOMAIN_SEPARATOR,
req->data.name.domain_name);
if (ret == -1) {
ret = LDAP_OPERATIONS_ERROR;
@ -339,6 +341,7 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
const char *domain_name, struct extdom_res **_res)
{
int ret = EFAULT;
char *locat = NULL;
struct extdom_res *res;
res = calloc(1, sizeof(struct extdom_res));
@ -355,10 +358,20 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
switch(id_type) {
case SSS_ID_TYPE_UID:
case SSS_ID_TYPE_BOTH:
if ((locat = strchr(pg_data->data.pwd.pw_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = 0;
}
}
res->data.name.object_name =
strdup(pg_data->data.pwd.pw_name);
break;
case SSS_ID_TYPE_GID:
if ((locat = strchr(pg_data->data.grp.gr_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
if (strcasecmp(locat+1, domain_name) == 0) {
locat[0] = 0;
}
}
res->data.name.object_name =
strdup(pg_data->data.grp.gr_name);
break;
@ -394,6 +407,11 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
case SSS_ID_TYPE_BOTH:
res->response_type = RESP_USER;
res->data.user.domain_name = strdup(domain_name);
if ((locat = strchr(pg_data->data.pwd.pw_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
if (strcasecmp(locat+1, domain_name) == 0) {
locat[0] = 0;
}
}
res->data.user.user_name =
strdup(pg_data->data.pwd.pw_name);
@ -409,6 +427,11 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
case SSS_ID_TYPE_GID:
res->response_type = RESP_GROUP;
res->data.group.domain_name = strdup(domain_name);
if ((locat = strchr(pg_data->data.grp.gr_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
if (strcasecmp(locat+1, domain_name) == 0) {
locat[0] = 0;
}
}
res->data.group.group_name =
strdup(pg_data->data.grp.gr_name);
@ -439,6 +462,10 @@ done:
free_resp_data(res);
}
if (locat != NULL) {
locat[0] = SSSD_DOMAIN_SEPARATOR;
}
return ret;
}