Hi,

this patch allows the extdom plugin to look up users by certificate, which
is needed in the case where an IPA client wants to look up an AD user who
has the certificate stored in AD. To make this work the related patches
I just sent to sssd-devel are needed as well.

Currently the patches miss the change in the required version of SSSD,
since the SSSD patches are not committed. But the patches are needed to
fully test the SSSD patches. I will send a new version with the needed
changes to the minimal SSSD version when the SSSD patches are committed.

bye,
Sumit
From b7b84fb4192af70e784c4cee18ff4be532d0f83f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 26 Apr 2016 13:22:40 +0200
Subject: [PATCH] extdom: add certificate request

Related to https://fedorahosted.org/freeipa/ticket/4955
---
 .../ipa-extdom-extop/ipa_extdom.h                  |  4 ++-
 .../ipa-extdom-extop/ipa_extdom_common.c           | 31 +++++++++++++++++-----
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
index 
a77711977186b702caafa2729dc13090c6031791..aa7855650789448ae4220b33cc2de858883fe302
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
@@ -80,7 +80,8 @@ enum input_types {
     INP_SID = 1,
     INP_NAME,
     INP_POSIX_UID,
-    INP_POSIX_GID
+    INP_POSIX_GID,
+    INP_CERT
 };
 
 enum request_types {
@@ -115,6 +116,7 @@ struct extdom_req {
             char *domain_name;
             gid_t gid;
         } posix_gid;
+        char *cert;
     } data;
     char *err_msg;
 };
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 
823c05c810361f121cb46831fb2d4e846729d792..e629247fd771e374d50486d836cd3b0d8d32a78a
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -349,6 +349,9 @@ int parse_request_data(struct berval *req_val, struct 
extdom_req **_req)
                                             &id);
             req->data.posix_gid.gid = (gid_t) id;
             break;
+        case INP_CERT:
+            tag = ber_scanf(ber, "a}", &req->data.cert);
+            break;
         default:
             ber_free(ber, 1);
             set_err_msg(req, "Unknown input type");
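Review bot: The value that `tag = ber_scanf(ber, "a}", &req->data.cert);` allocates is handed on to the certificate lookup without any length or format check, and nothing in this hunk bounds how large a blob a client may send; parse_request_data starts and ends outside the hunk, so whether the post-switch `tag` check rejects a failed scan is not visible here. The other input kinds use the same `tag = ber_scanf(...)` shape, so a tag check presumably follows, but a cheap sanity check on the decoded value mirroring the default branch would fail closed, e.g. `if (req->data.cert == NULL || *req->data.cert == '\0') { ber_free(ber, 1); set_err_msg(req, "Missing certificate"); ... }`. A one-line comment stating the expected encoding of the cert value (the lookup function's contract is not shown) would also help the next reader.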
@@ -383,6 +386,9 @@ void free_req_data(struct extdom_req *req)
     case INP_POSIX_GID:
         ber_memfree(req->data.posix_gid.domain_name);
         break;
+    case INP_CERT:
+        ber_memfree(req->data.cert);
+        break;
     }
 
     free(req->err_msg);
@@ -861,10 +867,12 @@ done:
     return ret;
 }
 
-static int handle_sid_request(struct ipa_extdom_ctx *ctx,
-                              struct extdom_req *req,
-                              enum request_types request_type, const char *sid,
-                              struct berval **berval)
+static int handle_sid_or_cert_request(struct ipa_extdom_ctx *ctx,
+                                      struct extdom_req *req,
+                                      enum request_types request_type,
+                                      enum input_types input_type,
+                                      const char *input,
+                                      struct berval **berval)
 {
     int ret;
     struct passwd pwd;
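Review bot: handle_sid_or_cert_request now dispatches on `input_type`, yet the renamed function carries no comment saying what `input` holds for each kind or what it returns; its body continues past the end of the hunk. A short header comment would make the contract explicit, e.g. `/* Resolve a user by SID (input_type == INP_SID, input is the SID string) or by certificate (input_type == INP_CERT, input is the cert value from the request) and build the reply into *berval; returns an LDAP result code. */`. Stating which input_type values are accepted also documents that any other value is a caller error rather than a third lookup path.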
@@ -878,7 +886,11 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx,
     enum sss_id_type id_type;
     struct sss_nss_kv *kv_list = NULL;
 
-    ret = sss_nss_getnamebysid(sid, &fq_name, &id_type);
+    if (input_type == INP_SID) {
+        ret = sss_nss_getnamebysid(input, &fq_name, &id_type);
+    } else {
+        ret = sss_nss_getnamebycert(input, &fq_name, &id_type);
+    }
     if (ret != 0) {
         if (ret == ENOENT) {
             ret = LDAP_NO_SUCH_OBJECT;
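Review bot: The `else` branch treats every input_type other than INP_SID as a certificate, so a future caller passing, say, INP_NAME would silently run a certificate lookup on a name string; make the second branch explicit and fail closed on anything else: `} else if (input_type == INP_CERT) {` ... `} else { ret = LDAP_PROTOCOL_ERROR; goto done; }`. Whether this function has a `done:` cleanup label like the preceding one, and which LDAP code the file uses for caller errors, is not visible in the hunk, so adjust the error path to match. The hunk also does not show where `sss_nss_getnamebycert()` is declared; presumably the already-included SSSD idmap header provides it once the matching SSSD change lands, which the mail notes is not yet committed.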
@@ -1135,8 +1147,13 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct 
extdom_req *req,
 
         break;
     case INP_SID:
-        ret = handle_sid_request(ctx, req, req->request_type, req->data.sid,
-                                 berval);
+    case INP_CERT:
+        ret = handle_sid_or_cert_request(ctx, req, req->request_type,
+                                         req->input_type,
+                                         req->input_type == INP_SID ?
+                                                                 req->data.sid 
:
+                                                                 
req->data.cert,
+                                         berval);
         break;
     case INP_NAME:
         ret = handle_name_request(ctx, req, req->request_type,
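Review bot: The conditional expression nested inside the argument list, `req->input_type == INP_SID ? req->data.sid : req->data.cert`, is hard to read and ends up wrapped across three physical lines; hoist it into a named local before the call: `const char *input = (req->input_type == INP_SID) ? req->data.sid : req->data.cert;` followed by `ret = handle_sid_or_cert_request(ctx, req, req->request_type, req->input_type, input, berval);`. Because the declaration would directly follow the `case INP_CERT:` label, it needs its own brace block or a declaration at the top of handle_request, whose start lies outside this hunk. Since the callee already receives `req`, an even simpler option is to let it select the union member from `req->input_type` itself and drop the extra two parameters.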
-- 
2.4.11
