From ba9ebfc49ab3bacb96213c8620411128c09f39da Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Jul 29 2016 12:44:51 +0000 Subject: LDAP: include email in UPN searches Reviewed-by: Jakub Hrozek --- diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c index 2fccc7e..f27759e 100644 --- a/src/providers/ldap/ldap_id.c +++ b/src/providers/ldap/ldap_id.c @@ -127,12 +127,22 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx, break; case BE_FILTER_NAME: if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) { - attr_name = ctx->opts->user_map[SDAP_AT_USER_PRINC].name; - ret = sss_filter_sanitize(state, filter_value, &clean_value); if (ret != EOK) { goto done; } + /* TODO: Do we have to check the attribute names more carefully? */ + user_filter = talloc_asprintf(state, "(|(%s=%s)(%s=%s))", + ctx->opts->user_map[SDAP_AT_USER_PRINC].name, + clean_value, + ctx->opts->user_map[SDAP_AT_USER_EMAIL].name, + clean_value); + talloc_zfree(clean_value); + if (user_filter == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } } else { attr_name = ctx->opts->user_map[SDAP_AT_USER_NAME].name; @@ -242,8 +252,8 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx, goto done; } - if (attr_name == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "Missing search attribute name.\n"); + if (attr_name == NULL && user_filter == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing search attribute name or filter.\n"); ret = EINVAL; goto done; } diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index 17593f0..0a42b18 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c @@ -2736,13 +2736,25 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, break; case BE_FILTER_NAME: if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) { - search_attr = state->opts->user_map[SDAP_AT_USER_PRINC].name; ret = sss_filter_sanitize(state, state->filter_value, &clean_name); if (ret != EOK) { talloc_zfree(req); return NULL; } + + state->user_base_filter = + talloc_asprintf(state, + "(&(|(%s=%s)(%s=%s))(objectclass=%s)", + state->opts->user_map[SDAP_AT_USER_PRINC].name, + clean_name, + state->opts->user_map[SDAP_AT_USER_EMAIL].name, + clean_name, + state->opts->user_map[SDAP_OC_USER].name); + if (state->user_base_filter == NULL) { + talloc_zfree(req); + return NULL; + } } else { search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name; @@ -2766,15 +2778,23 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, return NULL; } - state->user_base_filter = - talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)", - search_attr, clean_name, - state->opts->user_map[SDAP_OC_USER].name); - if (!state->user_base_filter) { + if (search_attr == NULL && state->user_base_filter == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing search attribute name or filter.\n"); talloc_zfree(req); return NULL; } + if (state->user_base_filter == NULL) { + state->user_base_filter = + talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)", + search_attr, clean_name, + state->opts->user_map[SDAP_OC_USER].name); + if (!state->user_base_filter) { + talloc_zfree(req); + return NULL; + } + } + if (use_id_mapping) { /* When mapping IDs or looking for SIDs, we don't want to limit * ourselves to users with a UID value. But there must be a SID to map