The ACL was working correctly only in a subset of cases, due to the code
overwriting cases when a client or target was found on later checks.

This fixes it and makes multiple targets/clients configurations work
properly.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From b6fd2b246280cf41ad03c7e5cd453030c86c5e4f Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Tue, 28 Feb 2012 10:47:18 -0500
Subject: [PATCH] ipa-kdb: fix delegation acl check

We need to check for a matching acl only if one match hasn't already been
found, otherwise results are unpredictable and order dependent.
---
 daemons/ipa-kdb/ipa_kdb_delegation.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_delegation.c b/daemons/ipa-kdb/ipa_kdb_delegation.c
index 579a9f3157d260679898668432cf23789993a793..5ae5e0d9d090a92b622e926e0bff538d979a4936 100644
--- a/daemons/ipa-kdb/ipa_kdb_delegation.c
+++ b/daemons/ipa-kdb/ipa_kdb_delegation.c
@@ -140,7 +140,8 @@ static krb5_error_code ipadb_match_acl(krb5_context kcontext,
         switch (ret) {
         case 0:
             for (dres = deref_results; dres; dres = dres->next) {
-                if (strcasecmp(dres->derefAttr, "ipaAllowToImpersonate") == 0) {
+                if (client_found == false &&
+                    strcasecmp(dres->derefAttr, "ipaAllowToImpersonate") == 0) {
                     /* NOTE: client_missing is used to signal that the
                      * attribute was completely missing. This signals that
                      * ANY client is allowed to be impersonated.
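Review bot: the `client_found == false` guard makes the `ipaAllowToImpersonate` branch first-positive-match-wins, which is what the commit message asks for, but the NOTE comment above `client_missing = false;` still documents only the missing-attribute case; add a sentence there saying that once a match is found later `ipaAllowToImpersonate` entries are skipped, so the next reader does not mistake the guard for an accident. Minor: an entry that does not match still assigns `client_found = ipadb_match_member(...)`, which is harmless because the flag was already false, and once both flags are set the loop could `break` instead of running `strcasecmp` over the remaining entries.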
@@ -148,7 +149,8 @@ static krb5_error_code ipadb_match_acl(krb5_context kcontext,
                     client_missing = false;
                     client_found = ipadb_match_member(client_princ, dres);
                 }
-                if (strcasecmp(dres->derefAttr, "ipaAllowedTarget") == 0) {
+                if (target_found == false &&
+                    strcasecmp(dres->derefAttr, "ipaAllowedTarget") == 0) {
                     target_found = ipadb_match_member(target_princ, dres);
                 }
             }
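Review bot: the `target_found == false` guard mirrors the client branch, but there is no `target_missing` counterpart in these lines: when no `ipaAllowedTarget` entry is present `target_found` stays false, so a missing target list denies rather than allowing any target the way a missing `ipaAllowToImpersonate` allows any client. That is the safe default and the asymmetry looks deliberate; a one-line comment next to `target_found = ipadb_match_member(target_princ, dres);` stating it would keep a future change from "fixing" it into the permissive behaviour.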
-- 
1.7.7.6
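
A stripped-down model of the loop the patch touches, added here to show why the pre-patch result was order dependent; this is illustration code, not code from the patch or from FreeIPA. The `deref_entry` struct, the `match_member()` helper standing in for `ipadb_match_member()`, the final combination of the flags (a missing `ipaAllowToImpersonate` treated as "any client", a missing `ipaAllowedTarget` as deny) and the principal names are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for one dereferenced LDAP result: which
 * attribute it came from and which principal it names.  The real
 * ipa-kdb structures are richer; this is only enough to show the
 * order dependence the patch fixes. */
struct deref_entry {
    const char *attr;           /* "ipaAllowToImpersonate" or "ipaAllowedTarget" */
    const char *member;         /* principal name the entry points to */
    struct deref_entry *next;
};

/* Hypothetical replacement for ipadb_match_member(): exact-name match. */
static bool match_member(const char *princ, const struct deref_entry *e)
{
    return strcmp(princ, e->member) == 0;
}

/* Walk the result list the way the loop in ipadb_match_acl() does.
 * With first_match_wins == false every matching attribute overwrites
 * the flag (pre-patch behaviour); with true a flag, once set, is left
 * alone (post-patch behaviour).  The final combination of the flags is
 * an assumption: a missing client attribute means "any client". */
static bool acl_allows(const struct deref_entry *list, const char *client,
                       const char *target, bool first_match_wins)
{
    bool client_found = false;
    bool client_missing = true;
    bool target_found = false;

    for (const struct deref_entry *e = list; e; e = e->next) {
        if ((!first_match_wins || !client_found) &&
            strcasecmp(e->attr, "ipaAllowToImpersonate") == 0) {
            client_missing = false;
            client_found = match_member(client, e);
        }
        if ((!first_match_wins || !target_found) &&
            strcasecmp(e->attr, "ipaAllowedTarget") == 0) {
            target_found = match_member(target, e);
        }
    }
    return (client_found || client_missing) && target_found;
}

/* Constructed sample data: one rule letting alice or bob impersonate
 * users toward two targets, in two of the orders the directory might
 * return the entries.  Built tail first so the initializers can link. */
static struct deref_entry t_http = { "ipaAllowedTarget", "HTTP/web.example.test", NULL };
static struct deref_entry t_ldap = { "ipaAllowedTarget", "ldap/dir.example.test", &t_http };
static struct deref_entry c_bob_2nd = { "ipaAllowToImpersonate", "bob", &t_ldap };
static struct deref_entry alice_first = { "ipaAllowToImpersonate", "alice", &c_bob_2nd };
static struct deref_entry c_alice_2nd = { "ipaAllowToImpersonate", "alice", &t_ldap };
static struct deref_entry bob_first = { "ipaAllowToImpersonate", "bob", &c_alice_2nd };

#define CLIENT "alice"
#define TARGET "HTTP/web.example.test"

/* Pre-patch: bob's entry overwrites alice's earlier match, so alice is denied. */
bool prepatch_alice_listed_first(void) { return acl_allows(&alice_first, CLIENT, TARGET, false); }
/* Pre-patch: same rule with the entries swapped, and alice is now allowed. */
bool prepatch_alice_listed_last(void)  { return acl_allows(&bob_first, CLIENT, TARGET, false); }
/* Post-patch: both orders allow alice. */
bool fixed_alice_listed_first(void)    { return acl_allows(&alice_first, CLIENT, TARGET, true); }
bool fixed_alice_listed_last(void)     { return acl_allows(&bob_first, CLIENT, TARGET, true); }
/* Post-patch: a principal named by neither entry is still denied. */
bool fixed_denies_unlisted(void)       { return acl_allows(&alice_first, "carol", TARGET, true); }

int main(void)
{
    printf("pre-patch, alice first: %s\n", prepatch_alice_listed_first() ? "allowed" : "denied");
    printf("pre-patch, alice last:  %s\n", prepatch_alice_listed_last() ? "allowed" : "denied");
    printf("fixed, alice first:     %s\n", fixed_alice_listed_first() ? "allowed" : "denied");
    printf("fixed, alice last:      %s\n", fixed_alice_listed_last() ? "allowed" : "denied");
    printf("fixed, carol:           %s\n", fixed_denies_unlisted() ? "allowed" : "denied");
    return 0;
}
```

The two pre-patch cases use the same rule and differ only in the order the directory hands back the entries, which is exactly the unpredictability the commit message describes; the same trick applies to the target list, which is why both branches get the guard.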

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
