ipa-kdb: search S4U2Proxy ACLs in cn=s4u2proxy,cn=etc,$BASEDN subtree only

Confine search for S4U2Proxy access control lists to the subtree where they created. This will allow to use a similar method to describe RBCD access controls. Related: https://pagure.io/freeipa/issue/5444 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2023-01-12 12:40:14 +02:00 · 2023-01-12 12:40:14 +02:00 · adc9609ff3
commit adc9609ff3
parent 9b777390fb
1 changed files with 10 additions and 2 deletions
--- a/daemons/ipa-kdb/ipa_kdb_delegation.c
+++ b/daemons/ipa-kdb/ipa_kdb_delegation.c
@ -42,7 +42,7 @@ static krb5_error_code ipadb_get_delegation_acl(krb5_context kcontext,
 {
    struct ipadb_context *ipactx;
    krb5_error_code kerr;
-    char *filter = NULL;
+    char *filter = NULL, *basedn = NULL;
    int ret;

    ipactx = ipadb_get_context(kcontext);
@ -58,12 +58,20 @@ static krb5_error_code ipadb_get_delegation_acl(krb5_context kcontext,
        goto done;
    }

+    ret = asprintf(&basedn,
+                   "cn=s4u2proxy,cn=etc,%s", ipactx->base);
+    if (ret == -1) {
+        kerr = ENOMEM;
+        goto done;
+    }
+
    /* == Search ACL info == */
-    kerr = ipadb_deref_search(ipactx, ipactx->base,
+    kerr = ipadb_deref_search(ipactx, basedn,
                              LDAP_SCOPE_SUBTREE, filter, acl_attrs,
                              search_attrs, acl_attrs, results);

 done:
+    free(basedn);
    free(filter);
    return kerr;
 }