author | Simon Rettberg | 2017-12-13 17:04:17 +0100 |
committer | Simon Rettberg | 2017-12-13 17:04:17 +0100 |
commit | b92ac97a8bb9cd3761e77c128e1daedd07fefcc7 (patch) | |
tree | bf608bb930dae96db323641c87ee5f44fd853a5d | |
parent | Always send empty search replies for unknown queries, fixes sssd sudo queries (diff) | |
[proxy] More ugly hacks to support sssd for user names containing '@'
-rw-r--r-- | proxy.c | 41 |
1 files changed, 39 insertions, 2 deletions
@@ -25,9 +25,20 @@ typedef struct
 BOOL uidNumber;
 BOOL cn;
 BOOL realAccount;
+ BOOL bogusFieldName42;
+ BOOL bogusFieldName43;
 // Internal
 BOOL hasUser;
 } attr_t;
+/*
+ * The bogus fields can be used to map two arbitrary additional fields
+ * to the uid when searching for a user. It's currently used to handle
+ * sssd being smart and doing lookups for krbPrincipalName and mail
+ * when the authenticating user's name contains '@'
+ * For this reason the sssd.conf contains (in the ldap section):
+ * ldap_user_email = bogusFieldName42
+ * ldap_user_principal = bogusFieldName43
+ */
 typedef struct
 {
@@ -51,6 +62,8 @@ static struct string s_homedirectory, s_gidnumber, s_uidnumber, s_memberof, s_di
 static struct string s_shadowAccount, s_posixAccount, s_posixGroup, s_3, s_1001, s_user, s_member;
 // Feature query
 static struct string s_namingContexts, s_supportedControl, s_supportedExtension, s_supportedFeatures, s_supportedLDAPVersion, s_lastUSN, s_highestCommittedUSN;
+static struct string s_bogusFieldName42, s_bogusFieldName43;
+static struct string s_bogusfieldname42, s_bogusfieldname43;
 // Other
 static struct string str_ADUSER, str_ADUSERDN;
@@ -148,6 +161,10 @@ void proxy_init()
 SETSTR(uidnumber);
 SETSTR(memberof);
 SETSTR(distinguishedname);
+ SETSTR(bogusFieldName42);
+ SETSTR(bogusFieldName43);
+ SETSTR(bogusfieldname42);
+ SETSTR(bogusfieldname43);
 // TODO: configurable
 str_ADUSER.s = "ad_user";
 str_ADUSER.l = strlen(str_ADUSER.s);
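Review bot: The new block comment explains the sssd.conf mapping but leaves out the consequence a maintainer needs to know: a search filter on either bogus name is rewritten into a uid match, and the reply echoes the same `user` string that cn gets under those names, so sssd ends up treating the login name as both its mail address and its principal. That makes the two names reserved in effect; should the backend directory ever carry a real attribute of either name, its values would be shadowed by the alias. I would append to the comment ` * Filters on these names are rewritten to uid=<value> and the reply returns the uid as their value, so they must not exist as real attributes in the backend.` and tag the struct fields `BOOL bogusFieldName42; // client asked for the mail alias` and `BOOL bogusFieldName43; // client asked for the principal alias`. The typedef the comment precedes is cut off at the end of the hunk.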
@@ -555,6 +572,18 @@ static BOOL request_replaceAttribute(server_t *server, struct string *attribute,
 fixUnNumeric(value);
 }
 ////// ###################
+ } else if (iequals(attribute, &s_bogusfieldname42)) {
+ if (attr) {
+ attr->bogusFieldName42 = TRUE;
+ return FALSE;
+ }
+ *attribute = server->map.uid;
+ } else if (iequals(attribute, &s_bogusfieldname43)) {
+ if (attr) {
+ attr->bogusFieldName43 = TRUE;
+ return FALSE;
+ }
+ *attribute = server->map.uid;
 } else if (iequals(attribute, &s_homemount)) {
 *attribute = server->map.homemount;
 if (attr != NULL) attr->homeMount = TRUE;
@@ -624,7 +653,7 @@ static void request_filterRequestedAttributes(struct AttributeDescriptionList **
 const struct string * const str = &(*adl)->a;
 if (!(S_EQ(uid) || S_EQ(homemount) || S_EQ(memberuid) || S_EQ(realaccount) || S_EQ(objectclass) || S_EQ(homedirectory) || S_EQ(gidnumber) || S_EQ(uidnumber) || S_EQ(memberof)
- || S_EQ(distinguishedname))) {
+ || S_EQ(distinguishedname) || S_EQ(bogusfieldname42) || S_EQ(bogusfieldname43))) {
 // Delete
 struct AttributeDescriptionList *next = (*adl)->next;
 free(*adl);
@@ -707,6 +736,12 @@ static void response_replacePal(server_t *server, struct PartialAttributeList **
 }
 ADDATTR(gecos, "%s,,,", user);
 ADDATTR(cn, "%s", user);
+ if (attr->bogusFieldName42) {
+ ADDATTR(bogusFieldName42, "%s", user);
+ }
+ if (attr->bogusFieldName43) {
+ ADDATTR(bogusFieldName43, "%s", user);
+ }
 if (wasNumeric) user++; // From here on, user is the real AD/ldap username, no leading 's'
 if (attr->homeMount && server->homeTemplate[0] != '\0') {
 ADDATTR(homeMount, server->homeTemplate, user, user, user, user, user, user);
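Review bot: The two new branches in request_replaceAttribute are identical apart from the flag they set, and they differ from the neighbouring `s_homemount` branch in two ways that deserve a comment: they test `if (attr)` where the rest of the visible chain writes `attr != NULL`, and when an attr_t is supplied they `return FALSE` without touching `*attribute`, whereas homemount rewrites `*attribute` and sets its flag on the same pass. If FALSE here means "attribute left as-is", that looks intended so the requested-attribute list keeps the literal bogus name for response_replacePal to fill in, but nothing in the hunk says so; I would put above the first branch `// Filter pass (attr == NULL): rewrite the alias to a uid match. Attribute-list pass: only flag it so the reply can echo the uid under this name; the name itself is kept.` From a security angle it is worth stating that any client filter on these two names is now silently turned into a uid lookup, so they must never exist as real attributes behind the proxy. The function starts before the hunk.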
@@ -861,6 +896,8 @@ static BOOL proxy_clientSearchRequest(epoll_client_t *client, const unsigned lon
 if (_debugLevel >= DEBUG_TRACE) {
 printf("[Client] Search request (original): ");
 helper_printfilter(req.filter);
+ printf("[Client] Wanted attributes: ");
+ helper_printal(req.attributes);
 }
 if (req.sizeLimit == 0 || req.sizeLimit > 20) req.sizeLimit = 20; // TODO: Magic value
 pending_t *pending = proxy_getFreePendingSlot(client);
@@ -888,7 +925,7 @@ static BOOL proxy_clientSearchRequest(epoll_client_t *client, const unsigned lon
 if (_debugLevel >= DEBUG_TRACE) {
 printf("[Client] Search request (translated): ");
 helper_printfilter(req.filter);
- printf("Wanted attributes: ");
+ printf("[Client] Wanted attributes: ");
 helper_printal(req.attributes);
 }
 pending->clientMessageId = messageId;
|
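Review bot: Both trace blocks in proxy_clientSearchRequest now print the identical label `[Client] Wanted attributes: `, once before and once after translation, so a trace log no longer shows which attribute list is which even though the filter lines directly above them are tagged (original) and (translated). Label them the same way: `printf("[Client] Wanted attributes (original): ");` in the first block and `printf("[Client] Wanted attributes (translated): ");` in the second. The function starts before the first hunk and continues past the second.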