From adc9609ff32c680b07ecfaa4c88d71898d7829c9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Thu, 12 Jan 2023 12:40:14 +0200 Subject: [PATCH] ipa-kdb: search S4U2Proxy ACLs in cn=s4u2proxy,cn=etc,$BASEDN subtree only Confine search for S4U2Proxy access control lists to the subtree where they created. This will allow to use a similar method to describe RBCD access controls. Related: https://pagure.io/freeipa/issue/5444 Signed-off-by: Alexander Bokovoy Reviewed-By: Rob Crittenden --- daemons/ipa-kdb/ipa_kdb_delegation.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_delegation.c b/daemons/ipa-kdb/ipa_kdb_delegation.c
index de82174ad..212046e01 100644
--- a/daemons/ipa-kdb/ipa_kdb_delegation.c
+++ b/daemons/ipa-kdb/ipa_kdb_delegation.c
@@ -42,7 +42,7 @@ static krb5_error_code ipadb_get_delegation_acl(krb5_context kcontext,
 {
 struct ipadb_context *ipactx;
 krb5_error_code kerr;
- char *filter = NULL;
+ char *filter = NULL, *basedn = NULL;
 int ret;
 ipactx = ipadb_get_context(kcontext);
@@ -58,12 +58,20 @@ static krb5_error_code ipadb_get_delegation_acl(krb5_context kcontext,
 goto done;
 }
+ ret = asprintf(&basedn, "cn=s4u2proxy,cn=etc,%s", ipactx->base);
+ if (ret == -1) {
+ kerr = ENOMEM;
+ goto done;
+ }
+ /* == Search ACL info == */
- kerr = ipadb_deref_search(ipactx, ipactx->base,
+ kerr = ipadb_deref_search(ipactx, basedn,
 LDAP_SCOPE_SUBTREE, filter,
 acl_attrs, search_attrs,
 acl_attrs, results);
 done:
+ free(basedn);
 free(filter);
 return kerr;
 }
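Review bot: The asprintf() failure branch in the second hunk jumps to `done:` where `free(basedn)` runs, but the contents of the output pointer are unspecified when asprintf() returns -1, so the cleanup currently relies on the libc leaving `basedn` at its NULL initializer (common implementations do, but it is not guaranteed). Resetting the pointer in the error branch makes the cleanup portable: `if (ret == -1) { basedn = NULL; kerr = ENOMEM; goto done; }`. A second effect worth confirming: the search base is now the cn=s4u2proxy,cn=etc container rather than the suffix, so a deployment where that container is absent will presumably get an LDAP no-such-object result from ipadb_deref_search instead of an empty result set; whether that is mapped to a denied delegation (fail-closed) or surfaces as an error to the caller depends on ipadb_deref_search, which is outside the hunk. The body of ipadb_get_delegation_acl continues outside both hunks.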