sssd/0129-overrides-add-certificates-to-mapped-attribute.patch
Lukas Slebodnik 7bddea6c90 Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication
Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with
                           file from package sssd-common-1.15.1-1.fc25.x86_64
Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4
2017-04-29 23:49:52 +02:00


From 2e5fc89ef25434fab7febe2c52e97ef989b50d5b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 27 Apr 2017 09:28:55 +0200
Subject: [PATCH 129/135] overrides: add certificates to mapped attribute
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Certificates in overrides are explicitly used to map users to
certificates, so we add them to SYSDB_USER_MAPPED_CERT as well.
Resolves https://pagure.io/SSSD/sssd/issue/3373
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/db/sysdb_views.c | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index 20db9b06183d68b33bb19f498513d7f5cf84b1cf..3773dda77e16b35fa217be0aa7974da7e34c09f4 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -777,6 +777,7 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
int ret;
TALLOC_CTX *tmp_ctx;
struct sysdb_attrs *attrs;
+ struct sysdb_attrs *mapped_attrs = NULL;
size_t c;
size_t d;
size_t num_values;
@@ -791,6 +792,7 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
SYSDB_USER_CERT,
NULL };
bool override_attrs_found = false;
+ bool is_cert = false;
if (override_attrs == NULL) {
/* nothing to do */
@@ -846,6 +848,24 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
num_values = 1;
}
+ is_cert = false;
+ if (strcmp(allowed_attrs[c], SYSDB_USER_CERT) == 0) {
+ /* Certificates in overrides are explicitly used to map
+ * users to certificates, so we add them to
+ * SYSDB_USER_MAPPED_CERT as well. */
+ is_cert = true;
+
+ if (mapped_attrs == NULL) {
+ mapped_attrs = sysdb_new_attrs(tmp_ctx);
+ if (mapped_attrs == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_new_attrs failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ }
+
for (d = 0; d < num_values; d++) {
ret = sysdb_attrs_add_val(attrs, allowed_attrs[c],
&el->values[d]);
@@ -854,6 +874,18 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
"sysdb_attrs_add_val failed.\n");
goto done;
}
+
+ if (is_cert) {
+ ret = sysdb_attrs_add_val(mapped_attrs,
+ SYSDB_USER_MAPPED_CERT,
+ &el->values[d]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_val failed.\n");
+ goto done;
+ }
+ }
+
DEBUG(SSSDBG_TRACE_ALL,
"Override [%s] with [%.*s] for [%s].\n",
allowed_attrs[c], (int) el->values[d].length,
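Review bot: The failure branch added for `mapped_attrs` logs the same text as the branch just above it for `attrs`, `"sysdb_attrs_add_val failed.\n"`, so a log reader cannot tell which of the two attribute sets rejected the value. I would make the new message specific, for example `"sysdb_attrs_add_val failed for mapped certificate.\n"`, or include `ret` in it. The surrounding loop and the rest of the function lie outside this hunk.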
@@ -878,6 +910,15 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n");
goto done;
}
+
+ if (mapped_attrs != NULL) {
+ ret = sysdb_set_entry_attr(domain->sysdb, obj_dn, mapped_attrs,
+ SYSDB_MOD_ADD);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_set_entry_attr failed, ignored.\n");
+ }
+ }
}
ret = EOK;
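Review bot: The second `sysdb_set_entry_attr` call writes the certificate mapping with `SYSDB_MOD_ADD` and discards any failure, and its message `"sysdb_set_entry_attr failed, ignored.\n"` carries neither `ret` nor the object, so a user whose override certificate never reached `SYSDB_USER_MAPPED_CERT` is hard to diagnose. Logging the code, e.g. `"sysdb_set_entry_attr failed for mapped certificates [%d], ignored.\n", ret`, together with a short comment saying why the failure is tolerated (presumably because the value may already exist), would help. Because the operation only adds, nothing in this hunk removes a mapped certificate once the override no longer carries it. It is worth confirming that code outside the hunk clears stale values, since they decide which certificate maps to which user. The enclosing function starts and ends outside the hunk.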
--
2.12.2