From 21513e51a4a2eb08f245333bf8f223713a3d7cb3 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Jun 09 2016 14:12:25 +0000
Subject: IPA: allow lookups by cert in sub-domains on the client

Reviewed-by: Jakub Hrozek
---
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
index 0ff7d92..84f1c5a 100644
--- a/src/providers/ipa/ipa_s2n_exop.c
+++ b/src/providers/ipa/ipa_s2n_exop.c
@@ -36,7 +36,8 @@ enum input_types {
     INP_SID = 1,
     INP_NAME,
     INP_POSIX_UID,
-    INP_POSIX_GID
+    INP_POSIX_GID,
+    INP_CERT
 };
 
 enum request_types {
@@ -354,11 +355,22 @@ static errno_t s2n_encode_request(TALLOC_CTX *mem_ctx,
         break;
     case BE_REQ_BY_SECID:
         if (req_input->type == REQ_INP_SECID) {
-            ret = ber_printf(ber, "{ees}", INP_SID, request_type,
-                                           req_input->inp.secid);
+            ret = ber_printf(ber, "{ees}", INP_SID, request_type,
+                                           req_input->inp.secid);
         } else {
             DEBUG(SSSDBG_OP_FAILURE, "Unexpected input type [%d].\n",
-                                      req_input->type == REQ_INP_ID);
+                                      req_input->type == REQ_INP_ID);
+            ret = EINVAL;
+            goto done;
+        }
+        break;
+    case BE_REQ_BY_CERT:
+        if (req_input->type == REQ_INP_CERT) {
+            ret = ber_printf(ber, "{ees}", INP_CERT, request_type,
+                                           req_input->inp.cert);
+        } else {
+            DEBUG(SSSDBG_OP_FAILURE, "Unexpected input type [%d].\n",
+                                      req_input->type);
             ret = EINVAL;
             goto done;
         }
@@ -1535,6 +1547,11 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq)
     talloc_zfree(subreq);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "s2n exop request failed.\n");
+        if (state->req_input->type == REQ_INP_CERT) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "Maybe the server does not support lookups by "
+                  "certificates.\n");
+        }
         goto done;
     }
 
diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
index 23c3b7e..9eb841b 100644
--- a/src/providers/ipa/ipa_subdomains.h
+++ b/src/providers/ipa/ipa_subdomains.h
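Review bot: In the `BE_REQ_BY_SECID` else branch of s2n_encode_request, the DEBUG line the commit re-indents still passes the expression `req_input->type == REQ_INP_ID`, so the message prints 0 or 1 instead of the unexpected input type; the new `BE_REQ_BY_CERT` branch does it correctly with `req_input->type`, and the older line should be brought in line: `req_input->type);`. The certificate is encoded with the `s` conversion of ber_printf, which stops at the first NUL byte, so `inp.cert` must hold a text form of the certificate (presumably base64-encoded DER, given it is later produced with `talloc_strdup`) rather than raw DER; if that is confirmed, a comment on the new case such as `/* inp.cert is the NUL-terminated base64 DER certificate, not raw DER */` would save the next reader the question. s2n_encode_request starts and ends outside the hunk.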
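Review bot: The new "Maybe the server does not support lookups by certificates" hint in ipa_s2n_get_user_done is printed for every failed certificate lookup, including timeouts and connection errors, because neither the new block nor the existing message inspects or records `ret`, so the real error code never reaches the log. Extending the existing line to `DEBUG(SSSDBG_OP_FAILURE, "s2n exop request failed [%d].\n", ret);` keeps the hint while letting an operator tell a missing server feature from a transport failure. Since the client already gates certificate requests on the server advertising the V1 extension, the hedged wording is appropriate, but the condition under which the hint is expected to apply could be stated in a short comment above the `if`. ipa_s2n_get_user_done continues outside the hunk.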
@@ -116,7 +116,8 @@ int ipa_ad_subdom_init(struct be_ctx *be_ctx,
 enum req_input_type {
     REQ_INP_NAME,
     REQ_INP_ID,
-    REQ_INP_SECID
+    REQ_INP_SECID,
+    REQ_INP_CERT
 };
 
 struct req_input {
@@ -125,6 +126,7 @@ struct req_input {
         const char *name;
         uint32_t id;
         const char *secid;
+        const char *cert;
     } inp;
 };
 
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index e8dd824..665ff63 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -528,10 +528,23 @@ static void ipa_get_subdom_acct_connected(struct tevent_req *subreq)
             }
             break;
         case BE_FILTER_CERT:
-            DEBUG(SSSDBG_OP_FAILURE, "Lookup by certificate not supported yet.\n");
-            state->dp_error = dp_error;
-            tevent_req_error(req, EINVAL);
-            return;
+            if (sdap_is_extension_supported(sdap_id_op_handle(state->op), EXOP_SID2NAME_V1_OID)) {
+                req_input->type = REQ_INP_CERT;
+                req_input->inp.cert = talloc_strdup(req_input, state->filter);
+                if (req_input->inp.cert == NULL) {
+                    DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+                    tevent_req_error(req, ENOMEM);
+                    return;
+                }
+            } else {
+                DEBUG(SSSDBG_OP_FAILURE,
+                      "Lookup by certificate not supported by the server.\n");
+                state->dp_error = DP_ERR_OK;
+                tevent_req_error(req, EINVAL);
+                return;
+            }
+            break;
         default:
             DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain filter type.\n");
             state->dp_error = dp_error;
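Review bot: The unsupported-server branch in ipa_get_subdom_acct_connected fails the request with EINVAL yet sets `state->dp_error = DP_ERR_OK`, which reads as a contradiction without a comment; the intent is presumably that a server lacking the extension is not a connectivity problem and must not push the backend offline, so record it: `/* Not a connection failure: the server lacks the extension, so leave dp_error OK and fail only this lookup. */`. Checking `EXOP_SID2NAME_V1_OID` is a proxy for certificate support rather than a direct capability check (the companion hint added in ipa_s2n_get_user_done concedes a V1 server may still refuse it), so that assumption deserves a one-line note above the `if`. The new code also forwards `state->filter` to the server verbatim; the hunk does not show where the filter is validated, so confirm the caller already restricts it to an encoded certificate before it is sent as the exop payload. ipa_get_subdom_acct_connected begins before the hunk and continues after it.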