Skip to content

Commit

Permalink
AD: Detect and ignore (for now) Foreign Security Principals
Browse files Browse the repository at this point in the history
  • Loading branch information
ondrejv2 committed Oct 28, 2024
1 parent 6afcc0b commit 8a749dd
Show file tree
Hide file tree
Showing 2 changed files with 31 additions and 4 deletions.
1 change: 1 addition & 0 deletions src/db/sysdb.h
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@
#define SYSDB_DOMAIN_ID_RANGE_CLASS "domainIDRange"
#define SYSDB_TRUSTED_AD_DOMAIN_RANGE_CLASS "TrustedADDomainRange"
#define SYSDB_CERTMAP_CLASS "certificateMappingRule"
#define SYSDB_AD_FSP_CLASS "foreignSecurityPrincipal"

#define SYSDB_DN "dn"
#define SYSDB_NAME "name"
Expand Down
34 changes: 30 additions & 4 deletions src/providers/ldap/sdap_async_nested_groups.c
Original file line number Diff line number Diff line change
Expand Up @@ -252,6 +252,33 @@ static errno_t
sdap_nested_group_hash_user(struct sdap_nested_group_ctx *group_ctx,
struct sysdb_attrs *user)
{
errno_t ret;
const char *val = NULL;
const char **val_list = NULL;

ret = sysdb_attrs_get_string_array(user, SYSDB_OBJECTCLASS, group_ctx, &val_list);
if (ret == EOK) {
/* if called from sdap_nested_group_single_step_process(), then we have objectclass
* and uid attrs so we can test for Foreign Security principals */
if (string_in_list(SYSDB_AD_FSP_CLASS, discard_const(val_list), false)) {
/* TODO: handle Foreign Security Principal here
* since we don't know how to do it now, then we skip them for now */
sysdb_attrs_get_string(user, SYSDB_ORIG_DN, &val);
DEBUG(SSSDBG_TRACE_ALL, "Ignoring Foreign Principal %s\n",val);
talloc_free(val_list);
return EOK;
}
talloc_free(val_list);

ret = sysdb_attrs_get_string(user, group_ctx->opts->user_map[SDAP_AT_USER_NAME].name, &val);
if (ret != EOK) {
DEBUG(SSSDBG_TRACE_ALL, "Unable to get username for %s\n",val);
return ret;
}
/* we need to populate the sys_name in the user map so the user is recognized later on */
sysdb_attrs_add_string(user, group_ctx->opts->user_map[SDAP_AT_USER_NAME].sys_name, val);
}

return sdap_nested_group_hash_entry(group_ctx->users, user, "users");
}

Expand Down Expand Up @@ -1895,8 +1922,8 @@ sdap_nested_group_lookup_user_send(TALLOC_CTX *mem_ctx,
attrs[2] = NULL;

/* create filter */
base_filter = talloc_asprintf(state, "(objectclass=%s)",
group_ctx->opts->user_map[SDAP_OC_USER].name);
base_filter = talloc_asprintf(state, "(|(objectclass=%s)(objectclass=%s))",
group_ctx->opts->user_map[SDAP_OC_USER].name,SYSDB_AD_FSP_CLASS);
if (base_filter == NULL) {
ret = ENOMEM;
goto immediately;
Expand All @@ -1912,8 +1939,7 @@ sdap_nested_group_lookup_user_send(TALLOC_CTX *mem_ctx,
/* search */
subreq = sdap_get_generic_send(state, ev, group_ctx->opts, group_ctx->sh,
member->dn, LDAP_SCOPE_BASE, filter, attrs,
group_ctx->opts->user_map,
group_ctx->opts->user_map_cnt,
NULL, 0,
dp_opt_get_int(group_ctx->opts->basic,
SDAP_SEARCH_TIMEOUT),
false);
Expand Down

0 comments on commit 8a749dd

Please sign in to comment.