[SSSD] [PATCH] LDAP: Try also the AD access control for IPA users

Wed, 11 May 2016 02:58:41 -0700 

Hi,

the attached patch implements Sumit's idea to solve
https://fedorahosted.org/sssd/ticket/2927

The user who reported the bug confirmed that the patch works. As an
additional improvement, they requested that these results should not be
considered when the cache expires, but immediatelly. But honestly I
don't know if and how this could be solved (we would need to fetch this
attribute always on initgroups on both client and server..) so I would
prefer additional ticket and merge this patch first.

>From 01598f563378f8cf85e7a7fb0c29e7bf32518c3f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Fri, 22 Apr 2016 18:32:26 +0200
Subject: [PATCH] LDAP: Try also the AD access control for IPA users

Resolves:
    https://fedorahosted.org/sssd/ticket/2927

If a user from an AD trusted domain is logging in, we should also check
their AD lockout status. This helps cases where the user might have been
disabled but is logging in with an SSH public key.
---
 src/providers/ldap/sdap_access.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 
3ef45b717787058ec61c4d6875cb41bb2e8195fc..14ec34508636c19b288a57cd305d874705bdb842
 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -741,6 +741,21 @@ static errno_t sdap_account_expired(struct sdap_access_ctx 
*access_ctx,
                 DEBUG(SSSDBG_CRIT_FAILURE,
                       "sdap_account_expired_rhds failed.\n");
             }
+
+            if (ret == EOK &&
+                    strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_IPA) == 0) {
+                DEBUG(SSSDBG_TRACE_FUNC,
+                      "IPA access control succeeded, checking AD "
+                      "access control\n");
+                ret = sdap_account_expired_ad(pd, user_entry);
+                if (ret == ERR_ACCOUNT_EXPIRED || ret == ERR_ACCESS_DENIED) {
+                    DEBUG(SSSDBG_TRACE_FUNC,
+                        "sdap_account_expired_ad: %s.\n", sss_strerror(ret));
+                } else if (ret != EOK) {
+                    DEBUG(SSSDBG_CRIT_FAILURE,
+                          "sdap_account_expired_ad failed.\n");
+                }
+            }
         } else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_NDS) == 0) {
             ret = sdap_account_expired_nds(pd, user_entry);
             if (ret == ERR_ACCESS_DENIED) {
-- 
2.4.11


_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org

Reply via email to