[Freeipa-devel] [PATCH] 0156 extdom: add certificate request

Sumit Bose sbose at redhat.com
Fri May 20 19:23:46 UTC 2016


Hi,

this patch allows the extdom plugin to look up users by certificate, which
is needed in the case where an IPA client wants to look up an AD user who
has the certificate stored in AD. To make this work the related patches
I just sent to sssd-devel are needed as well.

Currently the patches miss the change in the required version of SSSD,
since the SSSD patches are not committed. But the patches are needed to
fully test the SSSD patches. I will send a new version with the needed
changes to the minimal SSSD version when the SSSD patches are committed.

bye,
Sumit
-------------- next part --------------
From b7b84fb4192af70e784c4cee18ff4be532d0f83f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Tue, 26 Apr 2016 13:22:40 +0200
Subject: [PATCH] extdom: add certificate request

Related to https://fedorahosted.org/freeipa/ticket/4955
---
 .../ipa-extdom-extop/ipa_extdom.h                  |  4 ++-
 .../ipa-extdom-extop/ipa_extdom_common.c           | 31 +++++++++++++++++-----
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
index a77711977186b702caafa2729dc13090c6031791..aa7855650789448ae4220b33cc2de858883fe302 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
@@ -80,7 +80,8 @@ enum input_types {
     INP_SID = 1,
     INP_NAME,
     INP_POSIX_UID,
-    INP_POSIX_GID
+    INP_POSIX_GID,
+    INP_CERT
 };
 
 enum request_types {
@@ -115,6 +116,7 @@ struct extdom_req {
             char *domain_name;
             gid_t gid;
         } posix_gid;
+        char *cert;
     } data;
     char *err_msg;
 };
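Review bot: The new `cert` member is the one union alternative whose expected content is not self-describing — `sid` carries a SID string and the posix members a domain name plus id — yet nothing states which encoding the client has to send. A comment on the member would pin this down, e.g. `char *cert; /* client-supplied certificate; encoding must match what sss_nss_getnamebycert() expects (base64 DER presumably — confirm) */`. The enclosing struct extdom_req starts outside the hunk.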
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 823c05c810361f121cb46831fb2d4e846729d792..e629247fd771e374d50486d836cd3b0d8d32a78a 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -349,6 +349,9 @@ int parse_request_data(struct berval *req_val, struct extdom_req **_req)
                                             &id);
             req->data.posix_gid.gid = (gid_t) id;
             break;
+        case INP_CERT:
+            tag = ber_scanf(ber, "a}", &req->data.cert);
+            break;
         default:
             ber_free(ber, 1);
             set_err_msg(req, "Unknown input type");
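Review bot: The INP_CERT case stores the client-supplied string without any sanity check, so an empty certificate value is accepted at parse time and only fails later inside sss_nss_getnamebycert(). Rejecting it here, mirroring the default case's error path, would be `if (req->data.cert == NULL || *req->data.cert == '\0') { ber_free(ber, 1); set_err_msg(req, "Empty certificate"); /* same error return as default */ }`. Whether `tag` is compared against LBER_ERROR after the switch cannot be seen here; parse_request_data continues past the hunk.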
@@ -383,6 +386,9 @@ void free_req_data(struct extdom_req *req)
     case INP_POSIX_GID:
         ber_memfree(req->data.posix_gid.domain_name);
         break;
+    case INP_CERT:
+        ber_memfree(req->data.cert);
+        break;
     }
 
     free(req->err_msg);
@@ -861,10 +867,12 @@ done:
     return ret;
 }
 
-static int handle_sid_request(struct ipa_extdom_ctx *ctx,
-                              struct extdom_req *req,
-                              enum request_types request_type, const char *sid,
-                              struct berval **berval)
+static int handle_sid_or_cert_request(struct ipa_extdom_ctx *ctx,
+                                      struct extdom_req *req,
+                                      enum request_types request_type,
+                                      enum input_types input_type,
+                                      const char *input,
+                                      struct berval **berval)
 {
     int ret;
     struct passwd pwd;
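Review bot: The new `input_type`/`input` pair carries a contract the signature does not state — `input` is a SID string for INP_SID and a certificate otherwise, and no other input_types value is expected here. A comment above the definition would make this explicit, e.g. `/* input is a SID string when input_type is INP_SID, otherwise the certificate as received from the client; only INP_SID and INP_CERT are valid here. */`. The body of handle_sid_or_cert_request continues outside the hunk.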
@@ -878,7 +886,11 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx,
     enum sss_id_type id_type;
     struct sss_nss_kv *kv_list = NULL;
 
-    ret = sss_nss_getnamebysid(sid, &fq_name, &id_type);
+    if (input_type == INP_SID) {
+        ret = sss_nss_getnamebysid(input, &fq_name, &id_type);
+    } else {
+        ret = sss_nss_getnamebycert(input, &fq_name, &id_type);
+    }
     if (ret != 0) {
         if (ret == ENOENT) {
             ret = LDAP_NO_SUCH_OBJECT;
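Review bot: The else branch at the top of the hunk treats every input_type other than INP_SID as a certificate, so an input_types value routed here by mistake would be looked up as a cert rather than rejected. Making the cert branch explicit, `} else if (input_type == INP_CERT) {`, and sending anything else to the function's existing error return keeps the dispatch closed. The enclosing handle_sid_or_cert_request starts before the hunk and continues past it.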
@@ -1135,8 +1147,13 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct extdom_req *req,
 
         break;
     case INP_SID:
-        ret = handle_sid_request(ctx, req, req->request_type, req->data.sid,
-                                 berval);
+    case INP_CERT:
+        ret = handle_sid_or_cert_request(ctx, req, req->request_type,
+                                         req->input_type,
+                                         req->input_type == INP_SID ?
+                                                                 req->data.sid :
+                                                                 req->data.cert,
+                                         berval);
         break;
     case INP_NAME:
         ret = handle_name_request(ctx, req, req->request_type,
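Review bot: The four-line ternary folded into the argument list under the INP_CERT case is hard to scan; selecting the value first reads better, with a `const char *input;` declared at the top of handle_request and then `input = req->input_type == INP_SID ? req->data.sid : req->data.cert;` followed by `ret = handle_sid_or_cert_request(ctx, req, req->request_type, req->input_type, input, berval);`. handle_request continues outside the hunk.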
-- 
2.4.11


