From 588f8fbe74e66cc015f185a5b798173d320a65b5 Mon Sep 17 00:00:00 2001
From: Yassir Elley
Date: Jul 01 2014 09:29:12 +0000
Subject: AD-GPO: Add support for gpo permissive mode
Reviewed-by: Sumit Bose
---
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 02387f4..32ef852 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -32,6 +32,7 @@
 */
 #include
+#include
 #include "util/util.h"
 #include "util/strtonum.h"
 #include "util/child_common.h"
@@ -724,6 +725,7 @@ check_rights(char **privilege_sids,
 */
 static errno_t
 ad_gpo_access_check(TALLOC_CTX *mem_ctx,
+ enum gpo_access_control_mode gpo_mode,
 const char *user,
 struct sss_domain_info *domain,
 char **allowed_sids,
@@ -786,7 +788,19 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
 if (access_granted && !access_denied) {
 return EOK;
 } else {
- return EACCES;
+ switch (gpo_mode) {
+ case GPO_ACCESS_CONTROL_ENFORCING:
+ return EACCES;
+ case GPO_ACCESS_CONTROL_PERMISSIVE:
+ DEBUG(SSSDBG_TRACE_FUNC, "access denied: permissive mode\n");
+ sss_log_ext(SSS_LOG_WARNING, LOG_AUTHPRIV, "Warning: user would " \ "have been denied GPO-based logon access if the " \ "ad_gpo_access_control option were set to enforcing " \ "mode.");
+ return EOK;
+ default:
+ return EINVAL;
+ }
 }
 done:
@@ -836,6 +850,7 @@ struct ad_gpo_access_state {
 int timeout;
 struct sss_domain_info *domain;
 const char *user;
+ enum gpo_access_control_mode gpo_mode;
 const char *ad_hostname;
 const char *target_dn;
 struct gp_gpo **dacl_filtered_gpos;
@@ -885,6 +900,7 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
 state->ev = ev;
 state->user = user;
 state->ldb_ctx = sysdb_ctx_get_ldb(domain->sysdb);
+ state->gpo_mode = ctx->gpo_access_control_mode;
 state->ad_hostname = dp_opt_get_string(ctx->ad_options, AD_HOSTNAME);
 state->opts = ctx->sdap_access_ctx->id_ctx->opts;
 state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
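Review bot: The audit record written in the new `GPO_ACCESS_CONTROL_PERMISSIVE` case via `sss_log_ext(SSS_LOG_WARNING, LOG_AUTHPRIV, ...)` names no principal, so an administrator running permissive mode to preview the effect of enforcing cannot tell which logons would have been refused. `ad_gpo_access_check` already receives `const char *user`, so the message should carry it, e.g. `"Warning: user [%s] would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.", user`, and the `SSS_ATTRIBUTE_PRINTF(3, 4)` on `sss_log_ext` keeps that format-checked. The trailing `\` between the adjacent string literals is unnecessary, as C concatenates them without it. Returning EOK in permissive mode is the intended semantics, and `default: return EINVAL;` keeps an unrecognised mode failing closed, which is the right default for an access decision. The body of `ad_gpo_access_check` begins and ends outside this hunk (the `done:` label follows it).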
@@ -1340,7 +1356,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
 /* TBD: allowed/denied_sids/size, should be retrieved from cache */
 ret = ad_gpo_access_check
- (state, state->user, state->domain,
+ (state, state->gpo_mode, state->user, state->domain,
 allowed_sids, allowed_size, denied_sids, denied_size);
 if (ret != EOK) {
diff --git a/src/util/sss_log.c b/src/util/sss_log.c
index b6b9227..7a2dce6 100644
--- a/src/util/sss_log.c
+++ b/src/util/sss_log.c
@@ -57,9 +57,18 @@ static int sss_to_syslog(int priority)
 }
 }
+void sss_log(int priority, const char *format, ...)
+{
+ va_list ap;
+
+ va_start(ap, format);
+ sss_log_ext(priority, LOG_DAEMON, format, ap);
+ va_end(ap);
+}
+
 #ifdef WITH_JOURNALD
-void sss_log(int priority, const char *format, ...)
+void sss_log_ext(int priority, int facility, const char *format, ...)
 {
 va_list ap;
 int syslog_priority;
@@ -85,7 +94,7 @@ void sss_log(int priority, const char *format, ...)
 sd_journal_send("MESSAGE=%s", message,
 "SSSD_DOMAIN=%s", domain,
 "PRIORITY=%i", syslog_priority,
- "SYSLOG_FACILITY=%i", LOG_FAC(LOG_DAEMON),
+ "SYSLOG_FACILITY=%i", LOG_FAC(facility),
 "SYSLOG_IDENTIFIER=%s", debug_prg_name,
 NULL);
@@ -94,14 +103,14 @@ void sss_log(int priority, const char *format, ...)
 #else /* WITH_JOURNALD */
-void sss_log(int priority, const char *format, ...)
+void sss_log_ext(int priority, int facility, const char *format, ...)
 {
 va_list ap;
 int syslog_priority;
 syslog_priority = sss_to_syslog(priority);
- openlog(debug_prg_name, 0, LOG_DAEMON);
+ openlog(debug_prg_name, 0, facility);
 va_start(ap, format);
 vsyslog(syslog_priority, format, ap);
diff --git a/src/util/util.h b/src/util/util.h
index af2a578..5c02c33 100644
--- a/src/util/util.h
+++ b/src/util/util.h
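Review bot: The new `sss_log()` wrapper in the `@@ -57,9 +57,18 @@` hunk passes its `va_list ap` as a variadic argument to `sss_log_ext(priority, LOG_DAEMON, format, ap)`, which is declared `(int priority, int facility, const char *format, ...)`; `sss_log_ext` then runs its own `va_start` and hands `vsyslog` (and, in the journald build, `sd_journal_send`) an argument list that holds the `va_list` object instead of the caller's arguments, which is undefined behaviour and corrupts every `sss_log()` call that has format arguments. Since all callers of `sss_log()` in the daemon are affected, the wrapper as written cannot be shipped; the fix is to move the existing body into a `sss_vlog_ext(int priority, int facility, const char *format, va_list ap)` and make both `sss_log()` and `sss_log_ext()` thin variadic front-ends over it, as sketched below, with the `va_list` variant also declared in util.h. The journald variant's own `va_start`/`va_end` lie outside this hunk and would be dropped along with its local `va_list ap`, as the syslog variant's visible `va_start(ap, format)` would be.
```c
void sss_log(int priority, const char *format, ...)
{
    va_list ap;

    va_start(ap, format);
    sss_vlog_ext(priority, LOG_DAEMON, format, ap);
    va_end(ap);
}

void sss_log_ext(int priority, int facility, const char *format, ...)
{
    va_list ap;

    va_start(ap, format);
    sss_vlog_ext(priority, facility, format, ap);
    va_end(ap);
}

#ifdef WITH_JOURNALD

void sss_vlog_ext(int priority, int facility, const char *format, va_list ap)
{
    int syslog_priority;
    /* … unchanged: journald body, minus its own va_list/va_start/va_end … */
```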
@@ -217,6 +217,7 @@ void talloc_log_fn(const char *msg);
 #define SSS_LOG_DEBUG 7 /* debug-level messages */
 void sss_log(int priority, const char *format, ...) SSS_ATTRIBUTE_PRINTF(2, 3);
+void sss_log_ext(int priority, int facility, const char *format, ...) SSS_ATTRIBUTE_PRINTF(3, 4);
 /* from server.c */
 struct main_context {
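Review bot: The new `sss_log_ext` prototype is added to the shared header with no comment saying how it differs from `sss_log`, and `facility` is a bare `int`, so nothing at the declaration tells a caller that it expects a syslog facility constant rather than a priority. I would add above the new line: `/* Like sss_log(), but logs to the given syslog facility (e.g. LOG_AUTHPRIV); sss_log() itself logs to LOG_DAEMON. */`, which matches the `openlog(debug_prg_name, 0, facility)` and `LOG_FAC(facility)` uses in sss_log.c. Should a `va_list`-taking variant of this function be introduced, its prototype belongs next to these two as well.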